1232217 - Symantec caught issuing certificates for properties it has no control or authority

Status: RESOLVED DUPLICATE of bug 1229445

(CA Program :: CA Certificate Root Program, task)

Description

[Jeffrey Walton]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Publicly reported at "Google tears Symantec a new one over rogue SSL certs", http://www.theregister.co.uk/2015/10/29/google_symantec_dodgy_certs/.

I believe this is a violation of Mozilla's inclusion policies, and a violation of Symantec's CPS. It looks like Trustwave, CNNIC, etc all over again.

I could not find a bug report covering it, so here it is....

**********

... In September it emerged that Symantec's subsidiary Thawte generated a number of SSL certs for internal testing purposes.

One of these certificates masqueraded as a legit cert for Google.com, meaning it could be used to trick web browsers into thinking they had connected to Google's site when really the browser had connected to a potentially malicious server.

The Chocolate Factory discovered the rogue cert using its Certificate Transparency project, and it was furious: Google never gave Thawte permission to generate the certificates, and was irked by Symantec's sloppiness.

Thawte insisted the rogue certificates never at any point left the lab, and that no one outside the company had obtained copies of the SSL certs.

Alarmed that Thawte's engineers were playing around with highly sensitive and powerful certificates, Google demanded a full investigation. Symantec found 23 dodgy certs, fired some of the staff involved, and conducted what it said was a full review, but now it turns out the biz botched that too.

According to Google software engineer Ryan Sleevi, the internet goliath found several more certificates that weren't mentioned in Symantec's report, and demanded the firm look again. On October 12, Symantec said they had found that another 164 rogue certificates had been issued in 76 domains without permission, and 2,458 certificates were issued for domains that were never registered.

"It's obviously concerning that a certificate authority would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit," Sleevi said on Wednesday.

"Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."

If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong. This Symantec has now done (you can read it here), but the biz has more hoops to jump through if it wants Chrome to accept its certificates going forward.

Symantec will also need to give Google a detailed timeline for the process behind the creation of each certificate and a list of things it will do to make sure it doesn't happen again. Since this involves confidential information, Google won't be making that information public.

In addition, Symantec must hire a third-party security auditor to conduct a full audit and check that private keys have not been exposed and that auditing software works as specified. In addition, the auditors will ensure that Symantec is compliant in the following areas:

    WebTrust Principles and Criteria for Certification Authorities
    WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security [PDF]
    WebTrust Principles and Criteria for Certification Authorities – Extended Validation [PDF]

If Symantec bungles this second chance, come June 2016, Google Chrome and other Google apps will warn netizens not to trust any websites that use new Symantec-backed certificates.

This will encourage web developers to avoid using Symantec-issued SSL certs for their HTTPS-encrypted websites, and similar services, dealing a damaging blow to Symantec.

"While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold," Symantec told The Register in a statement.

"To prevent this type of testing from occurring in the future, we have already put additional tool, policy, and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third party to evaluate our approach, in addition to expanding the scope of our annual audit."