Establishing Digital Trust: Don't Sacrifice Security for Convenience
In the modern SSL/TLS certificate system, certificate authorities (CAs) are considered trusted authorities, responsible for issuing and validating certificates. But what happens when a CA mis-issues a certificate?
That's what happened last week as Symantec's Thawte CA erroneously issued an extended validation (EV) certificate for google.com and www.google.com.
"During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec internal testing process," Google security online security staff wrote in a blog post.
Quentin Liu, VP of Engineering at Symantec, wrote in a blog post that the certificates were only test certificates and remained within Symantec's control. There was never any danger to the Internet as a result of the mis-issued certificates, he noted.
Mis-issued certificates in the past have posed security risks. In such cases, certificates were typically the result of some form of external third-party hack. In 2011, the DigiNotar CA was breached, ultimately leading to the total collapse of DigiNotar as a business.
In last week's case, Symantec is taking quick action against the employees responsible.
"We discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies," Symantec stated. "Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process."
While Symantec acted quickly, a Google technology called Certificate Transparency helped identify the rogue certificate. Somewhat ironically, Certificate Transparency logs from both Google and rival CA DigiCert alerted Google to the mis-issued certificates.
The mis-issued certificates were EV certificates, which are supposed to carry with them an expanded validation and verification process from the issuing CA. The Certificate Transparency effort only works with EV certificates and requires CAs to publish certificate information to CT logs. The basic idea behind requiring CAs to publish certificate information in the CT log is to offer some form of monitoring and visibility into certificate issuance.
In an interview earlier this year, DigiCert CSO Jason Sabin said that Certificate Transparency shines a light on CA practices and permits website operators to quickly detect and remediate unauthorized certificates.
If this new Symantec mis-issuance is any indication, it's clear that Certificate Transparency is working as it should.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.