Symantec Issues Fraudulent Google SSL Cert

In the modern SSL/TLS certificate system, certificate authorities (CAs) are considered trusted authorities, responsible for issuing and validating certificates. But what happens when a CA mis-issues a certificate?

That’s what happened last week as Symantec’s Thawte CA erroneously issued an extended validation (EV) certificate for google.com and www.google.com.

“During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec internal testing process,” Google’s online security staff wrote in a blog post.

Quentin Liu, VP of Engineering at Symantec, wrote in a blog post that the certificates were only test certificates and remained within Symantec’s control. There was never any danger to the Internet as a result of the mis-issued certificates, he noted.

Mis-issued certificates in the past have posed security risks. In such cases, certificates were typically the result of some form of external third-party hack. In 2011, the DigiNotar CA was breached, ultimately leading to the total collapse of DigiNotar as a business.

In last week’s case, Symantec is taking quick action against the employees responsible.

“We discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies,” Symantec stated. “Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process.”

While Symantec acted quickly, a Google technology called Certificate Transparency helped identify the rogue certificate. Somewhat ironically, Certificate Transparency logs from both Google and rival CA DigiCert alerted Google to the mis-issued certificates.

The mis-issued certificates were EV certificates, which are supposed to carry with them an expanded validation and verification process from the issuing CA. The Certificate Transparency effort only works with EV certificates and requires CAs to publish certificate information to CT logs. The basic idea behind requiring CAs to publish certificate information in the CT log is to offer some form of monitoring and visibility into certificate issuance.

In an interview earlier this year, DigiCert CSO Jason Sabin said that Certificate Transparency shines a light on CA practices and permits website operators to quickly detect and remediate unauthorized certificates.
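A minimal CT monitor of the kind a website operator runs to catch exactly this situation, added here as an illustration rather than code from Google, Symantec or DigiCert: it scans log entries for certificates covering watched domains and flags any issued by a CA the operator has not authorised. The log names, issuer names and entries are constructed placeholders.

```python
# Added example: a minimal Certificate Transparency (CT) monitor of the kind a
# domain owner runs to detect mis-issuance such as the Thawte test certificates.
# All log names, issuer names and entries below are CONSTRUCTED placeholders.
from dataclasses import dataclass

@dataclass
class CTEntry:
    log: str          # CT log the entry came from (placeholder name)
    index: int        # entry index within that log
    issuer: str       # issuing CA's name (placeholder)
    sans: list[str]   # subject alternative names the certificate covers
    ev: bool = False  # whether the certificate carries an EV policy

# Domains we own, and the only issuers we have actually authorised for them.
WATCHED = {"google.com", "www.google.com"}
AUTHORISED_ISSUERS = {"Example Authorised CA"}   # placeholder issuer

def san_covers(san: str, hostname: str) -> bool:
    """True if a SAN (possibly a single-label wildcard) covers hostname."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        # A wildcard matches exactly one left-most label, nothing deeper.
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == san[2:]
    return san == hostname

def find_unauthorised(entries: list[CTEntry]) -> list[dict]:
    """Flag entries covering a watched domain but issued by an unauthorised CA."""
    alerts = []
    for e in entries:
        hit = sorted(h for h in WATCHED if any(san_covers(s, h) for s in e.sans))
        if hit and e.issuer not in AUTHORISED_ISSUERS:
            alerts.append({"log": e.log, "index": e.index, "issuer": e.issuer,
                           "domains": hit, "ev": e.ev})
    return alerts

# Constructed sample: one legitimate cert, one unrelated wildcard, and two EV
# entries modelled on the mis-issued test certificates described in the article.
SAMPLE_ENTRIES = [
    CTEntry("ct-log-a", 1001, "Example Authorised CA", ["google.com", "www.google.com"]),
    CTEntry("ct-log-a", 1002, "Some Other CA", ["*.example.net"]),
    CTEntry("ct-log-a", 1003, "Thawte test CA (placeholder)", ["google.com", "www.google.com"], ev=True),
    CTEntry("ct-log-b", 7, "Thawte test CA (placeholder)", ["*.google.com"], ev=True),
]

if __name__ == "__main__":
    for a in find_unauthorised(SAMPLE_ENTRIES):
        print(f"ALERT {a['log']}#{a['index']}: {a['issuer']} issued for {a['domains']} (EV={a['ev']})")
```

Running it flags the two placeholder Thawte entries; a real deployment would feed the same check from the CT logs' entry feeds rather than from constructed data.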

If this new Symantec mis-issuance is any indication, it’s clear that Certificate Transparency is working as it should.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
