Analecta Cyber Company Blog: Symantec subsidiary Thawte caught issuing rogue Google certificates

2015-10-01

Symantec subsidiary Thawte caught issuing rogue Google certificates

Thawte, a subsidiary certificate authority of Symantec, accidentally issued a small number of security certificates for three domains (including google.com and www.google.com) that were intended only for internal product testing. A certificate of this kind is what tells a browser that it is talking to the genuine site, so certificate authorities should exercise the utmost caution before issuing one. A rogue certificate, like the ones released by Thawte, allows whoever holds it to intercept communications between you and your bank, email provider, or employer without detection.

Incidents like this led Google to create the Certificate Transparency initiative, in which certificate authorities, browsers and domain owners cooperate to maintain a public, near-real-time index of every certificate issued. As a result, rogue certificates are more likely to be detected, and the issuing certificate authority can be removed from the browsers' trust stores.

Google responds to security issue

The incident involved an Extended Validation (EV) pre-certificate, which was recorded in both Google-operated and DigiCert-operated Certificate Transparency logs. An EV certificate is supposed to guarantee that the issuing authority put extra effort into validating the requester's identity, yet this one was neither requested nor authorized by Google. It was discovered through the Certificate Transparency logs, which Google's Chrome browser has required for EV certificates since the start of the year. The pre-certificate was revoked immediately after discovery, so it was valid for only one day.
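As an added illustration of how the Certificate Transparency index described above, together with the pre-certificate logging that surfaced this incident, supports detection, here is a small monitor that scans already-decoded log entries for certificates covering watched domains whose issuer is not on an allowlist. This is example code written for this page, not Google's, Symantec's or any CT log operator's software; the entry format, issuer names and sample entries are constructed, and only the entry-type numbering follows RFC 6962.

```python
"""Toy Certificate Transparency monitor (added example, not the post's own code).

Assumption: log entries are already decoded into dicts with the fields below.
A real monitor would fetch and decode RFC 6962 entries from a log server.
"""

# Entry types follow RFC 6962 LogEntryType: 0 = x509_entry, 1 = precert_entry.
X509_ENTRY, PRECERT_ENTRY = 0, 1


def san_matches(san: str, domain: str) -> bool:
    """True if a SAN dNSName covers `domain`; a wildcard covers exactly one label."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        parent = san[2:]
        return domain.endswith("." + parent) and "." not in domain[: -len(parent) - 1]
    return san == domain


def find_rogue_certs(entries, watch):
    """Return entries whose SANs cover a watched domain but whose issuer is not
    in that domain's allowlist. `watch` maps domain -> set of allowed issuer names.
    Pre-certificates are reported as well: they reach the log before the final
    certificate is used, which is the point at which this incident was spotted."""
    rogue = []
    for entry in entries:
        for domain, allowed in watch.items():
            covered = any(san_matches(s, domain) for s in entry["sans"])
            if covered and entry["issuer"] not in allowed:
                rogue.append({**entry, "watched_domain": domain})
                break  # report each entry once
    return rogue


# Constructed sample log entries and issuer names; none of this is real log data.
SAMPLE_ENTRIES = [
    {"index": 101, "entry_type": X509_ENTRY, "issuer": "Authorized CA (constructed)",
     "sans": ["www.google.com", "*.google.com"]},
    {"index": 102, "entry_type": PRECERT_ENTRY, "issuer": "Unexpected CA (constructed)",
     "sans": ["google.com", "www.google.com"]},
    {"index": 103, "entry_type": X509_ENTRY, "issuer": "Unexpected CA (constructed)",
     "sans": ["*.example.net"]},
]
WATCH = {"google.com": {"Authorized CA (constructed)"},
         "www.google.com": {"Authorized CA (constructed)"}}

if __name__ == "__main__":
    for hit in find_rogue_certs(SAMPLE_ENTRIES, WATCH):
        kind = "pre-certificate" if hit["entry_type"] == PRECERT_ENTRY else "certificate"
        print(f"log index {hit['index']}: {kind} for {hit['watched_domain']} "
              f"issued by {hit['issuer']!r}, which is not on the allowlist")
```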

Symantec claimed there was no direct impact on any of the domains and that the incident posed no danger to the Internet. It stated that it was still in the process of proactively notifying the domain owners affected by the incident.

The company also confirmed that the employees responsible for the false issuance had been terminated for failing to follow company policy. It further reasserted its commitment, as a trusted industry leader and proponent of industry best practices, to preventing such an incident from happening again.
