Google threatens action against Symantec-issued certificates following botched investigation

Symantec's investigation into a case of internal testing gone wrong failed to find a large number of certificates issued without authorization.


Google wants Symantec to disclose all certificates issued by its SSL business going forward, after what Google considers a botched investigation into how Symantec employees issued SSL certificates for domain names that the company did not own.
The browser maker also wants the security firm to publish a detailed analysis of how the incident was investigated.

Through its acquisition of Verisign's authentication business unit in 2010, Symantec became one of the largest certificate authorities (CAs) in the world. Such organizations are trusted by browsers and operating systems to issue digital certificates to domain owners; browsers then use those certificates to authenticate the domains and encrypt connections to them.

In September, Google discovered that Symantec had issued a pre-certificate for google.com without its knowledge. Even more surprising was that this certificate was an Extended Validation (EV) one, and therefore was supposed to require extensive verification of the requesting entity's identity and ownership of the domain.

Google discovered the incident because, as part of its Chrome browser policies, it requires all CAs to disclose the EV certificates they issue in a public audit log as part of a new protocol called Certificate Transparency (CT).
Following the incident, Symantec determined that the certificates in question were issued during product testing and never left the organization. It also fired several employees who failed to follow internal policies.

The company's initial investigation determined that 23 test certificates had been issued for domain names belonging to Google, Opera and three other unnamed organizations.

However, with only "a few minutes of work" Google was able to find additional unauthorized certificates that Symantec missed, calling into question the results of the company's internal audit.
In response, Symantec re-opened the investigation and uncovered an additional 164 test certificates that it issued for 76 domains it didn't own and 2,458 certificates issued for domains that hadn't been registered.
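The check described above, scanning Certificate Transparency log entries for certificates that name domains you own but that you never authorized, is easy to automate. The script below is an added example and is not code from the article, from Google or from Symantec. The log entries are constructed sample data in the shape a CT monitor would collect (issuer, serial number, DNS names from the subject alternative name extension); a real monitor would fetch entries from a public CT log and parse the certificates instead. The domain-matching rule compares DNS labels from the right so that a look-alike such as `google.com.lookalike.example` (a constructed name) is not mistaken for a certificate covering `google.com`, and a wildcard name is treated as covering the domain beneath it.

```python
"""Flag CT log entries that name an owned domain but are not in the authorized
certificate inventory. Added example; sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    issuer: str
    serial: str
    sans: tuple            # DNS names from the certificate's SAN extension
    precert: bool = False  # True for a pre-certificate (CT poison extension set)
    ev: bool = False       # True for an Extended Validation certificate


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_names_owned(san: str, owned: str) -> bool:
    """True if the certificate name `san` is, or sits under, `owned`.

    Handles three cases: an exact match, a subdomain of `owned`, and a
    wildcard (leftmost label "*") whose base is `owned`, lies under `owned`,
    or is the immediate parent of `owned` (e.g. "*.com" covers "google.com").
    Labels are compared from the right, so string-suffix look-alikes such as
    "google.com.lookalike.example" or "notgoogle.com" do not match.
    """
    s, o = _labels(san), _labels(owned)
    if s and s[0] == "*":
        base = s[1:]
        if len(o) == len(base) + 1 and o[1:] == base:
            return True      # wildcard one level above the owned domain
        s = base             # otherwise judge the wildcard by its base
    return len(s) >= len(o) and s[-len(o):] == o


def find_unauthorized(entries, owned_domains, authorized):
    """Return (serial, [matched owned domains]) for every log entry that names
    an owned domain and whose (issuer, serial) pair is not in `authorized`."""
    hits = []
    for e in entries:
        matched = sorted({d for d in owned_domains
                          for name in e.sans if san_names_owned(name, d)})
        if matched and (e.issuer, e.serial) not in authorized:
            hits.append((e.serial, matched))
    return hits


# Constructed sample log: issuer names, serials and the look-alike domain are
# made up; google.com and opera.com are the domains named in the article.
SAMPLE_LOG = (
    CertEntry("Example CA 1", "01", ("www.example.com",)),
    CertEntry("Example CA 1", "02", ("google.com", "www.google.com"),
              precert=True, ev=True),                     # never authorized
    CertEntry("Example CA 2", "a1", ("mail.google.com",)),  # in inventory
    CertEntry("Example CA 1", "03", ("google.com.lookalike.example",)),
    CertEntry("Example CA 1", "04", ("*.opera.com",)),     # never authorized
)
OWNED = ("google.com", "opera.com")
# Inventory of certificates the domain owners actually requested.
AUTHORIZED = {("Example CA 2", "a1")}

if __name__ == "__main__":
    for serial, domains in find_unauthorized(SAMPLE_LOG, OWNED, AUTHORIZED):
        print(f"unauthorized certificate serial {serial} names {domains}")
```

Run against the sample log, the script reports serials `02` and `04`: the pre-certificate for `google.com` and the wildcard for `opera.com`, neither of which appears in the authorized inventory. The `precert` and `ev` fields are carried along so a report can say whether the entry was a pre-certificate logged before issuance, as in the google.com case the article describes.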

Google is now calling for Symantec to publish a detailed analysis of its failure to detect all certificates during the initial audit and wants the company to explain the root causes for each violation of existing industry policies.

The browser maker also wants Symantec to report all the certificates it issues, not just the EV ones, to the CT log in the future.

Beginning June 1, 2016, Google Chrome may start displaying warnings for Symantec-issued certificates that don't support CT, Google said in a blog post Wednesday.
According to its own report on the incident, Symantec already plans to implement CT for all of its certificates by the end of this year.

"While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold," a Symantec representative said in an emailed statement Thursday. "We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted."

The company has already put additional tools, policies and procedures in place to prevent similar incidents from occurring in the future and has engaged a third party to evaluate their effectiveness, the representative said.

However, Google is not ready to take Symantec's word for it. It wants the company to undergo a third-party security audit in order to verify its claims that no private keys associated with the test certificates were exposed to Symantec employees, that those employees could not generate certificates with private keys that they controlled, and that Symantec's audit logs were reasonably protected against tampering.