Google slams Symantec over 'questionable' digital certificates

A security company ought to do a lot better over a security issue, argues Google, as it subjects Symantec digital certificates to 'special measures'

Google has blasted security software giant Symantec over mis-issued digital certificates for its own web domain, Google.com, in September.

Back then, Google had issued an advisory, warning users of Chrome - and, by implication, Opera - of the error.

"On September 14, around 19:20 GMT, Symantec's Thawte-branded CA [certificate authority] issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.

"We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.

"During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process," claimed Google.

A number of Symantec employees were fired for issuing the unauthorised certificates after Google went public with its findings.

The matter was a serious web security issue because fraudulent certificates for Google's domains could be used to intercept and decrypt credit card data, cookies and other encrypted traffic bound for Google.

"We discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies. Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process," wrote Quentin Liu, vice president of engineering at Symantec.

In a blog posting overnight, however, Google software engineer Ryan Sleevi revealed that that won't be the end of the matter.

According to Sleevi, although Symantec acknowledged the error, Google was still able to find several more "questionable certificates" and, after an audit, Symantec admitted that it had found an additional "164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered".

As a result, Google is planning to require that all certificates issued by Symantec support Certificate Transparency, an experimental IETF open standard and open source framework for monitoring and auditing digital certificates, from June 2016. "After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products," warned Sleevi.
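The advisory quoted above shows the defensive value of Certificate Transparency: Google found the unauthorised pre-certificate by watching the public logs rather than by being told. The following is an added example, not code from the article, from Google or from Symantec, of the core of such a monitor. It assumes log entries have already been fetched and decoded into simple records (log name, issuer, SAN list, whether the entry is a pre-certificate, timestamp); the entries, domain names and CA names are constructed sample data, and the allow-list of authorised issuers is a hypothetical setting a domain owner would maintain.

```python
# Added example: a minimal Certificate Transparency monitor that flags
# entries naming a domain you control when the issuing CA is not one you
# authorised. Not code from the article, Google or Symantec.
from datetime import datetime, timezone

# Constructed sample entries in the shape a CT monitor might hold after
# decoding log entries. Names, CAs, logs and timestamps are hypothetical.
SAMPLE_ENTRIES = [
    {"log": "log-a", "issuer": "Example Trusted CA",
     "names": ["example.com", "www.example.com"],
     "precert": False, "timestamp": "2015-09-01T10:00:00Z"},
    {"log": "log-b", "issuer": "Unexpected Test CA",
     "names": ["example.com", "www.example.com"],
     "precert": True, "timestamp": "2015-09-14T19:20:00Z"},
    {"log": "log-a", "issuer": "Example Trusted CA",
     "names": ["*.example.com"],
     "precert": False, "timestamp": "2015-09-20T08:00:00Z"},
    {"log": "log-a", "issuer": "Some Other CA",
     "names": ["unrelated.example.org"],
     "precert": False, "timestamp": "2015-09-21T08:00:00Z"},
]

# Hypothetical allow-list: each monitored apex domain mapped to the set of
# CAs permitted to issue for it and its subdomains.
AUTHORISED_ISSUERS = {"example.com": {"Example Trusted CA"}}


def monitored_zone(san, zones):
    """Return the monitored apex domain that a SAN falls under, or None.
    'www.example.com' and the wildcard '*.example.com' both fall under
    'example.com'."""
    host = san.lower()
    if host.startswith("*."):  # judge a wildcard SAN by its base domain
        host = host[2:]
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def find_unauthorised(entries, authorised):
    """Return one finding per log entry that names a monitored domain and
    was issued by a CA outside that domain's allow-list."""
    findings = []
    for entry in entries:
        for san in entry["names"]:
            zone = monitored_zone(san, authorised)
            if zone is None or entry["issuer"] in authorised[zone]:
                continue
            findings.append({
                "zone": zone,
                "issuer": entry["issuer"],
                "names": list(entry["names"]),
                "log": entry["log"],
                # A logged pre-certificate is a binding commitment to issue,
                # so it is reported like a final certificate even if no
                # final certificate has been seen.
                "precert": entry["precert"],
                "timestamp": datetime.strptime(
                    entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
                ).replace(tzinfo=timezone.utc),
            })
            break  # one finding per entry, not one per SAN
    return findings


if __name__ == "__main__":
    for f in find_unauthorised(SAMPLE_ENTRIES, AUTHORISED_ISSUERS):
        kind = "pre-certificate" if f["precert"] else "certificate"
        print(f"ALERT {f['timestamp'].isoformat()} {kind} for {f['names']} "
              f"issued by '{f['issuer']}' (not authorised for {f['zone']}), "
              f"seen in {f['log']}")
```

Run against the sample data, only the second entry is reported: it names the monitored domain, it comes from a CA not on the allow-list, and it is flagged as a pre-certificate, which is exactly the kind of record the advisory describes finding. The wildcard entry from the authorised CA and the entry for an unrelated domain are ignored. A real deployment would replace the constructed list with entries fetched from the logs and would match issuers by their certificate rather than by display name.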

He continued: "More immediately, we are requesting of Symantec that they further update their public incident report with:

"1. A post-mortem analysis that details why they did not detect the additional certificates that we found;
"2. Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.

"We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.

"Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit."

Furthermore, he warned, Google reserves the right to take further action "as additional information becomes available to us".