Symantec accused of issuing iffy digital certificates - again

Symantec restricts "audited partner" while it investigates

Symantec, one of the biggest digital certification authorities in the world, has been accused for the second time in two years of wrongly issuing a series of digital certificates.

In response, the company has revoked the certificates and instigated an investigation.

The certificates were exposed by certificate vendor SSLMate over the weekend. It revealed that a number of Symantec-sourced certificates had not been authorised by ICANN, while another batch appeared to be "test" certificates that SSLMate founder Andrew Ayer suggested probably covered domains owned by cyber squatters.

Digital certificates are intended to provide independent verification of the authenticity and ownership of a website in order to prevent attackers from impersonating a supposedly secure website. However, they rely upon the competence and honesty of third-party certificate authorities.

Symantec is one of the world's largest issuers of digital certificates under its own brand name, as well as GeoTrust, Thawte and RapidSSL.

Ayer said that although the company fired people after the last certificate scandal in October 2015, it appeared to have done little to tighten up its processes and procedures to prevent a recurrence.

Ayer has also criticised Symantec for issuing outdated SHA-1 certificates. "Symantec is an unbelievably bad certificate authority," Ayer added in a series of tweets.

He continued: "It looks an awful lot like Symantec never stopped using other people's domains for testing. For context, in 2015 Google caught Symantec issuing trusted SSL certs for other people's domains for testing, without authorization.

"This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorised. Even if the certs were only for testing, if a system allows employees to bypass authorisation, it will allow attackers to bypass it too.

"Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency. Symantec made a big show of firing the people supposedly responsible. Called it leadership. But they still look like the same old Symantec to me, up to their usual tricks!" claimed Ayer.

In response to Ayer's claims published on Mail-Archive.com, Symantec product manager Steve Medin admitted that the certificates had been wrongly issued.

"The listed Symantec certificates were issued by one of our WebTrust audited partners," said Medin.

He continued: "We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24-hour CA/B [certificate authority/browser] Forum guideline - these certificates each had 'O=test'. Our investigation is continuing."
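Medin identifies the mis-issued certificates by their "O=test" subject, and Ayer's complaints centre on certificates that were never logged to Certificate Transparency and on SHA-1 signatures. The Go program below is added here as an illustration (it is not code from the article, Symantec or SSLMate) and triages a certificate for exactly those three traits using only the standard library; the certificate it inspects is a constructed self-signed fixture, not one of the reported certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// RFC 6962 extension carrying embedded SCTs, i.e. proof the cert was CT-logged.
var sctListOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// TriageFindings flags an "O=test" subject, a SHA-1 signature and a missing SCT list.
func TriageFindings(cert *x509.Certificate) []string {
	var findings []string
	for _, o := range cert.Subject.Organization {
		if strings.EqualFold(strings.TrimSpace(o), "test") {
			findings = append(findings, "subject has O=test: looks like an internal test cert")
		}
	}
	if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
		findings = append(findings, "signed with SHA-1, which browsers have deprecated")
	}
	hasSCT := false
	for _, ext := range cert.Extensions {
		hasSCT = hasSCT || ext.Id.Equal(sctListOID)
	}
	if !hasSCT {
		findings = append(findings, "no embedded SCT list: issuance is not provably CT-logged")
	}
	return findings
}
// NewTestCert is a constructed fixture (not a real Symantec cert): self-signed, O=test, no SCTs.
func NewTestCert() (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"test"}, CommonName: "www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run against certificates pulled from a CT log for your own domains, the same checks surface test-style or unlogged issuance you did not request.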

In October 2015, Google slammed Symantec over what it labelled "questionable" digital certificates that the company had also "mis-issued".

Google's stinging criticisms came after Symantec, and a number of other companies that issue digital certificates, were fingered for issuing SSL certificates to fraudsters running fake banking websites.