Symantec Issues More Unvalidated SSL Certificates

Symantec, who is already on probation for issuing inappropriate SSL certificates, issued more than a hundred additional “illegit” certificates.

SSL certificates – more technically TLS certificates – are the bits of technology required to make those “secure” web sites work.

Certificates are issued by certificate authorities (CAs) – organizations who have supposedly set up processes and controls to only issue certificates to, for example, the real owners of web sites, among many other rules.

There is a CA oversight board that actually has the authority to shut down CAs who do not follow the rules, but that almost never happens because it would put those companies out of business.

In this most recent case, Symantec was found to have issues at least 108 bogus certificates. 9 of the certificates were issued without the knowledge of the web site owner;  the rest were issued without proper validation.

Some of these bogus certificates were revoked quickly, but some were not.

Even after the certificates are revoked, there are many situations where the bogus certificates might still work in a browser.

This is the reason that there are many rules for CAs to follow.  Only, they don’t always do that.  It is highly unlikely that anything will happen to Symantec as a result of this second bogus certificate issue.  Last year, Symantec issued bogus certificates to Google, among other sites.  Those certificates would allow a hacker, for example, to create a fake GMail site and attract visitors to it.  Anyone who visited the fake site and logged in would have his or her GMail credentials compromised and give the attacker the ability to read all of his or her mail.

The Symantec owned CAs in question are Symantec Trust Network, GeoTrust and Thawte.

After Symantec’s mistake last year, Google required Symantec to log all certificates it issues in a “transparency log” – just so that researchers can check on them.  Whether all of the bogus certificates were caught or not is probably a subject to debate.  Google and the other major browser vendors that run the CA oversight board can dictate to the CAs what they have to do because the browsers have to accept the CA’s master key.  If Google or another browser vendor were to stop accepting Symantec’s master key – as they have done for the Chinese CA WoSign – then all of the certificates that they issue will generate an error message when a user tries to initiate an HTTPS session using that browser.

Given Symantec issues so many certificates, it could fall into the “too big to fail” category, making it hard for the CA oversight board (technically the CA/Browser Forum) to shut them down.

My suggestion is to use a different CA – there are lots of them.  Sending a message with your checkbook is always a prudent practice.

Information for this post came from Ars Technica.

Leave a Reply

Your email address will not be published.