Symantec Subsidiary Thawte Issues Rogue Google Certificates
New submitter jack_babylon writes: On September 14th, Symantec's subsidiary certificate authority Thawte accidentally released a "small number" of "inappropriately issued" security certificates, apparently intended for internal testing only. However, the fact that these were logged in the wild by Google (and, apparently, DigiCert) seems to indicate that they escaped the lab, at least far enough for a false google.com cert to raise the appropriate red flags. This sounds similar to the recent acts of poor judgement that got CNNIC's certs removed entirely from Firefox and Chrome, if more limited in scope and more quickly addressed (through, among other things, termination of some Symantec employees). (And like all reports one hopes go away quietly, these were released in the dead of a Friday night — h/t BoingBoing for noting this news.)
That's some very suspicious "testing", kids.
What are you up to?
Perhaps in bed with some three-lettered thugs?
Ha ha ha ha!
We're all screwed.
You have a horrible misunderstanding of certificates.
Sure. They violated security protocol "by accident" and compromised everyone's security "by accident".
If they start over and make a secure system, I predict it will be made illegal.
Sorry I fell for him then.
So the system is designed broken so that any cert can issue fraudulent certificates? Sounds right. Jesus.
At one point they were the only company that allowed you to run an HTTPS server with open source. It's sad to see that VeriSign has so destroyed a good company.
Explain.
My understanding of x509 is that google is supposed to generate signing reqs
Anyone can generate a CSR+keypair for "*.google.com".
It's up to the CA to validate the request before signing it.
In this case, it was the CA itself that generated the bogus CSR, then signed it, then let the keypair leak into the wild.
Nice job Thawte!
Not the GP poster, but here goes:
The ideal situation is that the Certificate owner generates a signing request and has that signed, so the original key does not go outside the certificate owner.
However, there is nothing in the current setup to prevent a certificate authority from generating a request in the name of any domain and signing it. That's what appears to have happened here.
The real question is 'why?'. The explanation ("testing") doesn't pass muster. Someone would have to deploy these certificates on a service that was either a Google property or was masquerading for a Google property. Does Google outsource the deployment of certificates? I would doubt this very much, which suggests that this wasn't so much an accident as the influence of a TLA.
The real "Libtards" are the Libertarians!
Really?
Seriously?
Any trusted certificate authority can issue certificates for ANY domain. This is the trust aspect that is required in a PKI.
Your browser gets a list of trusted root certificates and will accept any valid certificate issued by these CAs. On my windows 8 box there are 53. Any of these providers could issue certificates for any number of domains.
The failure here is that Thawte allowed those certificates to be issued for ANY reason.
Google is their own certificate authority and likely has no need for a relationship with Thawte.
Makes sense, and is basically what I said, but I assumed that thawte was handling google's certs for them. Thanks for the clarification.
Google is their own certificate authority and likely has no need for a relationship with Thawte.
That I did not know.
now?
And Thompson was head of the committee that picked Satya. That was a terrible choice given the racial problems here. Probably the biggest one is the vacation inequality. Most Americans have a hard time getting even a long weekend approved while the employees from Asia have no problem getting two or more contiguous weeks off. Yes, the travel to India is expensive and takes a long time so you need two weeks, but it’s currently being allowed at the expense of the rest of us. Also, we are required to take the slack. So, we don’t get time off and we have to work even harder.
Yes, I assumed that thawte was managing google's certs for them when I wrote that.
From the summary: "...termination of some Symantec employees..."
Is this the first time that individuals were held responsible for online negligence? What happens to a CEO or CIO when data on millions of people slips out due to negligence? Has anyone ever been fired before (not just a flunky, but a responsible executive)?
The penalties for corporate irresponsibility are so small that there is no incentive to do the right thing. Actually, this case may be an exception because both Thawte and Symantec have a reputation to protect- they might actually fire an executive. The question remains (and you can ask the same of Wall Street criminals)- when has any executive ever paid for this kind of negligence?
...omphaloskepsis often...
> vacation inequality.
That is a great term for it. I haven't heard it before. The morale for those of us that have been here for over a decade is pretty low. It wears you down when certain people get long vacations while others can't. Microsoft is treating its most experienced and best developers like crap. I hit my vacation cap about 11 years ago so it is depressing to just continue to keep losing more and more vacation time.
Microsoft has really hit a low. We all thought Ballmer was as bad as it could be, but when you hire the former head of Symantec, it shows you've given up on making good products. They're now just milking it as long as they can.
He is friends with Obama and is getting rid of many of the best and most experienced people in the name of diversity. The current unfairness in the vacation policy is just one of the many things that is killing morale. I hate going to work now. Most of my coworkers are angry and fed-up.
Security company dicking up the one thing they are supposed to be good at.
locate -i thawte|sudo xargs rm -rvf
Just as I did for DigiNotar and Comodo
you're not special bitches.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
To apply for the job, please contact DICE Holding Inc.
Really, the word salad in the second to the last sentence is making my eyes bleed. Is proper king's English now optional, on lazy Saturday nights, here?
My brother had to cancel his honeymoon last month. He had his vacation time denied by Microsoft. The thing that has made him so angry is that since then several Indian coworkers have been allowed two week or longer vacations.
That is the fault of white employees that don't quit after they're treated unfairly. Most of my Indian friends would quit if they were told they couldn't go home. We white employees at Microsoft are doing it to ourselves.
Sure it's not a perfect fix, but publishing the signatures of your SSL certs in DNS would take care of a lot of this low hanging fruit. A standard for cosigning your certs and pinning that cert would also help.
The end effect is needing to break multiple vectors not any of a multitude of root level CA's.
No sir, I don't like it.
And is now causing horrific race problems here. Too many long time employees are being driven out in the name of diversity. Microsoft has a quality problem, and hiring based on race instead of ability is just going to make things worse.
It's not that Google or Thawte have failed to correctly revoke certificates: it's that far too many people, at far too many sites and with far too many technologies, do not actually keep their signature authorities up-to-date. Because these people don't update signature authorities, they are unable to verify numerous valid certificates. These people then simply set their automated procedures, or make it their personal practice, to accept invalid certificates.
The notable case of this I saw recently is RHEL 5, where the signature authority information in the /etc/pki files is managed inside the openssl packages, and updating openssl on a live server is likely to cause fascinating problems for an old, stable, production server. RHEL 6 sensibly put the root SSL keys in a separate package, but it's certainly not an unusual problem.
It's all good now. Employees have been fired and some guy on a Symantec blog said the internet was never at risk. We all can relax and enjoy life.
lucm, indeed.
Thompson really screwed over the white employees of Symantec. It's no surprise that racist would do the same at Microsoft. The company will never recover.
Microsoft has always had racist vacation policies. When I was there in 1982 the white employees weren't allowed a single day off while the few Indian guys we had were allowed to take two to three weeks off to go home to India. This racism is nothing new for Microsoft.
Your browser gets a list of trusted root certificates and will accept any valid certificate issued by these CAs. On my windows 8 box there are 53. Any of these providers could issue certificates for any number of domains.
Worse those providers can issue "intermediate certificates" which also have the power to issue certificates for any number of domains. They can and do issue those intermediate certificates to third parties. So the list of root certs in your browser is not a complete list of entities who can issue certs your browser will trust.
There was recently an extension added to allow intermediate certs to be limited to certain ranges of names but that only helps in clients new enough to recognise the extension.
There was also recently an extension added for "key pinning" which makes bogus certs less useful.
Google is their own certificate authority.
At least when I go to google and check the cert I get a cert that has a google intermediate and a geotrust root. I don't see any evidence of name constraints on said intermediate cert though :(
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
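The name-constraints extension mentioned above limits which dNSNames an intermediate may sign for. As an added example (not code from any browser or CA, and using constructed constraint values), this implements the RFC 5280 dNSName subtree matching a client applies when it does recognise the extension:

```python
"""RFC 5280 section 4.2.1.10 dNSName name-constraint check for an intermediate CA.
Added example with constructed names; not taken from any real certificate."""
from typing import Iterable


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """A constraint 'example.com' matches example.com and any host.example.com.
    The leading-dot form '.example.com' (used by some CAs) matches subdomains only."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree) and len(name) > len(subtree)
    return name == subtree or name.endswith("." + subtree)


def names_allowed(leaf_names: Iterable[str],
                  permitted: list[str],
                  excluded: list[str]) -> list[str]:
    """Return the leaf SAN entries that violate the intermediate's constraints.

    An empty permitted list means 'no permitted subtrees', i.e. unconstrained,
    which is how an intermediate without the extension behaves. Excluded
    subtrees always win over permitted ones. Wildcard SANs ('*.example.com')
    are checked on their parent domain (assumption; RFC 5280 leaves this open)."""
    violations = []
    for san in leaf_names:
        host = san[2:] if san.startswith("*.") else san
        if permitted and not any(dns_name_in_subtree(host, p) for p in permitted):
            violations.append(san)
        elif any(dns_name_in_subtree(host, e) for e in excluded):
            violations.append(san)
    return violations


if __name__ == "__main__":
    # Constructed case: an intermediate permitted only for example.com signs a
    # leaf that also claims a name under another domain.
    print(names_allowed(["www.example.com", "mail.other.test"], ["example.com"], []))
```

A client that honours the extension rejects the leaf when the returned list is non-empty; a client too old to parse the extension never gets this far, which is the caveat the comment makes.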
The problem is that any of the many entities your browser trusts can create a valid certificate for any domain and the browser will just accept it.
What we need is to move away from CAs and adopt a new system for storing the information needed to make a web connection secure. Storing keys in DNS and using DNSSEC to secure that is one option. And there are others (although I can't actually remember any of them off the top of my head).
If you have a situation where it's impossible for anyone other than the actual owner of the domain to store a key, it's not possible for a rogue CA (or a hacked CA a la DigiNotar, or one that has been co-opted by a government or intelligence agency) to issue a bogus certificate or a bogus public key.
What I don't get is why there is no real interest from the people who came up with these alternatives to push them particularly hard, and why there is basically zero interest from the people and entities who write the software that the web runs on (browsers, servers etc.) to make any moves towards using these new systems.
"BRUNSWICK >> A Brunswick man was arrested Thursday for tampering with town letterhead.
State Police said Leslie C. McDermott, 49, of Brunswick was charged with first-degree criminal tampering, a felony. He is accused of tampering with letterhead from the Town of Brunswick building inspector’s office to create a falsified document to satisfy a real estate transaction."
I guess we now know who provides NSA false certificates (they man-in-the-middled Google https before), so now I'd like to distrust all Thawte certs.
So no, they won't be prosecuted, or removed from the chain, or anything, because Stasi are loyal to Stasi.
Racist is the correct word. When HR won't stand up for you because you're white and admits freely that the company's policy is to not allow vacation time to whites, but allow three weeks contiguous every year to the Indian employees, then you are past the point of no return.
This isn't the first time a certain agency has man-in-the-middled Google with fake certs:
https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml
If they don't remove Thawte for faking a Google certificate, how much bigger a fake does it need to be to remove their authority??
As for browsers, I should be able to remove Thawte from the trusted chain, and I should be able to configure a warning if a domain has changed its certificate authority chain since the last time we saw it.
The government probably asked Symantec to make them some Google certificates.
He is a racist. Why would you expect him to do anything different? That is also why he is friends with Obama. White employees at Microsoft are now treated like garbage. They treat us like garbage.
I worked for him at Symantec. He hated me for being white. He didn't allow me to take a single vacation day off in over two years. My daughter was in NICU so it sucked not being able to see her. He later made fun of me for my "bad genetics."
That's like the too-big-to-fail argument, the idea that you can't let a corp fail because its too big.
ALL of the TLS certificates ARE invalid, because if we can't trust the certificate system then the basis for certificates is invalid.
Two other strategies are certificate pinning and certificate transparency. For pinning, you declare that only a certain intermediary CA (or root CA) may sign certs for your domain. So Google basically declares that all *.google.com certs must be signed by the specified Google CA. This information can either be hardcoded in the browser (for major sites) or relayed the first time the browser contacts the domain. So with hardcoded pinning, only Google can sign their certs. With http-pinning, another CA could only spoof the cert if the user had never loaded Google before.
The other initiative is certificate transparency. Basically it's a public log of all certs issued by participating CAs. (Non-participating CAs shouldn't be trusted by default). Transparency would have prevented the false Google cert that happened a year or two ago because the unrestricted signing cert granted to the customer would have been immediately flagged as suspicious. If an invalid cert is signed directly by a trusted root CA, it can be detected immediately because Google would be monitoring the public logs and see a cert being issued for their domain. Smaller companies which don't want to directly monitor logs themselves can sign up for a notification service. Suppose I offer such a service and you are my customer. Any time a cert is issued for one of your domains, I'd call you and let you know. You could then take immediate action if it was improper. A company offering such a service would probably also offer assistance in handling the situation.
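The monitoring idea in the last paragraph, as an added example (constructed log slice and placeholder issuer names, not any CT log's or CA's code): scan log entries for certificates that cover a domain you control and were not issued by the CA you expect.

```python
"""Certificate Transparency log monitor: flag certs for your domains from
unexpected issuers. Added example; the log entries below are constructed."""
from dataclasses import dataclass


@dataclass
class LogEntry:
    index: int          # position in the CT log
    issuer: str         # issuer name as logged (placeholder strings here)
    names: list[str]    # subjectAltName dNSName entries


def name_under_domain(san: str, domain: str) -> bool:
    """True when the logged SAN is the domain, a subdomain of it, or a wildcard
    inside it ('*.example.org' counts as inside example.org)."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == domain or san.endswith("." + domain)


def find_unexpected(entries: list[LogEntry],
                    watched: dict[str, set[str]]) -> list[tuple[int, str, str]]:
    """watched maps a domain you own to the issuers allowed to sign for it.
    Returns (log index, offending SAN, issuer) for every entry that names
    something under a watched domain but comes from a non-allowed issuer."""
    alerts = []
    for entry in entries:
        for domain, allowed in watched.items():
            if entry.issuer in allowed:
                continue
            for san in entry.names:
                if name_under_domain(san, domain):
                    alerts.append((entry.index, san, entry.issuer))
    return alerts


# Constructed sample: one legitimate cert, two that an owner of example.org
# would want to hear about, one for an unrelated domain.
SAMPLE_LOG = [
    LogEntry(1001, "Example Internal CA", ["www.example.org", "example.org"]),
    LogEntry(1002, "Other Test CA", ["*.example.org"]),
    LogEntry(1003, "Other Test CA", ["*.unrelated.test"]),
    LogEntry(1004, "Other Test CA", ["deep.sub.example.org"]),
]
WATCHED = {"example.org": {"Example Internal CA"}}


def run_sample() -> list[tuple[int, str, str]]:
    return find_unexpected(SAMPLE_LOG, WATCHED)


if __name__ == "__main__":
    for index, san, issuer in run_sample():
        print(f"log entry {index}: {issuer!r} issued a cert covering {san}")
```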
https://productforums.google.c...
"I am seeing "certified by Thawte Consulting (Pty) Ltd when I point cursor to googlemail. Is it normal or fishy?"
I always thought it was some untrustworthy African name.
Ultimately that's a patch put over the problem.
If we built a system that removed the certificate authorities then more sites would be secured because the barrier to encryption would be lowered. There is less reason to trust a Thawte cert for site X than trust site X's own cert.
I would also be suspicious of Norton Anti-virus at this point, and any Symantec code signing. Rogue employee my ass!
Certificates are there for security, and if it's so easy for Symantec or whoever to fabricate certificate (Google or whoever), no matter if it's for 'internal use' or for the 3-letter bedfellows, something is not right!
The CNNIC incident was a real accident and the removal of the root certificate from Chrome was discussed but not followed by other browser-developers. Google is a highly politicized entity closely linked to the intelligence community. The supposed subverting of the certificate by CNNIC never escaped in the wild and was purely exaggerated in the media to justify demands for cyber warfare budgets.
Microsoft just loves to make white employees cancel honeymoons. They know marriage will be a distraction from work. Married employees are much less likely to put up with "Seattle hundreds" as compared to the married ones. I put up with it for nearly a decade, but working a hundred hours a week finally wore me down, and I had to quit. There's definitely two different sets of standards there. Upper management doesn't mind when an Indian employee gets married, but when an American tries, they fight it with every thing they have.
At Symantec there definitely were two classes of people when it came to vacation time. I know I wasn't allowed a single day off the nearly three years I worked there while Thompson was in charge. It sounds like from the comments here that he is doing the same at Microsoft.
You just described HR everywhere. They protect the company and not the employee. After working for almost a dozen different startups in the Seattle area, I'm fed up. I haven't had an entire week off since 1994, but most of my Indian coworkers get two or more weeks off every year. Of course complaining to HR does no good.
IMHO this is a perfect example of why DANE and DNSSEC need to be implemented in both server and client software ASAP.
He was only hired because of his White House connections. In every other way he is an incompetent moron that was only hired for his race, but you can't blame Gates for wanting access to Obama.
This is true. I know a Thawte partner in Spain that by default, and without asking, generates a key and has that key signed by Thawte, then sends you the key and certificate by email. I was served this way even for a renewal!!
When I told the clerk I wasn't putting THAT private key on any server whatsoever and asked WTF they were doing, he told me it was standard procedure. I just asked for contact with a supervisor who understood something about security.
After that I was allowed to send an appropriate CSR for the procedure. They also told me they were revoking the rogue certificate they created...
So yes, it's not only that the CA concept is broken; even they and their partners don't know how to handle things securely.
Security requires both encryption and trusted identification. The first is easy, the second is what the CAs are for.
Does America really suck that hard in the HR areas? Over here in Europe there is guaranteed 4 to 5 weeks vacation.
What needs to happen until a corporation is terminated?
That is the main issue here. As human beings, we understand there are limits to what we can do before we face really serious consequences. I mean jail time, not monetary punishment. Money is simply an expense. It might hurt, even hurt a lot, but it is not on the same level as being locked up.
Where is the jail time equivalent for corporations, and why do we continue to believe that we can somehow control them without it? To take back control of our worlds from corporations running amok over it, we need this.
To fire a number of employees means something very seriously went wrong. It also means the corporation allowed it to go wrong. This could be rogue employees the way someone robbing a bank with your car had lied to you when borrowing it, saying he needs to visit his ill grandmother urgently. Or it could be that you gave a gun to an obviously unstable kid when he said he's going to school and he's angry. You really should have at least asked a few more questions before handing over the firearm.
So what will happen to Thawte in response?
Assorted stuff I do sometimes: Lemuria.org
I just checked the google SSL cert for gmail. I cannot find the pinning you mentioned in any of the certificate extensions. How is that done exactly?
And the CAs have proven to be more interested in the sales part of the business than in the security part of the business. Thawte requires more checks than most systems, but the middleman certificate authorities such as DigiNotar have proven incompetent and apparently had their _signing_ keys stolen. And for many signature authorities, it's quite simple to request, pay for, and be issued a fraudulent new corporate SSL certificate for another company due to poor verification of the client identity. That's social engineering, not a technical engineering hack, and it's embarrassingly commonplace. I do it as a matter of course when the original purchaser of the SSL certificate is long gone and my company's ticket, or a partner's ticket, is expiring and I'm contacted at the last minute. It's with the cooperation of the actual owner of the website, but it's unsurprisingly easy to get passwords changed to the company's SSL account.
What's a Rogue Google, and why does it have a Certificate?
HR keeps nagging me to take my mandatory 2 weeks vacation asap (10 consecutive days out of the 26 total days per year)
In Firefox, Thawte certs always come back even when you distrust them.
I've tried several of these US cert authorities I would like to flag as distrusted but Firefox restores them automatically.
There's nothing to find in the cert. The first method on pinning is in the browser itself. Microsoft can tell their browser which keys are allowed to sign for update.windows.com before they ship the browser.
The second method is via http headers:
https://developer.mozilla.org/...
What do you mean by "manage"?
I'm using firefox and have changed the trust settings to "No Trust" for all certificates and the funny thing is, I no longer get the god damn warning about adding certs that I need to, especially self-signed certs for those websites that are hosting content but not selling. Very nice as some of the blogs I visit have those self-signed certs. Good enough for the originally intended use (secure communication) not purchasing. Do I have lots of certs added that I trust? Fuck no - I have a dozen such as those by Google (I do use gmail and apps). The others I have are for sites that use self-signed certs to offer HTTPS access. Cheap and works well for the intended purpose.
This is the worst type of offense in that business. It doesn't matter how it happened or whichever scapegoat they come up with to throw under the bus. We MUST call for Thawte to be removed from the root of trust in browsers and OS/security vendors. They CANNOT be granted a pass just because they are "too big to fail". Cue the "you had ONE job to do" memes.
If we do not hold these companies accountable, who the heck will? They NEED to be made an example of. This is the kind of misappropriation and mishandling of trust that should effectively drive a company such as Thawte into BANKRUPTCY or outright EXTINCTION. This should be the very type of egg-in-the-face that leads to the CLOSING of their doors altogether. Do not accept their public apology and allow them to continue with business as usual like nothing happened.
NEVER MIND that the whole CA idea is a flawed security model. I do NOT want to see this conversation devolve into theoretical hypothetical total replacement solutions. THIS hierarchy of CAs is the best/only thing we have right NOW. (DANE is the exact same design just a different underlying protocol stack and displacement of trust to another hierarchy.) They ALL need to be shown and see we EXPECT them to UPHOLD their end of the bargain, NO mulligans, NO do-overs, NO take-backsies.
Not that any domain should deserve special treatment over the rest but in practice it certainly does. This is Google.com we are talking about here. One does not whoops accidentally issue what amounts to a downright fraudulent cert to Google.com. This incident represents a complete and total breakdown and failure of Thawte and as far as I'm concerned, from here on out, the Thawte name should only exist as a black mark in history to remind the rest of the trust industry what happens when they mishandle that trust. They are not "too big to fail" as they HAVE FAILED US and shall be REPLACED. There are plenty of (too many) other CAs. Good ones will take up the slack and bad ones need to continue to be churned out as root anchor lists are maintained. It is NOT hard and NOT too inconvenient to have your site's cert reissued by a surviving CA.
WE NEED TO hold the companies in these hierarchies ACCOUNTABLE for their mistakes AND the mistakes of ALL AGENTS working on their behalf to show that TRUST is taken SERIOUSLY. (Even if between you and me, we really don't trust anyone in these "blessed" hierarchies anyway.)
If this sort of breach passes forgotten with a slap on the wrist or less then we seriously hinder the ability of similar trust anchors to protect themselves legally from coercion from TLAs with the claim of the potential of harm that comes from playing fast and loose with our trust and letting TLAs manipulate the "grey areas".
Tweet to @googlechrome @mozilla @microsoft or contact them by other means that you think Thawte needs to be removed in whole. If they have not revoked their trust in the next release then this issue SHOULD be filed as a BUG REPORT and considered a serious security problem, and I hope anyone who values their security in the least will follow up and pursue this. This IS an example where EACH of us CAN make a difference. Make a STINK about it, that is one of our ONLY protections against this sort of thing.
I did not watch my buddies DIE face down in the MUCK so that trust could be so misappropriated and abused. Please join me in taking a stand. Please upvote my comment AND actually communicate and issue correspondence, ideally publicly, to the various maintainers of lists of trust anchors.
There's two key pinning methods in modern browsers that the GP mentioned. "Hard-coded pinning" means that the browser comes with a preset list of pinned certificates. The other is HPKP (HTTP public key pinning) which uses HTTP headers to add a site to the pin list when you visit it, ensuring that you check that the cert is the same on the next visit. Note that you can pin any cert in the chain: the CA, the intermediate CA, or the actual cert used by the domain. Usually people pin the intermediate CA cert, but if it's not under your control, then that CA can still break your security.
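The HPKP mechanism described here and in the earlier pinning comments (the HTTP header method, and pinning a chosen certificate anywhere in the chain), as an added example that is not browser or Mozilla code. The SPKI blobs are constructed stand-ins, not real DER; the pin format is the RFC 7469 one, base64 of SHA-256 over the SubjectPublicKeyInfo:

```python
"""HPKP (RFC 7469) pin computation, header parsing and validation.
Added example with constructed SPKI byte strings in place of real DER."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    pins, max_age, include_sub = [], None, False
    for directive in header.split(";"):
        d = directive.strip()
        if not d:
            continue
        name, _, value = d.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "includeSubDomains": include_sub}


def header_is_valid_for_chain(header: str, chain_spkis: list[bytes]) -> bool:
    """RFC 7469 section 2.5: a client only stores the pins if the header has
    max-age, at least one pin matching a certificate in the validated chain,
    and at least one pin that does not match (the offline backup pin)."""
    h = parse_hpkp(header)
    if h["max_age"] is None or not h["pins"]:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = any(p in chain_pins for p in h["pins"])
    backup = any(p not in chain_pins for p in h["pins"])
    return matched and backup


def chain_matches_pins(stored_pins: list[str], chain_spkis: list[bytes]) -> bool:
    """On a later visit: accept only if some stored pin appears anywhere in the
    chain (leaf, intermediate or root), which is why pinning the intermediate
    still rejects a different intermediate under the same root."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in stored_pins)


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
ROOT_SPKI = b"constructed-root-spki"
BACKUP_SPKI = b"constructed-offline-backup-spki"
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]
# Same root, different intermediate and leaf: what a mis-issued cert looks like.
OTHER_CHAIN = [b"other-leaf-spki", b"other-intermediate-spki", ROOT_SPKI]


def example_header() -> str:
    """Header a site pinning its intermediate plus a backup key would send."""
    return ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
            % (spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)))


if __name__ == "__main__":
    pins = parse_hpkp(example_header())["pins"]
    print("first visit stores pins:", header_is_valid_for_chain(example_header(), CHAIN))
    print("same chain later:", chain_matches_pins(pins, CHAIN))
    print("other chain under same root:", chain_matches_pins(pins, OTHER_CHAIN))
```

As the comment says, this only protects a browser that has already seen the header; the first visit, or a visit after max-age has expired, gets no check.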
Hear here.
Dear Slashdot: Thank you for knowing the difference between out-of-bounds behaviour (rogue) and make-up (rouge). Because the rest of the Internet seems to be having a problem with that.
"Someone would have to deploy these certificates on a service that was either a Google property or was masquerading for a Google property"
No, they wouldn't. They could do it on an internal network and test there.
If so, how would Google know that the fake certificate exists? Does Chrome report fake certs back to the mothership?