Slashdot Mirror


Symantec Subsidiary Thawte Issues Rogue Google Certificates

New submitter jack_babylon writes: On September 14th, Symantec's subsidiary certificate authority Thawte accidentally released a "small number" of "inappropriately issued" security certificates, apparently intended for internal testing only. However, the fact that these were logged in the wild by Google (and, apparently, DigiCert) seems to indicate that they escaped the lab, at least far enough for a false google.com cert to raise the appropriate red flags. This sounds similar to the recent acts of poor judgement that got CNNIC's certs removed entirely from Firefox and Chrome, if more limited in scope and more quickly addressed (through, among other things, termination of some Symantec employees). (And like all reports one hopes go away quietly, these were released in the dead of a Friday night — h/t BoingBoing for noting this news.)

4 of 103 comments

  1. Re: Considering John Thompson's... by Anonymous Coward · · Score: 2, Informative

    My brother had to cancel his honeymoon last month. He had his vacation time denied by Microsoft. The thing that has made him so angry is that since then several Indian coworkers have been allowed two week or longer vacations.

  2. Re:How is this possible? by petermgreen · · Score: 4, Informative

    Your browser gets a list of trusted root certificates and will accept any valid certificate issued by these CAs. On my windows 8 box there are 53. Any of these providers could issue certificates for any number of domains.

    Worse those providers can issue "intermediate certificates" which also have the power to issue certificates for any number of domains. They can and do issue those intermediate certificates to third parties. So the list of root certs in your browser is not a complete list of entities who can issue certs your browser will trust.

    There was recently an extension added to allow intermediate certs to be limited to certain ranges of names but that only helps in clients new enough to recognise the extension.

    There was also recently an extension added for "key pinning" which makes bogus certs less useful.

    Google is their own certificate authority.

    At least when I go to google and check the cert I get a cert that has a google intermediate and a geotrust root. I don't see any evidence of name constraints on said intermediate cert though :(

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

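
An added example, not from the thread or any commenter, of the name-constraints mechanism petermgreen describes: a throwaway root -> intermediate -> leaf chain is built with OpenSSL (assumed to be 1.1.1 or later, on PATH), the intermediate is restricted to names under example.com, and two defender-side checks follow: whether a CA certificate carries a Name Constraints extension at all, and whether `openssl verify` rejects a leaf issued for a name outside the permitted tree. All subject names, keys and certificates are constructed test data.

```shell
#!/bin/sh
# Added example (not the thread's code). Builds root -> intermediate -> leaf with OpenSSL,
# where the intermediate carries an X.509 Name Constraints extension (RFC 5280 4.2.1.10)
# permitting only DNS names under example.com. Assumes openssl 1.1.1+; all data constructed.
set -e
WORK=$(mktemp -d)
cat > "$WORK/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.example.com
[leaf_in]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
[leaf_out]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.net
EOF
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
# issue SUBJECT_CN ISSUER_BASENAME EXT_SECTION NEW_BASENAME: CSR + signed cert into $WORK.
issue() {
  openssl req -new -key "$WORK/$4.key" -subj "/CN=$1" -config "$WORK/cnf" -out "$WORK/$4.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$4.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/cnf" -extensions "$3" -days 1 -out "$WORK/$4.pem" 2>/dev/null
}
newkey "$WORK/root.key"; newkey "$WORK/int.key"; newkey "$WORK/good.key"; newkey "$WORK/bad.key"
openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Constructed Test Root" -config "$WORK/cnf" \
  -extensions root_ext -days 1 -out "$WORK/root.pem" 2>/dev/null
issue "Constructed Test Intermediate" root int_ext int
issue "www.example.com" int leaf_in good    # inside the permitted subtree
issue "www.example.net" int leaf_out bad    # outside it, i.e. what a mis-issuance looks like
# The check the commenter wanted: does this CA certificate carry a Name Constraints extension?
has_name_constraints() { openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Name Constraints'; }
# Does OpenSSL accept this leaf when chained through the constrained intermediate? (exit 0 = yes)
verify_leaf() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$1" >/dev/null 2>&1; }
for c in root int; do
  if has_name_constraints "$WORK/$c.pem"; then echo "$c: name constrained"; else echo "$c: unconstrained"; fi
done
for leaf in good bad; do
  if verify_leaf "$WORK/$leaf.pem"; then echo "$leaf leaf: accepted"; else echo "$leaf leaf: rejected"; fi
done
```

The out-of-tree leaf fails with a "permitted subtree violation", which is exactly the protection an unconstrained intermediate lacks; clients that do not understand the extension get none of it.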
  3. Re:Operation Flying Pig by khellendros1984 · · Score: 4, Informative

    As for browsers, I should be able to remove Thawte from the trusted chain

    Go ahead. In Firefox, hamburger->options->advanced->certificates->view certificates. Find the two headings for Thawte and set all of their entries to "distrust". I've no idea exactly how much of the web will stop working correctly after that, but it's not hard to do.

    I should be able to configure a warning if a domain has changed its certificate authority chain since the last time we saw it.

    You should, and I'm sure there's some kind of add-on or setting for that, but I don't know what it would be off the top of my head.

    --
    It is pitch black. You are likely to be eaten by a grue.

  4. Re: Operation Flying Pig by Anonymous Coward · · Score: 2, Informative

    Certificate Patrol would be that plugin: https://addons.mozilla.org/addon/certificate-patrol/
    But I cannot understand why it is used so rarely. There also used to be DANE Patrol which used to do the same thing while being able to handle multiple certs for 1 domain (think Google) made by Czech NIC, but it is not developed anymore and they recommend not to use it.