Slashdot Mirror


Symantec Subsidiary Thawte Issues Rogue Google Certificates

New submitter jack_babylon writes: On September 14th, Symantec's subsidiary certificate authority Thawte accidentally released a "small number" of "inappropriately issued" security certificates, apparently intended for internal testing only. However, the fact that these were logged in the wild by Google (and, apparently, DigiCert) seems to indicate that they escaped the lab, at least far enough for a false google.com cert to raise the appropriate red flags. This sounds similar to the recent acts of poor judgement that got CNNIC's certs removed entirely from Firefox and Chrome, if more limited in scope and more quickly addressed (through, among other things, termination of some Symantec employees). (And like all reports one hopes go away quietly, these were released in the dead of a Friday night — h/t BoingBoing for noting this news.)

5 of 103 comments

  1. Re:How is this possible? by whoever57 · Score: 5, Interesting

    Not the GP poster, but here goes:

    The ideal situation is that the certificate owner generates a signing request and has that signed, so the original key does not go outside the certificate owner.

    However, there is nothing in the current setup to prevent a certificate authority from generating a request in the name of any domain and signing it. That's what appears to have happened here.

    The real question is 'why?'. The explanation ("testing") doesn't pass muster. Someone would have to deploy these certificates on a service that was either a Google property or was masquerading for a Google property. Does Google outsource the deployment of certificates? I would doubt this very much, which suggests that this wasn't so much an accident as the influence of a TLA.

    --
    The real "Libtards" are the Libertarians!
  2. Re:How is this possible? by xous · Score: 3, Interesting

    Any trusted certificate authority can issue certificates for ANY domain. This is the trust aspect that is required in a PKI.

    Your browser gets a list of trusted root certificates and will accept any valid certificate issued by these CAs. On my Windows 8 box there are 53. Any of these providers could issue certificates for any number of domains.

    The failure here is that Thawte allowed those certificates to be issued for ANY reason.

    Google is their own certificate authority and likely has no need for a relationship with Thawte.

  3. CAs are the problem by jonwil · Score: 3, Interesting

    The problem is that any of the many entities your browser trusts can create a valid certificate for any domain and the browser will just accept it.

    What we need is to move away from CAs and adopt a new system for storing the information needed to make a web connection secure. Storing keys in DNS and using DNSSEC to secure that is one option. And there are others (although I can't actually remember any of them off the top of my head).

    If you have a situation where it's impossible for anyone other than the actual owner of the domain to store a key, it's not possible for a rogue CA (or a hacked CA à la DigiNotar, or one that has been co-opted by a government or intelligence agency) to issue a bogus certificate or a bogus public key.

    What I don't get is why there is no real interest from the people who came up with these alternatives to push them particularly hard, and why there is basically zero interest from the people and entities who write the software that the web runs on (browsers, servers etc.) to make any moves towards using these new systems.
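
Added example, not from any poster in this thread: a small Go program modelling the point made in comments 2 and 3. `browserAccepts` shows that a leaf signed by any one of the trusted roots passes ordinary chain validation, so a certificate mis-issued by a second trusted CA is indistinguishable from the genuine one; `tlsaSPKI` computes the hash a domain owner would publish as a DANE TLSA "3 1 1" record in DNSSEC-signed DNS, against which the mis-issued certificate fails. The CA names, host name and all key material are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a certificate for name signed by parent; a nil parent yields a self-signed root.
// Keys, CA names and certificates are constructed on the fly for the demo; nothing here is real.
func mkCert(name string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !ca { tmpl.DNSNames = []string{name} }       // a leaf names the host it will serve
	if parent == nil { parent, pkey = tmpl, key }   // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// browserAccepts models today's PKI: the leaf is trusted if ANY root in the store signed it,
// so a certificate mis-issued by some other trusted CA looks exactly like the genuine one.
func browserAccepts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
// tlsaSPKI is the association data of a DANE TLSA "3 1 1" record (RFC 6698): SHA-256 over the
// SubjectPublicKeyInfo. Only the zone owner can publish it under DNSSEC, so a certificate
// carrying any other key is rejected no matter which CA signed it.
func tlsaSPKI(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

func main() {
	rootA, keyA := mkCert("Root A", true, nil, nil)
	rootB, keyB := mkCert("Root B", true, nil, nil) // another root the client also trusts
	genuine, _ := mkCert("www.example.com", false, rootA, keyA)
	rogue, _ := mkCert("www.example.com", false, rootB, keyB) // mis-issued, as in the story
	roots := []*x509.Certificate{rootA, rootB}
	published := tlsaSPKI(genuine) // what the domain owner would publish in DNS
	fmt.Println(browserAccepts(rogue, roots, "www.example.com"), tlsaSPKI(rogue) == published) // true false
}
```

The chain check passes the rogue certificate because Root B is in the store; the TLSA comparison rejects it because the key is not the one the owner published.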

  4. Re:Instantly executed by behrooz0az · Score: 3, Interesting

    I live in Iran; most probably they were issued for my government. This is the most practical solution here.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  5. Re: SubjectsInCommentsAreStupid by Zocalo · Score: 4, Interesting

    Why?

    Let's see. Based on what information we have so far, which almost certainly isn't the whole story, the incident happened on Friday night. It's now early Sunday morning in the US and some employees have already been terminated, presumably for gross misconduct since mistakes can (and do) happen, so that alone implies this was probably a willful act and the perpetrators were somehow either caught in the act or there was a clear audit trail when the fake "google.com" certificate came to light. There have already been allegations that the US' TLA agencies have been planting employees in US tech companies for such purposes, so OP's conclusion isn't completely out of the field, although it could just as easily have been a large criminal organization or foreign government. Due to the requirements of making effective use of a fraudulent certificate, it's highly unlikely to have been a get-rich-quick scheme dreamed up by those involved without some form of government/organized crime support.

    I expect this will blow over very quickly for Thawte. They appear to have procedures in place to tie specific certs to specific individuals, will no doubt already have revoked the certificates concerned, and we can probably expect some explanatory notice to be published in the next few days to explain their version of events; there really isn't much more they could have done in the face of a rogue employee. They should also be handing what evidence they have over to law enforcement for potential prosecutions, which could get interesting if the individuals involved were indeed working at the behest of a US security agency...

    --
    UNIX? They're not even circumcised! Savages!