Google Threatens Action Against Symantec After Botched Investigation

itwbennett writes: Through its acquisition of Verisign's authentication business unit in 2010, Symantec became one of the largest certificate authorities (CAs) in the world. In September of this year, Google discovered that Symantec had issued a pre-certificate for google.com without its knowledge. Symantec's initial investigation of the incident determined that 23 test certificates had been issued for domain names belonging to Google, Opera and three other unnamed organizations. But Google quickly found additional unauthorized certificates that Symantec missed. Now, Google wants Symantec to disclose all certificates issued by its SSL business going forward.

Symantec is a sales organization

[vvaduva]

Symantec has stopped being a "security company" long ago and has become a massive sales organization focused on little more than quarterly results rather than quality products. They've ruined PGP...Verisign is next. Who knows what else they are working on destroying?

Self Signed

I can't believe people would trust anything other than self signed certificates.

I do not understand what is so scary about a message saying, "hey, you've never been to this SSL domain before and it has a self signed certificate. A self signed certificate means that the owner of the domain created a certificate which is used to encrypt communications between your browser and the domain. In order to browse this site you must accept this certificate however you must be sure that this is the domain which you intended. Click here to read more about Self Signed Certificates..."

Then get rid of trusted (obviously no such word) certificate authorities and do it like SSH has been for decades.

If people are that concerned about the first visit to a site, just call your friend in some other location and have that person confirm that the certificate is the same that they are using.

It's a huge waste of time how it works now, but I suppose it keeps a lot of people in business.

Re:Self Signed

If you are running a utiliy like Convergence or Perspectives to monitor certificates, I'll buy your solution. Otherwise, you're just setting yourself up for a MITM attack.

Re:Self Signed

who trusts google?

The issue isn't whether you trust Google, the issue is whether, when you go to a Google website, you can actually trust that that is a Google website.

If you don't trust Google, don't go to Google websites, and this specific case won't affect you. BUT, given who Google is, this brings into question *all* website certs issued by this company.

So the trusted middleman is no longer trusted?

Seriously, the whole point of a CA is that it's a *trusted* party... who trusts them these days? How can they still claim a piece of this business pie???

Wny did they need the certificates?

[Todd+Knarr]

I'd wonder why they needed test certificates at all? For any testing of their systems and software they could use fake domains and organizations located under a domain they own and use just for that purpose (I used the .ttk TLD for that sort of thing for years, back before the gTLD flood). If they were testing issuing of certificates to specific organizations, there wouldn't be any need for them to ever get to servers. I can think of no good reason Symantec would need to have certificates issued to Google, and several bad reasons why an antivirus product would want a certificate that'd be accepted as a genuine certificate for a Web site.

Certs for NSA to spy on google

[ealbers]

The certificates were used for man in the middle attacks, to decrypt google stuff before it got to them by the NSA.

What is a pre-certificate?

[LordKronos]

Sorry, but I have no clue what a pre-certificate is. Google search doesn't seem to help me either.