Slashdot Mirror


Google Threatens Action Against Symantec After Botched Investigation (itworld.com)

itwbennett writes: Through its acquisition of Verisign's authentication business unit in 2010, Symantec became one of the largest certificate authorities (CAs) in the world. In September of this year, Google discovered that Symantec had issued a pre-certificate for google.com without its knowledge. Symantec's initial investigation of the incident determined that 23 test certificates had been issued for domain names belonging to Google, Opera and three other unnamed organizations. But Google quickly found additional unauthorized certificates that Symantec missed. Now, Google wants Symantec to disclose all certificates issued by its SSL business going forward.

16 of 95 comments

  1. Inside job? by campuscodi · · Score: 2

    Since the first time I read about this I thought it was an inside job. Symantec should just fess up and admit it. There's no shame in it.

  2. Symantec is a sales organization by vvaduva · · Score: 5, Insightful

    Symantec has stopped being a "security company" long ago and has become a massive sales organization focused on little more than quarterly results rather than quality products. They've ruined PGP...Verisign is next. Who knows what else they are working on destroying?

    1. Re:Symantec is a sales organization by vvaduva · · Score: 2

      A lot of the senior PGP developers are long gone. The product was split into several smaller pieces to help their bottom line, like e-mail encryption, disk encryption and their file encryption tools. Most people looking to buy the commercial version of PGP don't even know WHAT to buy simply because their marketing and sales lingo is so deliberately confusing.

  3. So the trusted middleman is no longer trusted? by Anonymous Coward · · Score: 5, Insightful

    Seriously, the whole point of a CA is that it's a *trusted* party... who trusts them these days? How can they still claim a piece of this business pie???

    1. Re:So the trusted middleman is no longer trusted? by Coren22 · · Score: 2

      The problem is you need to be able to say OK to multiple different certs per domain due to load/site balancers.

      Actually, no you don't. In a situation like that, you should be using a SAN (Subject Alternative Name) certificate with all the names you intend to use, or just the single name (like https://www.google.com/) you want the load balancer to answer. You also could use self-signed behind the balancer, or no SSL at all, depending on settings.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  4. Re:How did Google discover this? by Todd+Knarr · · Score: 4, Informative

    No. It means every CA has to have a log of every EV certificate it's issued, and Chrome is checking any purported-EV certificate it sees against the issuing CA's list. If the certificate really is a valid EV certificate, it'll be in the list. I presume that if the certificate isn't a valid EV certificate (i.e. it's not found in the list) and you've got the "Automatically report details of possible security incidents to Google" setting turned on (the default) it sends the error report back to Google for analysis. All of that's perfectly reasonable, and Google only sees information about certificates that're lying about their EV status.

  5. Why did they need the certificates? by Todd+Knarr · · Score: 4, Insightful

    I'd wonder why they needed test certificates at all? For any testing of their systems and software they could use fake domains and organizations located under a domain they own and use just for that purpose (I used the .ttk TLD for that sort of thing for years, back before the gTLD flood). If they were testing issuing of certificates to specific organizations, there wouldn't be any need for them to ever get to servers. I can think of no good reason Symantec would need to have certificates issued to Google, and several bad reasons why an antivirus product would want a certificate that'd be accepted as a genuine certificate for a Web site.

    1. Re:Why did they need the certificates? by athmanb · · Score: 2

      There are reasons for creating fake certificates, like when you want to sniff your own HTTPS traffic to aid with web debugging. But what Symantec never should've done is use their proper CA for that. They should've used an internal CA that their own computers trust but nobody outside knows about, like any company does that can't just walk across the office and get a "real" certificate from Frank.

  6. Re:Self Signed by Anonymous Coward · · Score: 3, Insightful

    If you are running a utility like Convergence or Perspectives to monitor certificates, I'll buy your solution. Otherwise, you're just setting yourself up for a MITM attack.

  7. Certs for NSA to spy on google by ealbers · · Score: 3, Insightful

    The certificates were used for man in the middle attacks, to decrypt google stuff before it got to them by the NSA.

  8. What is a pre-certificate? by LordKronos · · Score: 3, Insightful

    Sorry, but I have no clue what a pre-certificate is. Google search doesn't seem to help me either.

    1. Re:What is a pre-certificate? by Zeinfeld · · Score: 3, Informative

      A pre-certificate is created for use in the Certificate Transparency system. Introducing pre-certificates allows the CT log proof to be included in the certificate presented to an SSL/TLS server.

      The CT system generates a proof that a pre-certificate has been enrolled in it. The proof is then added to the pre-certificate as an extension and the whole thing signed with the production key to make the actual certificate.

      If the CT system logged the actual certificate, the proof of enrollment would only be available after the certificate had been created.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/

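
The pre-certificate flow Zeinfeld describes above (and the log check Todd Knarr mentions in comment 4) can be walked through end to end in code. The following Go program is an added example for this mirror, not code from the original discussion, from Google, Symantec or the CT project; it uses only the Go standard library. It plays all three roles: a constructed CA issues a pre-certificate carrying the critical RFC 6962 poison extension, a constructed log signs an SCT over that pre-certificate, and the CA then issues the final certificate with the SCT embedded. The SCT encoding is a simplified version of the RFC 6962 precert entry (it signs the pre-certificate's TBSCertificate as-is instead of stripping the poison and prefixing the issuer key hash), and the name, dates and serials are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"math/big"
	"time"
)

// RFC 6962 OIDs: the critical poison marks a precertificate; the SCT list carries the log's proof.
var (
	oidCTPoison  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	oidCTSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// Issuance holds what the parties end up with (everything here is constructed for the example).
type Issuance struct {
	CA, Precert, Final *x509.Certificate
	LogKey             *ecdsa.PublicKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures a real CA would report as errors
	}
	return v
}

// mint signs tmpl with signer under parent and parses the DER back into a Certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// sctDigest is what the log signs: a simplified RFC 6962 precert entry over the timestamp and the precert TBS.
func sctDigest(timestamp uint64, precertTBS []byte) []byte {
	entry := binary.BigEndian.AppendUint64([]byte{0, 0}, timestamp) // version v1, certificate_timestamp
	entry = append(append(entry, 0, 1), precertTBS...)              // entry_type precert_entry, then TBS
	sum := sha256.Sum256(entry)
	return sum[:]
}

// IssueWithCT runs the flow from the thread: poisoned precert, SCT from the log, final cert with the SCT.
func IssueWithCT(dnsName string) *Issuance {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, leafKey, logKey := newKey(), newKey(), newKey()
	notBefore := time.Date(2015, 10, 1, 0, 0, 0, 0, time.UTC) // constructed validity start
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CT Demo Root (constructed)"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Precert and final cert share serial, names, key and validity; only the CT extension differs.
	leaf := func(ext pkix.Extension) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
			NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 3, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtraExtensions: []pkix.Extension{ext}}
	}
	// Step 1: the precertificate, poisoned so that no client accepts it as a server certificate.
	precert := mint(leaf(pkix.Extension{Id: oidCTPoison, Critical: true, Value: asn1.NullBytes}), ca, &leafKey.PublicKey, caKey)
	// Step 2: the log records the precert and returns an SCT (here: timestamp || ECDSA signature).
	timestamp := uint64(notBefore.UnixMilli())
	sig := must(ecdsa.SignASN1(rand.Reader, logKey, sctDigest(timestamp, precert.RawTBSCertificate)))
	sctValue := must(asn1.Marshal(append(binary.BigEndian.AppendUint64(nil, timestamp), sig...)))
	// Step 3: the final certificate embeds the SCT; this is what the server presents to clients.
	final := mint(leaf(pkix.Extension{Id: oidCTSCTList, Value: sctValue}), ca, &leafKey.PublicKey, caKey)
	return &Issuance{CA: ca, Precert: precert, Final: final, LogKey: &logKey.PublicKey}
}

// AcceptedForTLS reports whether cert chains to ca as a server certificate for dnsName.
func AcceptedForTLS(cert, ca *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName, CurrentTime: cert.NotBefore.Add(time.Hour)})
	return err == nil
}

// VerifySCT does what an auditor holding the precert can do: check the embedded SCT against it.
func VerifySCT(iss *Issuance) error {
	var sct []byte
	for _, ext := range iss.Final.Extensions {
		if ext.Id.Equal(oidCTSCTList) {
			if _, err := asn1.Unmarshal(ext.Value, &sct); err != nil {
				return err
			}
		}
	}
	if len(sct) < 9 || !ecdsa.VerifyASN1(iss.LogKey, sctDigest(binary.BigEndian.Uint64(sct[:8]), iss.Precert.RawTBSCertificate), sct[8:]) {
		return errors.New("no SCT, or its signature does not match the precertificate")
	}
	if iss.Final.SerialNumber.Cmp(iss.Precert.SerialNumber) != 0 {
		return errors.New("final certificate and precertificate carry different serial numbers")
	}
	return iss.Final.CheckSignatureFrom(iss.CA)
}
```

Running IssueWithCT and the two checks shows the point of the thread: the pre-certificate is refused by the X.509 verifier because of the critical poison extension it does not understand, so it is not usable on a server by itself, while the final certificate verifies and its embedded SCT checks out against the pre-certificate the log retained. The ordering is what makes the embedded proof possible: the log has already signed over the certificate's content before the CA produces the final signature.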
  9. Re:better option...forget Symantec by Coren22 · · Score: 2

    Who would you recommend instead? Thawte? GoDaddy? Is there anyone that can be trusted in this industry anymore?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  10. Re:Self Signed by squiggleslash · · Score: 2

    Because a so-called "self signed" certificate (that is, one that is lacking a signature from a CA) is one nobody you've programmed your browser to trust stands behind.

    That's the only difference between certificates that give you warnings, and certificates that don't. If I go to www.bankofsquiggleslash.com, I'd kinda like to know that the certificate is likely to be genuine without having to phone them up and ask for an MD5sum. And, not surprisingly, the bank would also like me to know that, as they wouldn't be able to field all the calls otherwise.

    --
    You are not alone. This is not normal. None of this is normal.

  11. Re:Self Signed by cheater512 · · Score: 2

    DANE (https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) would make self-signed certificates seamless and virtually flawless.

  12. Re:Self Signed by AK+Marc · · Score: 2

    Well, the discussion was between central CAs and self-signing.

    What do you see the choices as?