Google has finally drawn the line Symantec must toe if it wants to retain the tech giant's blessing. Never one to mince words, Google has issued Symantec a clear ultimatum: unless the firm publicly logs the certificates it issues, Chrome may brand sites using them as "unsafe".
The move is fallout from the September fiasco, in which Symantec fired a number of employees who, in a fit of rarely seen generosity, had issued transport layer security (TLS) certificates for Google's own domains without the authorization of either Google, the domain owner, or Symantec itself, which is precisely the check a certificate exists to vouch for. Talk about employees taking the initiative, eh?
The importance of these certificates comes down to one fact: browsers trust any certificate that chains to a root such as Symantec's. If certificates for Google's domains could be obtained without the usual domain-validation checks, an attacker holding one could impersonate Google pages, which are normally under the protective umbrella of HTTPS, and the padlock in the address bar would look perfectly genuine.
The consequences of such an issuance would be a hacker's joyride. Combined with a position on the network path (a rogue Wi-Fi hotspot, a compromised router), a trusted certificate lets the attacker read and alter supposedly encrypted traffic: stealing sensitive data like your credit card details, putting people under surveillance, hijacking sessions, stealing passwords. In short, virtual chaos!
And in the unlikely scenario that something like this did happen, it would be Google's users bearing the damage and Google's name on the impersonated pages, even though the fault would lie with the CA. That explains the outburst aimed at Symantec.
In this case, the discrepancy was a Thawte-branded Extended Validation (EV) pre-certificate for google.com and www.google.com. Google spotted it in the Certificate Transparency logs, which Chrome has required for EV certificates since the start of 2015, and Symantec revoked it promptly; since a pre-certificate carries a poison extension that browsers reject, it was unlikely to have been usable in an attack. All well and good. But one thing led to another, and Symantec's full enquiry revealed 23 test certificates issued without permission for domains belonging to others, and 2,458 certificates issued for domains that were never registered.
Symantec, however, maintains that these certificates were harmless. In its own words:
These test certificates never posed a risk to anyone or any organization, as the certificates never left Symantec's secure test labs or the QA test machine, and they were never visible to any end-user.
Moreover, the test certificates were never used on the QA test machine. Finally, the private keys associated with the test certificates were all destroyed as part of the testing tool that was used to enroll for the test certificates.
Google, though, has other thoughts on the matter. As per a blog post by Ryan Sleevi, Software Engineer at Google:
However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.
While Symantec may feel that no harm was done, the possibility was certainly there, and given the potential for harm, allowing such practices to continue would be an online disaster waiting to happen. Google thinks so too and is putting up safeguards to minimise the risk of a repeat, starting with requiring Symantec certificates to support Certificate Transparency.
We are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.
Failing which, Chrome may flag the site as unsafe, which is usually enough to make most people hit the back button. In concrete terms, a certificate satisfies the requirement when it comes with Signed Certificate Timestamps (SCTs) from qualifying public logs, normally embedded in the certificate itself at issuance; Chrome's policy also accepts SCTs delivered in the TLS handshake or via stapled OCSP responses. Logging also means that anyone, the domain owner included, can search the logs for certificates they never asked for, which is exactly how the Thawte pre-certificate was caught.
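As an added example (not code from the page, from Google, or from Symantec), the following Go program shows the two technical checks behind this dispute: what a client enforcing the Certificate Transparency requirement actually looks for in a certificate, and how a domain owner uses log entries to spot an issuance it never ordered. It builds its own throwaway CA and certificates with Go's standard crypto/x509 package, using example.com in place of google.com and two made-up CA names; the embedded SCT list is an empty placeholder, so only the presence of the RFC 6962 extensions is checked, not the log signatures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RFC 6962 OIDs: the embedded SCT list of a final certificate, and the critical "poison" extension that makes browsers reject a pre-certificate.
var (
	oidEmbeddedSCTs  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
	oidPrecertPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
)
// ctStatus classifies a certificate as a client enforcing an embedded-SCT policy would (SCTs sent in the TLS handshake or by OCSP stapling are not visible here).
func ctStatus(c *x509.Certificate) string {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidPrecertPoison) {
			return "pre-certificate" // never valid for TLS, whatever names it carries
		}
		if ext.Id.Equal(oidEmbeddedSCTs) {
			return "embedded SCTs"
		}
	}
	return "no SCTs" // fails the policy: browser warning
}

// unauthorizedNames is the domain owner's CT-monitoring check: the SANs of c that fall under
// domains we own, when the issuer is not one of the CAs we actually order certificates from.
func unauthorizedNames(c *x509.Certificate, owned, trustedIssuers []string) []string {
	for _, iss := range trustedIssuers {
		if c.Issuer.CommonName == iss {
			return nil // we ordered it; nothing to flag
		}
	}
	var hits []string
	for _, san := range c.DNSNames {
		for _, d := range owned {
			if san == d || strings.HasSuffix(san, "."+d) {
				hits = append(hits, san)
				break
			}
		}
	}
	return hits
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue makes an ephemeral P-256 key and a certificate for cn/dnsNames signed by parent (self-signed CA when parent is nil). Constructed test material only.
func mustIssue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, dnsNames []string, extra ...pkix.Extension) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), ExtraExtensions: extra,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// buildScenario mirrors the story with constructed certificates: a logged final certificate, its pre-certificate, and an unlogged one from a CA the owner never used.
func buildScenario() (final, precert, rogue *x509.Certificate) {
	names := []string{"www.example.com", "example.com"}
	authCA, authKey := mustIssue(nil, nil, "Constructed Authorized CA", nil)
	otherCA, otherKey := mustIssue(nil, nil, "Constructed Unexpected CA", nil)
	sctList, _ := asn1.Marshal([]byte{0, 0}) // placeholder empty SignedCertificateTimestampList in an OCTET STRING
	final, _ = mustIssue(authCA, authKey, names[0], names, pkix.Extension{Id: oidEmbeddedSCTs, Value: sctList})
	precert, _ = mustIssue(authCA, authKey, names[0], names, pkix.Extension{Id: oidPrecertPoison, Critical: true, Value: []byte{0x05, 0x00}}) // ASN.1 NULL
	rogue, _ = mustIssue(otherCA, otherKey, names[0], names)
	return final, precert, rogue
}

func main() {
	final, precert, rogue := buildScenario()
	for _, c := range []*x509.Certificate{final, precert, rogue} {
		fmt.Println(c.Issuer.CommonName, "|", ctStatus(c), "|", unauthorizedNames(c, []string{"example.com"}, []string{"Constructed Authorized CA"}))
	}
}
```

Run it with go run. The final certificate passes the policy and is not flagged; the pre-certificate is recognised as such; the rogue certificate both fails the CT check and is reported as an unauthorized issuance for www.example.com and example.com. A production monitor would feed unauthorizedNames with certificates parsed from a log's get-entries output, and a production client check would additionally verify each SCT's signature against the log's public key and accept SCTs from the TLS extension and stapled OCSP.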
Google has also asked Symantec to account for its failure to detect the additional certificates Google found, and to update its public incident report with:
Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
Along with corrective steps, with an expected timeline for their application, to prevent occurrences of this nature from happening again. After that, Symantec will be required to undergo a point-in-time assessment of its adherence to:
- WebTrust Principles and Criteria for Certification Authorities
- WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
- WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL
Along with a third-party security audit to assess the claims Symantec made in its report. Since Symantec may have been in damage-control mode when it compiled that report, Google is taking no chances, and the audit will check:
- The veracity of Symantec’s claims that at no time private keys were exposed to Symantec employees by the tool.
- That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
- That Symantec’s audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.
Phew! That is a long list, and Symantec is going to have its hands full for a while. Let's just hope these new measures are enough to prevent incidents of this nature.
This also goes to show that, when it is the internet you are talking about, nothing and no one is infallible.