I have said many times that our current model of trusting a third party to assert your identity is stupid and prone to abuse. Well, the owner of Verisign (Symantec) has been making master certs for powerful domains like google.com and others. This allows them to assert their network is actually Google instead of Google’s network being the real Google.
Google has read the riot act to Symantec, scolding the security biz for its slapdash handling of highly sensitive SSL certificates.
In September it emerged that Symantec’s subsidiary Thawte generated a number of SSL certs for internal testing purposes.
One of these certificates masqueraded as a legit cert for Google.com, meaning it could be used to trick web browsers into thinking they had connected to Google’s site when really the browser had connected to a potentially malicious server.
The Chocolate Factory discovered the rogue cert using its Certificate Transparency project, and it was furious: Google never gave Thawte permission to generate the certificates, and was irked by Symantec’s sloppiness.
Thawte insisted the rogue certificates never at any point left the lab, and that no one outside the company had obtained copies of the SSL certs.
So let’s see the issues in this paragraph. Symantec says none of the certificates escaped. This means that either they actually DID escape or these folks had Google browsers installed on their internal, INTERNET-accessible machines and Google found the certificates that way. Either way, the certificates were available for release.
“It’s obviously concerning that a certificate authority would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,” Sleevi said on Wednesday.
“Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.”
If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong. This Symantec has now done (you can read it here), but the biz has more hoops to jump through if it wants Chrome to accept its certificates going forward.
Symantec will also need to give Google a detailed timeline for the process behind the creation of each certificate and a list of things it will do to make sure it doesn’t happen again. Since this involves confidential information, Google won’t be making that information public.
In addition, Symantec must hire a third-party security auditor to conduct a full audit and check that private keys have not been exposed and that auditing software works as specified. In addition, the auditors will ensure that Symantec is compliant in the following areas:
- WebTrust Principles and Criteria for Certification Authorities
- WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security
- WebTrust Principles and Criteria for Certification Authorities – Extended Validation
If Symantec bungles this second chance, come June 2016, Google Chrome and other Google apps will warn netizens not to trust any websites that use new Symantec-backed certificates.
So Symantec has to jump through some hoops to make sure it has fixed its security, or Google will blacklist ALL of their certificates, which is what SHOULD happen. Read the remaining bits, as other browsers like Mozilla are upset and are thinking about also blacklisting Symantec if these issues continue.
The easiest way to fix this: use only self-signed certificates, or use a new concept called certificate notaries, as noted by Moxie Marlinspike.
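Two of the checks this story turns on can be automated by anyone who runs a domain: the Certificate Transparency filter that flagged the Thawte cert (does a logged certificate claim a name I own, and does it carry SCTs as Chrome now demands?) and the pinning check that lets a client decide for itself which key is "Google" rather than trusting a CA's say-so. The Go program below is an added example written for this post; it is not Google's, Symantec's, or Moxie Marlinspike's code. It builds its own self-signed test certificates (constructed data, with a placeholder SCT extension body that only exercises the presence check) so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SCT list extension (RFC 6962, section 3.3). A certificate
// that "supports Certificate Transparency" in the sense Chrome enforces carries
// SCTs here (or delivers them in the TLS handshake or a stapled OCSP response).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// HasEmbeddedSCTs reports whether the certificate carries the SCT list extension.
// It checks presence only; verifying the log signatures inside is a separate step.
func HasEmbeddedSCTs(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true
		}
	}
	return false
}

// CoversName is the filter a CT log monitor applies to every logged certificate:
// does this cert claim a name under a domain we own? Wildcard SANs are honoured
// by the standard library's hostname matching.
func CoversName(cert *x509.Certificate, watched string) bool {
	return cert.VerifyHostname(watched) == nil
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the HPKP-style pin value.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// MatchesPin reports whether the certificate's key is one of the pinned keys.
// A CA-issued cert for the right name but the wrong key fails here.
func MatchesPin(cert *x509.Certificate, pins []string) bool {
	got := SPKIPin(cert)
	for _, want := range pins {
		if want == got {
			return true
		}
	}
	return false
}

// NewTestCert builds a self-signed certificate for dnsName (constructed test data,
// not a real issued certificate). With withSCT set it attaches an SCT extension whose
// body is a placeholder: an OCTET STRING holding an empty SCT list, enough to
// exercise the presence check. Real SCTs are signed by CT logs.
func NewTestCert(dnsName string, withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id:    oidSCTList,
			Value: []byte{0x04, 0x02, 0x00, 0x00}, // placeholder: empty SCT list
		}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// The key we actually run the site with, and a second cert for the same
	// name from a different key: the shape of what a CT monitor surfaces.
	ours, _ := NewTestCert("www.example.com", true)
	other, _ := NewTestCert("www.example.com", false)
	pins := []string{SPKIPin(ours)}
	for _, c := range []*x509.Certificate{ours, other} {
		fmt.Printf("covers our name=%v  has SCTs=%v  key pinned=%v\n",
			CoversName(c, "www.example.com"), HasEmbeddedSCTs(c), MatchesPin(c, pins))
	}
}
```

Run against a real CT log feed, CoversName is the triage step (is this cert for a name I own and did I request it?), HasEmbeddedSCTs is the policy Chrome started enforcing on Symantec, and MatchesPin is the client-side answer to the post's complaint: with a pin, a cert for your name from any CA but with a key you did not generate is rejected no matter who signed it.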