Symantec staff improperly generated Extended Validation digital certificates for Google domains. The certificates were created for testing purposes, and neither Symantec nor Google believed users were put at risk, but the Symantec staffers still lost their jobs.
"These certificates did not leave Symantec's secure testing labs, and did not affect the security or privacy of any user or organization," said Noah Edwardsen, senior manager corporate communications at Symantec Corp., based in Mountain View, Calif.
Google discovered the improper certificates, including those for the google.com and www.google.com domains, when they were posted to the Certificate Transparency log.
As for the terminations, Edwardsen said, "As a leading certificate authority, we hold ourselves to the highest standards and this type of testing was a violation of our own internal policies."
In a blog post titled "A Tough Day as Leaders," Symantec officials Quentin Liu and Charlene Mike-Billstrom stated, "… we discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies. Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process."
Stephan Somogyi, security and privacy product manager at Google, and Adam Eijdenberg, Certificate Transparency product manager at Google, reported that, "On September 14, around 19:20 GMT, Symantec's Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google."
A Certificate Transparency log is a public, append-only record of issued certificates. When a CA issues a certificate that it intends to log, it first builds a "pre-certificate": the same certificate carrying a critical "poison" extension that prevents any client from accepting it as a real certificate. The CA submits the pre-certificate to one or more log servers, each of which answers with a signed certificate timestamp (SCT), the log's promise to publish the entry. The CA then issues the final certificate with the poison extension removed and the SCTs embedded, so the pre-certificate is visible in the log before the real certificate exists. Extended Validation certificates additionally require the CA to verify the identity of the requesting organization and its authorization for the requested names. Because the entry becomes public at submission time, an organization that monitors the logs can spot a certificate for its own domains that it never requested.
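The mechanism above, as an added example that is not code from the article, Symantec or Google: the Go program builds a throwaway CA, issues a one-day pre-certificate for google.com and www.google.com carrying the real RFC 6962 poison extension, and runs the two checks a log monitor would run. First, does an entry name our domains with a public key that is not in our own issuance records? Second, would a client accept the pre-certificate if it ever left the lab? The CA, keys, serial numbers and the allowlist of our own public keys are constructed for the example; only the extension OID is the real RFC 6962 value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Poison extension OID from RFC 6962 section 3.1 (a real value).
var OIDPrecertPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}

func must[T any](v T, err error) T { // panic on error to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// IsPrecert: RFC 6962 makes the poison extension critical so no client accepts a pre-certificate as real.
func IsPrecert(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(OIDPrecertPoison) && e.Critical {
			return true
		}
	}
	return false
}

// SPKIHash keys a certificate by its public key, which stays stable across serial numbers.
func SPKIHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// FindUnauthorized is the monitor: flag every entry naming our domains whose key is not in our own issuance records.
func FindUnauthorized(entries []*x509.Certificate, ourDomains []string, authorizedSPKI map[string]bool) []*x509.Certificate {
	var hits []*x509.Certificate
	for _, c := range entries {
		for _, n := range c.DNSNames {
			if slices.Contains(ourDomains, n) && !authorizedSPKI[SPKIHash(c)] {
				hits = append(hits, c)
				break
			}
		}
	}
	return hits
}

// ChainsToRoot mimics client path validation. Like a browser, Go rejects any certificate with an
// unknown critical extension, so a leaked pre-certificate is unusable even within its day of validity.
func ChainsToRoot(c, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// issue signs a one-day certificate with a fresh P-256 key: a self-signed throwaway CA when parent
// is nil, otherwise a leaf for names, carrying the critical poison extension (ASN.1 NULL) if precert.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, names []string, precert bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // CA: no SANs, may sign certificates, signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, parent, parentKey = nil, tmpl, key
	}
	if precert {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: OIDPrecertPoison, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RunScenario replays the incident in miniature: our legitimate certificate and an unauthorized
// pre-certificate for the same names both reach the log, and the monitor compares against our allowlist.
func RunScenario() (hits []*x509.Certificate, precertChains, finalChains bool) {
	ca, caKey := issue(nil, nil, 1, []string{"Throwaway Test CA"}, false)
	names := []string{"google.com", "www.google.com"}
	legit, _ := issue(ca, caKey, 2, names, false)
	rogue, _ := issue(ca, caKey, 3, names, true)
	hits = FindUnauthorized([]*x509.Certificate{legit, rogue}, names, map[string]bool{SPKIHash(legit): true}) // allowlist: our own issuance records
	return hits, ChainsToRoot(rogue, ca, "google.com"), ChainsToRoot(legit, ca, "google.com")
}

func main() {
	hits, p, r := RunScenario()
	fmt.Printf("monitor flagged %d entry(s); pre-cert validates: %v; real cert validates: %v\n", len(hits), p, r)
}
```

Run with `go run .`: the monitor flags only the pre-certificate (serial 3), which fails path validation because of the critical poison extension, while the legitimately issued certificate chains cleanly. A production monitor would feed `FindUnauthorized` with entries fetched from the logs rather than certificates minted locally; keying the allowlist on the public key rather than the serial number mirrors Google's remark about adding the misissued certificate's public key to Chrome's revocation metadata.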
Google discovered the unauthorized issuance through the Certificate Transparency logs. Google has required Extended Validation certificates to be logged since Jan. 1, 2015: Chrome does not show the EV indicator for an EV certificate issued after that date unless it carries proof of logging.
"We have updated Chrome's revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day. Our primary consideration in these situations is always the security and privacy of our users; we currently do not have reason to believe they were at risk," wrote Somogyi and Eijdenberg.
Edwardsen echoed Google on the safety of the situation. "These test certificates were never released outside of Symantec's internal testing environment, and were never visible to any end user. Reports about one of these certificates being 'found in the wild' are inaccurate. Google observed information about a certificate because it was posted in their Certificate Transparency log, which we routinely contribute information to as standard practice," Edwardsen said.
According to Trell Rohovit, CEO of Hydrant ID in Salt Lake City, all of this proves that the process has proper checks and balances.
"Certificate transparency is working," Rohovit said. "Those certificates got posted to an independent log, through which Google … was aware, because they monitor those logs, that there was a certificate issued in their name that was not an approved certificate. So, that's a good thing: Certificate transparency is working."