alphaspirit - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Google slams Symantec over Certificate Transparency trouble

Google demands Certificate Transparency for all Symantec-issued certificates in wake of last month's escalating disclosures about fake "testing" certificates.

After last month's discovery that Symantec improperly issued Extended Validation certificates for domains they did not own -- including two Google domains -- Google has taken stern action against the security vendor.

Specifically, Google will  require that Symantec undergo third-party audits and that Symantec's certificate authority (CA) unit support Certificate Transparency for all certificates they issue -- not just extended validation certificates -- starting June 1, 2016, according to a blog post by Ryan Sleevi, software engineer at Google.

Initial reports were that the improperly issued certificates covered domains owned by Google, Opera, and three other unnamed organizations. But after Symantec published its incident report early this month, Google was "still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work."

Symantec updated its incident report on Oct. 12, stating that they had discovered an additional 164 test certificates were inappropriately issued across 76 domains, with an additional 2,458 test certificates issued for unregistered domains.

Symantec updated their report once again the day after Google published their new requests for action, clarifying that "many records included on these lists were, in fact, properly issued certificates," including certificates issued for Symantec-owned domains, certificates issued with authorization of the domain owners and "certificates that were otherwise issued in accordance with the CA/Browser Forum Extended Validation Guidelines or Baseline Requirements."

Certificate Transparency framework

Google's Certificate Transparency project is a framework for monitoring and auditing SSL certificates. Symantec's misissued certificates were discovered through Certificate Transparency log entries of the extended validation certificates that had not been authorized by Google. Google has required all extended validation certificates be logged in the Certificate Transparency system since Jan. 1, 2015.

While modern browsers can detect forged or faked SSL certificates relatively easily, they cannot detect certificates issued mistakenly or maliciously through a compromised certificate authority. Certificate Transparency provides a way for domain owners to detect when a domain has been improperly issued, for example, for use in a phishing attack.

"I am thrilled that this discussion is taking place," said Trell Rohovit, CEO of authentication vendor Hydrant ID in Salt Lake City. "There have to be these independent, third-party checks and balances and systems, and this issue with Symantec has highlighted the fact that the first time we put one out there -- Google Transparency -- well guess what? We're starting to find things, and we can improve on those things and make it better."

The CA industry has done a stalwart job of securing the Internet, but it's time for them to put their big-boy pants on and become a real industry, with real checks and balances.
Trell RohovitCEO of Hydrant ID

According to Symantec, "there is no evidence that any harm was caused to any user or organization," and the improperly issued certificates were revoked and expired without ever having left Symantec's testing facility.

"I don't know if there were any damages or real implications, and I think Google is trying to get to the bottom of what took place at Symantec," Rohovit said of Symantec's misstep. "In every business, in every walk of life, mistakes happen, things happen. I think the real question here is for Symantec and for all certificate authorities is to really have a solid grasp on what your assurance levels and what your controls are in this industry."

Malicious breaches of certificate authorities have occurred before, including to Dutch CA DigiNotar and to N.J.-based CA Comodo, both in 2011. According to Rohovit, "the CA industry has done a stalwart job of securing the Internet, but it's time for them to put their big-boy pants on and become a real industry, with real checks and balances."

In other news:

  • According to a CompTIA report released this week, Cyber Secure: A Look at Employee Cybersecurity Habits in the Workplace, employees willingly expose their organizations with a variety of risky behaviors, for example, by connecting their laptop or mobile to public Wi-Fi networks (94%), or using their work mobile device for personal activities (63%). To determine the likelihood that an attacker could breach an air-gapped network, CompTIA even commissioned an unusual "social experiment" to see how easily malware could infect users via a found USB stick -- the presumed vector for the Stuxnet attack on Iran's nuclear infrastructure. The researchers discovered that 17% of consumers who found a USB stick in a public place would stick it in their computers. Meanwhile, Secunia reported their own research, revealing, among other things, that 5.5% of the applications found on PCs in the U.S. are so old they no longer receive security updates from the vendor; that 55% of U.S. PC users had Apple QuickTime 7 installed, of which only 39% had patched the program; and that 10.7% of U.S. users had an unpatched operating system.
  • This week, the Librarian of Congress released its triennial fair-use copyright exemptions to the Digital Millennium Copyright Act. The Electronic Frontier Foundation noted that the exemptions granted include "ripping DVDs and Blu-rays for making fair use remixes and analysis; preserving video games and running multiplayer servers after publishers have abandoned them; jailbreaking cell phones, tablets and other portable computing devices to run third-party software; and security research, and modification and repairs on cars."
  • HTTP Strict Transport Security (HSTS) is apparently not so strict or secure. Sniffly, from independent researcher Yan Zhu, is an attack that "abuses" HSTS into allowing websites to sniff users' browsing history. HSTS was designed to enable "websites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections."
  • Tor .onion domains are now officially separate from the "regular" Internet. With publication of RFC 7686, .onion domains are off limits to DNS, joining other reserved top-level domains ".example," ".invalid," ".localhost" and ".test." Submitting .onion domains to DNS would "leak" the information that the user is attempting to access Tor, and would defeat the purpose of Tor anonymity.
  • Diebold Inc. has announced a headless, PINless and cardless ATM, code-named Irving -- after Washington Irving's headless horseman character -- with no card scanner, keypad or display. Customers authenticate and interact with their accounts through their own smartphone, and authentication at the dispensing ATM is done "via Near Field Communication, Quick Response Code or biometrics."

Next Steps

Learn about private and public options for CA deployment with Exchange.

Understand the implications of moving public key infrastructure to the cloud.

Find out more about public key infrastructure.

Dig Deeper on PKI and digital certificates