Certificate Transparency may be good for the internet, but it hasn't been kind to Symantec's certificate authority...
Having arguably learned nothing after being sanctioned by Google in late 2015 for improperly issuing certificates, Symantec was discovered again to be in violation of one of the key rules of the certificate authority club: Don't issue certificates for testing.
"I found 108 bad certificates in this incident," Andrew Ayer, founder of SSLMate, an SSL certificate management service based in Orinda, Calif., told SearchSecurity by direct message. "Nine of them contained at least one domain name that was not validated (covering 15 distinct domains in total). The other 99 contained a company name that was not validated."
Ayer wrote that the certificates in question -- issued between July 14, 2016, and Jan. 18, 2017 -- were likely improperly issued for several reasons, including "the subject [distinguished names] contain clearly bogus values," as well as the large number of certificates issued with attributes containing the word test.
Although the certificates with unvalidated domain names had all been revoked, Ayer said some of the certificates with unvalidated company names had not yet been revoked when he discovered them.
The unvalidated domain names for which certificates were improperly issued include example.com, a reserved domain that should never be assigned or routed, as well as domains test.com, test11.com, and test1.com through test9.com.
"The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matter," wrote Steve Medin, PKI policy manager at Symantec Corp., in a response to Ayer's report. "We revoked all reported certificates which were still valid that had not previously been revoked within the 24-hour [CA/Browser Forum] guideline."
The CA/Browser Forum is an industry consortium promoting the use of digital certificates, composed of certificate authorities and software vendors; its guidelines permit a certificate authority 24 hours to revoke improperly issued certificates from the time the CA becomes aware of them.
Medin noted that these certificates each had the organization attribute set to "test." A Symantec spokesperson told SearchSecurity that Symantec is "still investigating the situation, so it is premature to speculate until we have more facts."
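As an added illustration (not part of the article, nor tooling from SSLMate or Symantec), the Python script below applies the triage heuristics the article describes to constructed, simplified certificate records: subject DN values containing the whole word "test", subject alternative names under an RFC 2606 reserved domain such as example.com or under a test/testN label, and whether a flagged certificate was revoked within the 24-hour CA/Browser Forum window. The record layout, the sample entries and the report time are assumptions; real CT log entries would be parsed from the log's certificate data.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESERVED_NAMES = {"example.com", "example.net", "example.org"}  # RFC 2606: never legitimately issued
TEST_LABEL = re.compile(r"^test\d*$")      # second-level label test, test1 ... test11, as in the article
REVOCATION_WINDOW = timedelta(hours=24)    # CA/Browser Forum revocation guideline cited in the article

@dataclass
class CtEntry:  # constructed, simplified view of one logged certificate, not real CT log data
    serial: str
    subject: dict                  # subject DN attributes, e.g. {"O": "test", "CN": "test1.com"}
    sans: list                     # subjectAltName DNS names
    revoked_at: Optional[datetime] = None

def suspicious_attributes(entry: CtEntry) -> dict:
    """Subject DN values containing the whole word 'test' (so 'Contest Hosting' is not a hit)."""
    return {k: v for k, v in entry.subject.items() if re.search(r"\btest\b", v, re.I)}

def suspicious_names(entry: CtEntry) -> list:
    """SANs under an RFC 2606 name or a test/testN label; registrable domain approximated as last two labels."""
    flagged = []
    for name in entry.sans:
        labels = name.lower().split(".")
        if len(labels) >= 2 and (".".join(labels[-2:]) in RESERVED_NAMES or TEST_LABEL.match(labels[-2])):
            flagged.append(name)
    return flagged

def triage(entries: list) -> dict:
    """Serial -> findings for every entry that trips a heuristic; a lead for a human check, not proof."""
    findings = {}
    for e in entries:
        attrs, names = suspicious_attributes(e), suspicious_names(e)
        if attrs or names:
            findings[e.serial] = {"attributes": attrs, "names": names}
    return findings

def late_revocations(entries: list, reported_at: datetime = datetime(2017, 1, 19, 12, 0)) -> list:
    """Flagged serials not revoked within 24 hours of the (constructed) report time: never revoked, or too late."""
    flagged = triage(entries)
    return [e.serial for e in entries if e.serial in flagged
            and (e.revoked_at is None or e.revoked_at - reported_at > REVOCATION_WINDOW)]

# Constructed sample: one reserved-domain cert, one unvalidated-organisation cert, one clean cert.
SAMPLE = [
    CtEntry("01", {"O": "test", "CN": "www.example.com"}, ["www.example.com", "example.com"], revoked_at=datetime(2017, 1, 20, 10, 0)),
    CtEntry("02", {"O": "Test Corp", "CN": "test3.com"}, ["test3.com"]),
    CtEntry("03", {"O": "Contest Hosting LLC", "CN": "www.contest-hosting.net"}, ["www.contest-hosting.net"]),
]
```

Running `triage(SAMPLE)` flags serials 01 and 02 and leaves 03 alone; `late_revocations(SAMPLE)` returns only 02, the certificate that was still valid after the window. Hits are leads to verify against the CA's validation records, since a legitimate organisation can have "Test" in its name.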
"I am unimpressed by Symantec's response so far," Ayer said. "They're trying to deflect responsibility by saying a partner messed up, not them. However, they should not be allowing partners to perform domain control validation, which is one of the most security-critical things a CA does. If a CA outsources domain control validation, they outsource their reputation, and this incident reflects just as poorly on Symantec as if they had messed up the validation themselves."
Symantec is already "on probation" for issuing certificates improperly in September 2015, when it was first caught by Google using the Certificate Transparency log. Google imposed sanctions on Symantec as a result of that incident, including mandatory use of Certificate Transparency for all certificates being issued, as well as third-party audits of their operation.
Starting in October, Google will require Certificate Transparency logging for all publicly trusted website certificates if they are to be trusted by Google Chrome.