Mozilla developers posted a summary of 14 separate "confirmed or suspected" issues involving Symantec certificate...
authorities in order to allow Symantec the opportunity to address them all publicly.
Mozilla's list of issues comes on the heels of Google calling out Symantec for improprieties connected to its certificate authority activities -- including distrusting Symantec certificates and requiring nearly all of them to be reissued -- and a defensive Symantec response to Google's proposed CA sanctions.
Symantec had initially responded to Google's announced sanctions by calling Google's actions "irresponsible," and referring to Google's statements about its issuance practices as "exaggerated and misleading."
A Mozilla developer assembled the list of issues concerning Symantec certificate authorities, including test certificate misissuance occurring between 2009 and 2015, issuance of SHA-1 certificates after those had been banned and issues related to the cross-signing of certificate authorities in the U.S. federal public key infrastructure (PKI).
"As we continue to consider how best to react to the most recent incident involving Symantec, and given that there is a question of whether it is part of a pattern of behavior, it seemed best to produce an issues list as we did with WoSign," Gervase Markham, software engineer at Mozilla, wrote in a posting to a Mozilla discussion forum. "This means Symantec has proper opportunity to respond to issues raised and those responses can be documented in one place and the clearest overall picture can be seen by the community."
Symantec did not respond to requests for comment from SearchSecurity.
"Google has correctly identified the things that have gone wrong, and appropriately assessed the severity of the problems. It is particularly concerning to me that Symantec discovered that one of their [registration authorities] was doing a terrible job and, while they demanded remediation, did nothing about existing certificates issued by that RA," Markham commented on last month's forum post announcing Google's intention to distrust Symantec certificates.
"The whole web of trust for HTTPS requires us to trust a few key players -- the root certificate authorities," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga. "I think Google very convincingly makes the case that Symantec is not worthy of that trust."
According to the Symantec issues list posted on the Mozilla wiki, the federal PKI is "an extremely complicated PKI," which "applied for inclusion in the Mozilla root store," but Mozilla deemed it "unlikely ever to be successful due to the difficulty of bringing the entire FPKI in line with Mozilla's policies."
Even so, Symantec has cross-signed two certificate authorities in the FPKI since February 2011, which technically makes Symantec responsible to Mozilla for the certificates issued in that part of the FPKI -- and failing to disclose its intermediate CA certificates, contrary to Mozilla's requirements at the time.
"I think one big part of the story is that they continued to issue SHA-1 certificates after the deadline. We now know that SHA-1 is a bigger deal, and with what we know now, it makes the past transgressions a bigger deal," Williams said. "The issue of cross-signing the federal bridge certificate is also huge."
Markham linked to the full list of Symantec certificate authority issues on a Mozilla wiki, in which all the recent issues with Symantec's CA activities were listed, as well as how its activities failed to comply with relevant standards -- in particular, with the standards set by the CA/Browser Forum Baseline Requirements.
While the improper issuance of SHA-1 certificates and tangled connections with the federal bridge PKI CAs are worrisome, they were not the only issues to raise ire among security professionals.
Williams, referring to an audit report for Symantec partner Certsuperior, for May 1, 2015, through April 30, 2016, called it "an example of where Symantec was signing off on sub-CAs that were a hot mess of network insecurity." The 10-page audit includes eight pages detailing areas where Certsuperior was out of compliance with the CA/Browser Forum standards.
"I don't think that Google can afford not to move forward with the sanctions," Williams said. "What we know now is that Symantec mishandled the trust placed in them for the operation of the CA. The only reason Symantec [certificates] won't be more quickly invalidated is that it would break the internet as we know it ... As for others following Google's lead, I think it's the only responsible thing to do."
Find out more about how Mozilla's deprecation of SHA-1 certificates affects enterprises
Learn more about whether enterprises should use Let's Encrypt certificates
Read about how certificate pinning can improve certificate authority security