Thursday 29 October 2015

Google Punishes Symantec for Tampering With SSL Certificates



Google has punished Symantec because the company tampered with SSL certificates, which are so important for trust on the Internet. In September, Google discovered that Symantec had wrongly issued an Extended Validation (EV) pre-certificate for google.com and www.google.com.

This was done without Google having requested it or consented to it. Besides security, Symantec also provides SSL certificates, which are used for identifying websites and encrypting traffic between websites and visitors. For this it has several brands, such as VeriSign, GeoTrust, Thawte and RapidSSL. For several years, Symantec has been the largest player in the market for SSL certificates. Because of the improper issuance of the certificates, Symantec chose to dismiss several employees.

Google also asked for an investigation report. The report (pdf) revealed that 23 test certificates had been issued for domains of five organizations without their knowledge, including domains of Google and Opera. Google then discovered even more dubious Symantec certificates and asked for clarification. Symantec carried out another investigation and found that a further 164 certificates had been issued for 76 domains, as well as 2458 certificates for domains that were never registered.

Actions

According to Google, it is worrying that a certificate authority has so many problems and could not even determine their magnitude during the first investigation. Therefore, Google will impose stricter demands on Symantec certificates. As of June 1, 2016, all of the security company's certificates must support Certificate Transparency. This is Google's own technology, which is meant to address several structural flaws in the SSL certificate system. Certificates that are issued after this date and do not meet this requirement can cause problems within Google products.

Furthermore, Google asks that the public investigation report on the incident be expanded with an analysis of why the 164 additional certificates were not found in the first place and what the cause of each failure was. Google also wants a detailed report on the measures that Symantec will take to correct the errors found and to prevent them in the future. Finally, the security company should also have a comprehensive audit carried out by a third party.
