Symantec has fired some employees after Google engineers noticed rogue SSL certificates issued in the web goliath's name.
Thawte, Symantec's certificate authority subsidiary, produced a small number of security certificates intended for internal testing.
Worryingly, in the wrong hands, these certificates could have been used by malicious systems to impersonate legit Google websites: they could have been used to intercept and decrypt passwords, login cookies, and other encrypted traffic destined for Google.
Fortunately, the certificates were quickly revoked. More controversially, the Symantec staff behind the SSL cert kerfuffle were fired, leading one security expert to suggest workers were taking the fall for a more systematic problem.
"The problem here, Symantec, is not your employees. It's the entire business model," said crypto-prof Matthew Green. "Also, pretty fantastic that Certificate Transparency actually caught the Symantec cert issuance. I bet they curse CT's name."
Symantec's side of the story can be found in a blog post here. Essentially, generating certificates perfect for eavesdropping on live, real websites is not a good look for a business built on illusion and trust.
The trust that it won't issue SSL certificates to the wrong people, and the illusion that its SSL certificates are like some sort of precious rare metal of the internet and thus worth their price tag. As demonstrated, Symantec can easily generate its customers' all-important SSL certificates whenever it likes, for little or no cost, and this lack of control is damaging for its image.
"A small number of test certificates were inappropriately issued internally for three domains during product testing," explained Symantec's Quentin Liu.
"All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the internet.
"We discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies.
"Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process. Because you rely on us to protect the digital world, we hold ourselves to a 'no compromise' bar for such breaches. As a result, it was the only call we could make."
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, a firm that protects digital keys and certificates, said that although cases of rogue certs are far from unprecedented, the Symantec-Thawte case involved "extended validation certificates," which are used to show the verified identity of a website's owner in green in browsers' URL bars.
"In this case, these were extended validation certificates that are supposed to be of the highest security," Bocek explained. "In fact, if these weren't extended validation certificates, and required to be in a Certificate Transparency log because of Google Chrome, then we might not know about this issue. It's one of the reasons why Certificate Reputation that goes beyond just Certificate Transparency to include hunting for possible malicious certificates on the internet is so important," he added.
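The detection Bocek describes, a Certificate Transparency log exposing a certificate that a CA issued for a domain it had no business issuing for, is what a CT monitor automates. The following is an added example written for this page, not code from Symantec, Venafi, Google or the article: a toy CT monitor that walks log entries and flags any certificate naming a monitored domain whose issuer is not on that domain's allowlist, or that carries no Signed Certificate Timestamp. The log entries, domain names and CA names are all constructed sample data; a real monitor would fetch entries from public CT log APIs and parse the X.509 certificates.

```python
"""Toy Certificate Transparency monitor (added example, not from the article).

Scans constructed CT log entries and reports certificates that cover one of
our monitored domains but were issued by a CA outside that domain's issuer
allowlist, or that carry no Signed Certificate Timestamp (SCT) at all.
All entries, domains and CA names below are constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical allowlist: which CAs are expected to issue for each domain we own.
MONITORED = {
    "example.com": {"Example Trusted CA"},
    "internal.example.org": {"Example Trusted CA", "Example Internal CA"},
}


@dataclass
class LogEntry:
    issuer: str        # issuer CN as it would appear in the logged certificate
    subject_cn: str    # subject common name
    sans: list         # subjectAltName dNSName values
    ev: bool           # extended validation certificate?
    sct_count: int     # number of SCTs embedded or delivered with the cert


def hostname_matches(cert_name: str, monitored: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers the monitored
    domain itself or any name beneath it. 'example.com.evil.test' must not match."""
    cert_name = cert_name.lower().rstrip(".")
    monitored = monitored.lower()
    if cert_name.startswith("*."):
        base = cert_name[2:]
        return monitored == base or monitored.endswith("." + base)
    return cert_name == monitored or cert_name.endswith("." + monitored)


def certificate_names(entry: LogEntry) -> list:
    """Subject CN plus SANs, lower-cased and de-duplicated, order preserved."""
    names = []
    for name in [entry.subject_cn, *entry.sans]:
        n = name.lower().rstrip(".")
        if n not in names:
            names.append(n)
    return names


def covered_domains(entry: LogEntry) -> list:
    """Monitored domains this certificate could be used to impersonate."""
    return sorted(
        d for d in MONITORED
        if any(hostname_matches(n, d) for n in certificate_names(entry))
    )


def audit(entries: list) -> list:
    """Return one finding per policy violation, in log order."""
    findings = []
    for entry in entries:
        domains = covered_domains(entry)
        if not domains:
            continue  # not our domain; nothing to check
        for domain in domains:
            if entry.issuer not in MONITORED[domain]:
                findings.append({"type": "unexpected_issuer", "domain": domain,
                                 "issuer": entry.issuer,
                                 "names": certificate_names(entry)})
        if entry.sct_count == 0:
            findings.append({"type": "missing_sct", "domain": domains[0],
                             "issuer": entry.issuer,
                             "names": certificate_names(entry)})
    return findings


# Constructed sample log entries (not real certificates or CAs).
SAMPLE_ENTRIES = [
    LogEntry("Example Trusted CA", "example.com", ["www.example.com"], True, 2),
    # An internal "test" certificate for one of our hosts from a CA we never authorised.
    LogEntry("Example Test Issuing CA", "test.example.com", [], True, 2),
    # Look-alike name that is not under our domain; must not be flagged.
    LogEntry("Other Public CA", "example.com.evil.test", [], False, 1),
    # Allowed internal CA, but the certificate was never logged with an SCT.
    LogEntry("Example Internal CA", "*.internal.example.org", [], False, 0),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(f"{finding['type']:17} {finding['domain']:22} "
              f"issuer={finding['issuer']!r} names={finding['names']}")
```

Run against the sample entries, the monitor reports two findings: the test certificate for `test.example.com` from an unauthorised issuer, and the wildcard certificate for `internal.example.org` that carries no SCT. The look-alike `example.com.evil.test` is correctly ignored, which is why the suffix check insists on a leading dot.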
The incident highlights a broader threat involving the whole CA eco-system, according to Bocek.
"Larger CAs like Symantec and their CA brands probably have great fraud programs and good teams, but how about the other 200 or more CAs that don't have the same level of security controls? Their certificates are trusted just like Symantec's. Cyber criminals who want certificates faster can easily get them from other CAs who do minimal fraud checks, have weak security controls, or fewer and less-equipped staff," he concluded.