Fuming Google tears Symantec a new one over rogue SSL certs

We've got just the thing for you, Symantec ...

Google has read the riot act to Symantec, scolding the security biz for its slapdash handling of highly sensitive SSL certificates.

In September it emerged that Symantec's subsidiary Thawte generated a number of SSL certs for internal testing purposes.

One of these certificates masqueraded as a legit cert for Google.com, meaning it could be used to trick web browsers into thinking they had connected to Google's site when really the browser had connected to a potentially malicious server.

The Chocolate Factory discovered the rogue cert using its Certificate Transparency project, and it was furious: Google never gave Thawte permission to generate the certificates, and was irked by Symantec's sloppiness.
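The detection described above, a monitor that watches Certificate Transparency log entries for domains you own and flags any issuer you never authorised, as an added example (this is not Google's tooling, and the entry format, log names, CA names and domains are constructed for the example rather than taken from any real CT log API):

```python
"""Constructed CT-log monitor: flag certificates logged for domains you own
whose issuer is not one you authorised. Added example, not Google's code."""
import json
from typing import Dict, List, Set

# Constructed sample entries. This is NOT the output format of any real CT
# log or monitoring API; the field names and values are assumptions.
SAMPLE_ENTRIES = json.dumps([
    {"log": "log-a", "serial": "01", "issuer": "Example Org CA",
     "sans": ["example.com", "www.example.com"]},   # expected issuer
    {"log": "log-a", "serial": "02", "issuer": "Test Lab CA",
     "sans": ["example.com"]},                      # cert nobody asked for
    {"log": "log-b", "serial": "03", "issuer": "Other CA",
     "sans": ["unrelated.test"]},                   # not our domain, ignore
    {"log": "log-b", "serial": "04", "issuer": "Other CA",
     "sans": ["*.example.com", "example.com.attacker.test"]},
    {"log": "log-a", "serial": "05", "issuer": "Example Org CA",
     "sans": ["mail.example.org"]},                 # expected issuer
])

# Which CAs each monitored domain actually uses (assumption for the example).
AUTHORIZED_ISSUERS: Dict[str, Set[str]] = {
    "example.com": {"Example Org CA"},
    "example.org": {"Example Org CA"},
}


def san_covers_domain(san: str, domain: str) -> bool:
    """True if a SAN names `domain` itself, a host under it, or a wildcard
    under it. The suffix check is label-aware, so example.com.attacker.test
    does not count as example.com."""
    san = san.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]          # *.example.com covers hosts under example.com
    return san == domain or san.endswith("." + domain)


def find_unexpected_issuance(entries_json: str,
                             authorized: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per (entry, SAN) where the SAN falls under a
    monitored domain but the issuer is not on that domain's allowlist."""
    findings: List[dict] = []
    for entry in json.loads(entries_json):
        for san in entry["sans"]:
            for domain, cas in authorized.items():
                if san_covers_domain(san, domain) and entry["issuer"] not in cas:
                    findings.append({
                        "log": entry["log"],
                        "serial": entry["serial"],
                        "san": san,
                        "domain": domain,
                        "issuer": entry["issuer"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_unexpected_issuance(SAMPLE_ENTRIES, AUTHORIZED_ISSUERS):
        print(f"{f['log']} serial {f['serial']}: {f['san']} "
              f"issued by '{f['issuer']}', not authorised for {f['domain']}")
```

Run against the constructed entries, the monitor reports serial 02 (a test-lab CA issuing for the bare domain) and serial 04 (a wildcard for the domain from an unexpected CA), while the look-alike name example.com.attacker.test is correctly ignored because the suffix match is done on whole labels. In practice the entries would come from the CT logs a browser vendor requires, and the allowlist would mirror the domain's CAA records.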

Thawte insisted the rogue certificates never at any point left the lab, and that no one outside the company had obtained copies of the SSL certs.

Alarmed that Thawte's engineers were playing around with highly sensitive and powerful certificates, Google demanded a full investigation. Symantec found 23 dodgy certs, fired some of the staff involved, and conducted what it said was a full review, but now it turns out the biz botched that too.

According to Google software engineer Ryan Sleevi, the internet goliath found several more certificates that weren't mentioned in Symantec's report, and demanded the firm look again. On October 12, Symantec said it had found that another 164 rogue certificates had been issued for 76 domains without permission, and that 2,458 certificates had been issued for domains that were never registered.

"It's obviously concerning that a certificate authority would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit," Sleevi said on Wednesday.

"Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."

If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong. This Symantec has now done (you can read it here), but the biz has more hoops to jump through if it wants Chrome to accept its certificates going forward.

Symantec will also need to give Google a detailed timeline for the process behind the creation of each certificate and a list of things it will do to make sure it doesn't happen again. Since this involves confidential information, Google won't be making that information public.

Symantec must also hire a third-party security auditor to conduct a full audit, checking that private keys have not been exposed and that its auditing software works as specified. In addition, the auditors will ensure that Symantec is compliant in the following areas:

If Symantec bungles this second chance, come June 2016, Google Chrome and other Google apps will warn netizens not to trust any websites that use new Symantec-backed certificates.

This will encourage web developers to avoid using Symantec-issued SSL certs for their HTTPS-encrypted websites, and similar services, dealing a damaging blow to Symantec.

"While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold," Symantec told The Register in a statement.

"To prevent this type of testing from occurring in the future, we have already put additional tool, policy, and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third party to evaluate our approach, in addition to expanding the scope of our annual audit."

This may not be the end of the matter, however, since other groups are now reaching for their pitchforks. Firefox-maker Mozilla has examined Google's proposal, and is considering insisting that Symantec do the same for them; others may follow their example. ®

Biting the hand that feeds IT © 1998–2022