ex-Symantec employees issued fake Google certificates
Something interesting happened last week as three Symantec employees are reportedly without jobs after issuing several fake security certificates which would enable a site to impersonate Google.
From the Google Online Security Blog:
On September 14, around 19:20 GMT, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.
We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.
During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process.
We have updated Chrome’s revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day.
Our primary consideration in these situations is always the security and privacy of our users; we currently do not have reason to believe they were at risk.
Symantec’s Thawte-branded certificate authority issued test certificates, which if they reached the hands of someone with malicious intent would allow a website to masquerade as a secure website coming from/owned by Google.
Symantec claims that the termination of the employees was due to a failure to follow policies rather than for malicious intent and that the test certificates and keys never left their hands.
That said, without malicious intent why were three people issuing test certificates for Google domains? Then again, maybe I’ve just been watching too much Mr. Robot.
According to Ars Technica Google has updated the Chrome browser to ignore those pre-certificates, which were only valid for one day. Hopefully they’ll just update Chrome to only accept Google certificates from Google rather than trusting third party certificate authorities.
Yet another reason to never trust anything that says it’s secure on the internet.