Symantec slammed by Google over fake security certificates

31 Oct 2015

After Symantec reported that test certificates for websites including Google had been issued without the domain owners' knowledge, the search giant has demanded that the security firm come clean on the whole fiasco.

A blog post published by the Google Security team said that after 1 June 2016, any certificate issued by Symantec itself would be required to support Certificate Transparency under the policy laid down by the Chromium project.

Google's blog post adds, "After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products."

[Interstitials here are the full-page warning screens Chrome shows in place of a site before it loads, not advertisements - ed.]

While Symantec's report stated that "23 test certificates had been issued without the domain owner's knowledge covering five organisations, including Google and Opera," Google remained unconvinced. According to the search giant, its own analysis had found "more questionable certificates" issued by Symantec.

In a follow-up report in October, Symantec found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered. According to Google, this showed that Symantec had been unaware of these "additional certificates" until its second audit.

The online search giant has also told Symantec that it must provide a detailed list of the steps being taken to fix the issue and a timeline for the fix. According to the Google blog post, Google also expects Symantec to undergo a "Point-in-time Readiness Assessment and a third-party security audit".

A certificate issued without the domain owner's knowledge, Google notes, lets whoever holds its private key impersonate that website, opening the door to data theft and other cybercrime.

"It's obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency," wrote Ryan Sleevi, a software engineer at Google, in a blog post on Wednesday.

"In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner," he added.
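The CT requirement above and Sleevi's point about logging turn on one concrete artefact: the list of Signed Certificate Timestamps (SCTs) that a CA embeds in a certificate, one per log that has recorded it. The following is an added example, not code from the article, Google or Symantec: a standard-library Python parser for the RFC 6962 SignedCertificateTimestampList (the bytes carried in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2, after the DER OCTET STRING wrapper is removed), plus a simple policy check requiring SCTs from several distinct logs. The log IDs, timestamps and signature bytes in the sample are constructed, the "at least two distinct logs" threshold is an assumed stand-in for the Chromium policy's lifetime-dependent table, and SCT signatures are not verified (that requires each log's public key).

```python
import struct
from datetime import datetime, timezone

# Constructed example: parse an RFC 6962 SignedCertificateTimestampList and
# apply an assumed embedded-SCT policy. Not the article's, Google's or
# Symantec's code. Signatures are parsed but NOT verified.

SCT_V1 = 0
HASH_SHA256, SIG_ECDSA = 4, 3   # TLS SignatureAndHashAlgorithm code points


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError(f"truncated SCT data at offset {pos}")
    return buf[pos:pos + n], pos + n


def _take_u16_vector(buf, pos):
    """Read a TLS opaque<0..2^16-1>: 2-byte big-endian length, then that many bytes."""
    raw, pos = _take(buf, pos, 2)
    return _take(buf, pos, struct.unpack(">H", raw)[0])


def parse_sct(data):
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    pos = 0
    ver, pos = _take(data, pos, 1)
    if ver[0] != SCT_V1:
        raise ValueError(f"unsupported SCT version {ver[0]}")
    log_id, pos = _take(data, pos, 32)          # SHA-256 of the log's public key
    ts, pos = _take(data, pos, 8)               # milliseconds since the Unix epoch
    extensions, pos = _take_u16_vector(data, pos)
    hash_alg, pos = _take(data, pos, 1)
    sig_alg, pos = _take(data, pos, 1)
    signature, pos = _take_u16_vector(data, pos)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT")
    return {
        "log_id": log_id.hex(),
        "timestamp_ms": struct.unpack(">Q", ts)[0],
        "extensions": extensions,
        "hash_alg": hash_alg[0],
        "sig_alg": sig_alg[0],
        "signature": signature,
    }


def parse_sct_list(blob):
    """Parse SignedCertificateTimestampList (RFC 6962 section 3.3): a uint16
    total length, then a sequence of <uint16 length, SerializedSCT> items."""
    body, end = _take_u16_vector(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(body):
        item, pos = _take_u16_vector(body, pos)
        scts.append(parse_sct(item))
    return scts


def check_sct_policy(scts, min_logs=2, now_ms=None):
    """Assumed policy (not Chromium's exact table): SCTs from at least
    `min_logs` distinct logs, and no SCT dated in the future."""
    problems = []
    logs = {s["log_id"] for s in scts}
    if len(logs) < min_logs:
        problems.append(f"only {len(logs)} distinct log(s), need {min_logs}")
    if now_ms is not None:
        for s in scts:
            if s["timestamp_ms"] > now_ms:
                problems.append(f"SCT from log {s['log_id'][:8]}... is dated in the future")
    return (not problems, problems)


# --- builders for constructed sample data (a real CA gets SCTs from the logs) ---

def make_sct(log_id, timestamp_ms, signature=b"\x30\x06\x02\x01\x01\x02\x01\x01"):
    """Serialize a v1 SCT; the default signature is a placeholder, never verified."""
    return (bytes([SCT_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 0)                    # no extensions
            + bytes([HASH_SHA256, SIG_ECDSA])
            + struct.pack(">H", len(signature)) + signature)


def make_sct_list(scts):
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


# Constructed sample: two made-up log IDs, timestamped 28 October 2015.
LOG_A = bytes.fromhex("aa" * 32)
LOG_B = bytes.fromhex("bb" * 32)
T_2015 = int(datetime(2015, 10, 28, tzinfo=timezone.utc).timestamp() * 1000)
SAMPLE_OK = make_sct_list([make_sct(LOG_A, T_2015), make_sct(LOG_B, T_2015)])
SAMPLE_ONE_LOG = make_sct_list([make_sct(LOG_A, T_2015), make_sct(LOG_A, T_2015 + 1)])

if __name__ == "__main__":
    for name, blob in [("two logs", SAMPLE_OK), ("one log twice", SAMPLE_ONE_LOG)]:
        ok, why = check_sct_policy(parse_sct_list(blob), min_logs=2)
        print(name, "->", "conforms" if ok else "fails: " + "; ".join(why))
```

The parser deliberately rejects truncated or over-long input rather than silently reading what it can, since a browser-side CT check that tolerated malformed SCT lists would let a CA appear compliant with garbage. To run it against a real certificate, extract the extension value with an ASN.1 library and pass the inner octets to parse_sct_list; the policy thresholds should then be taken from the current Chromium CT policy rather than the assumed default here.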