Google has laid down the law when it comes to Symantec and how the company handles certificates -- be transparent or face the consequences.
Google is evidently not very pleased about security firm Symantec's recent performance when it comes to issuing secure Web certificates and has outlined a list of demands to prevent the same mistakes from happening again.
In September, Symantec fired a number of employees following glaring mistakes in issuing transport layer security (TLS) certificates. The company said "employee error" caused cryptographic certificates to be issued online without the consent of either Google or Symantec, allowing attackers to impersonate Google pages protected by HTTPS
As you can imagine with such a prominent online service provider, this kind of security failure is not a small mistake you can brush under the carpet.
If these certificates were allowed to go out undetected into the wild, cyberattackers could have a field day impersonating legitimate domains. This, in turn, places online users at risk of surveillance, data theft and session hijacking -- all the while leaving the responsibility at Google's door.
The Thawte-branded Extended Validation (EV) pre-certificates were for the google.com and www.google.com domains. They were revoked immediately when Symantec noticed the problem, and as the pre-certificate was only active for one day, it is not believed the security of users were placed at risk.
However, a full report into the issue revealed 23 more test certificates had been issued without permission, covering not only Google, but Opera and three other undisclosed parties -- before an additional 164 certificates over 76 domains and 2,458 certificates issued for domains which were never registered were found.
"These test certificates never posed a risk to anyone or any organization, as the certificates never left Symantec's secure test labs or the QA test machine, and they were never visible to any end user," Symantec says.
"Moreover, the test certificates were never used on the QA test machine. Finally, the private keys associated with the test certificates were all destroyed as part of the testing tool that was used to enroll for the test certificates."
Ryan Sleevi, a Google software engineer, said on Wednesday in a blog post Google's own investigation into the problem raised "several more questionable certificates" after only a few minutes of work.
The problem now is no longer a handful of test certificates being issued at the wrong time by a few employees. It is thousands of certificates which not only took several audits to discover but the possibility of placing millions of users at risk if such practices are allowed to continue -- and it seems Google's encounter with Symantec's former employees has left a mark.
The engineer says that to prevent this happening again, Google will now require all certificates issued by Symantec from 1 June 2016 to support Certificate Transparency -- or the Google Chrome browser may flag websites using the certificates as potentially unsafe, a scary enough warning to ward away users.
Under the policy, TLS credentials must be logged to prove a website is owned by a specific organization, such as Paypal or Apple, and so Symantec would have to log all this data rather than just those domains which use certificate extensions.
Sleevi says that "in this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."
After this date, HTTPS websites using Symantec credentials may be laden with pages warning of potentially unsafe and unsecure content, or "other problems" when used in Google products. For Symantec, this could severely damage relationships with users -- but could prove to be a boon for rival firms.
Google has also requested that Symantec updates their report with a post-mortem of why the company did not detect the additional certificates Symantec found, details of the security firm's failures, why mistakes were allowed to happen, and what steps are going to be taken in the future to prevent a repeat performance.
The full list of demands are below:
Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit. The point-in-time assessment will establish Symantec's conformance to each of these standards:
WebTrust Principles and Criteria for Certification Authorities
WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security
WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL
The third-party security audit must assess:
The veracity of Symantec's claims that at no time private keys were exposed to Symantec employees by the tool.
That Symantec employees could not use the tool in question to obtain certificates for which the employee controlled the private key.
That Symantec's audit logging mechanism is reasonably protected from modification, deletion, or tampering, as described in Section 5.4.4 of their CPS.
A Symantec spokesperson told ZDNet:
"In September, we were alerted that a small number of test certificates for Symantec's internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold.
We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit."