Symantec revokes faulty security certificates

The cybersecurity firm has once again been left red-faced after issuing insecure certificates.
Written by Charlie Osborne, Contributing Writer

Symantec has confirmed that the company has once again been forced to revoke a batch of faulty certificates.

Last week, SSLMate's Andrew Ayer publicly revealed the discovery of misissued Symantec certificates, which were issued for domains including example.com and a variety of test domains, such as test1.com, test2.com, and test.com.

In an advisory, Ayer said that "with the exception of test4.com and test8.com, these domains are registered to different entities and appear to be wholly unrelated with one another in both ownership and operation," which suggested it would be "unlikely" that the domain owners worked together to authorize the certificates. Such certificates are used to verify digital identities on the web and force domains to adhere to particular security standards.

According to the developer, Symantec issued the faulty test.com certificates in October and November last year.

On January 21, Symantec product manager Steve Medin acknowledged the problem, claiming that the listed Symantec certificates "were issued by one of our WebTrust audited partners," and as a consequence, the business partner's privileges to issue certificates have been revoked, pending an inquiry.

"We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline -- these certificates each had 'O=test'," Medin said. "Our investigation is continuing."

The Symantec executive also said that the company will work to discover what happened at WebTrust which resulted in the misissued certificates and will "report our resolution, cause analysis, and corrective actions once complete," as noted by The Register.

This is not the first time the antivirus firm has found itself in the firing line due to misissued security certificates. In 2015, Google revoked Chrome and Android trust for one of Symantec's root certificates which contained an RSA key size of 1,024 bits, a feature that no longer complies with the CA/Browser Forum's Baseline Requirements.

Google now runs a domain called Certificate Transparency that outlines which certificates, from which authorities, the company no longer trusts.
