Google blasts Symantec over questionable digital certificates

Web giant Google has reached out to security software giant Symantec over mis-issued digital certificates for its own web domain, Google.com

On September 14th, Google issued an advisory, warning users of Chrome – and, by implication, Opera – of the error.

Symantec’s Thawte-branded CA [certificate authority] issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com, but this pre-certificate was neither requested nor authorized by Google.

Google discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.

“During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process,” claimed Google.

The findings led to a number of Symantec employees to be fired for issuing the unauthorized certificates after Google went public with its findings.

However, Google software engineer Ryan Sleevi revealed that that won’t be the end of the matter.

He said that although Symantec acknowledged the error, Google was still able to find several more “questionable certificates” and, after an audit, Symantec admitted that it had found an additional “164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered“.

As a result, Google is planning to require that all certificates issued by Symantec be required to support Certificate Transparency.

[Computing]