In September, Google caught Symantec issuing a bogus google.com certificate that could have been used to seamlessly intercept encrypted Google.com traffic. Symantec is one of the participants in Certificate Transparency, under which newly issued certificates, and certificates seen in the wild, are recorded in append-only, cryptographically verifiable logs that give an irrefutable audit trail for any bogus cert that is issued or discovered.
As Google has dug deeper into Symantec’s certificate issuance, it has found many more bogus certs, triggering an internal audit by Symantec that found literally thousands of “misissued” certificates. Google has announced that as of June 1, 2016, it will no longer honor certificates from Symantec unless Symantec becomes a full participant in Certificate Transparency, on the basis that its sloppiness makes its certs intrinsically untrustworthy unless third parties have complete transparency into Symantec’s cert issuance.
Google has also demanded third-party audits of Symantec’s procedures, and detailed plans for remediating the security flaws.
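To make concrete what "append-only, cryptographically provable" means for a Certificate Transparency log, here is an added example (not code from the original post or from Google or Symantec) that builds a small Merkle-tree log using the RFC 6962 hashing rules, produces an inclusion proof for an entry, verifies it the way a client would, and shows why a log cannot quietly rewrite an earlier entry without breaking the root that observers already hold. The log entries are constructed placeholder strings standing in for certificate bytes, and the `prefix_consistent` function is a simplified re-hashing check rather than the protocol's real consistency proof.

```python
import hashlib
from typing import List

# Constructed sample entries standing in for DER-encoded certificates.
# A real CT log hashes the certificate (or precertificate) bytes; these are placeholders.
SAMPLE_ENTRIES = [
    b"CN=example.com, issuer=Example CA, serial=01",
    b"CN=mail.example.com, issuer=Example CA, serial=02",
    b"CN=www.example.net, issuer=Example CA, serial=03",
]


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry). The prefix byte keeps a leaf
    from ever being mistaken for an interior node."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split rule)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash over an ordered list of entries."""
    if not entries:
        return hashlib.sha256(b"").digest()  # hash of the empty tree
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Audit path for entries[index]: the sibling hashes needed to rebuild the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check: recompute the root from the leaf and the audit path,
    trusting the log for nothing but the (signed) root hash."""
    if index >= tree_size:
        return False
    r = leaf_hash(entry)
    fn, sn = index, tree_size - 1
    for p in proof:
        if sn == 0:
            return False  # more path elements than the tree can have
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # sibling sits to our left
            if not fn & 1:
                # we were the lone right-hand node: skip levels with no sibling
                while not fn & 1 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # sibling sits to our right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def prefix_consistent(old_size: int, old_root: bytes, entries: List[bytes]) -> bool:
    """Simplified append-only check: the current log's first old_size entries must
    reproduce the earlier root. Real clients use RFC 6962 consistency proofs instead
    of re-hashing the prefix; this is an illustration, not the production protocol."""
    return old_size <= len(entries) and merkle_root(entries[:old_size]) == old_root


def demo() -> dict:
    log = list(SAMPLE_ENTRIES)
    root3 = merkle_root(log)
    # Every logged entry is provably present under the size-3 root.
    included = all(verify_inclusion(e, i, len(log), inclusion_proof(log, i), root3)
                   for i, e in enumerate(log))
    # A certificate the log never recorded cannot be proven against that root.
    bogus = verify_inclusion(b"CN=google.com, issuer=Example CA, serial=99",
                             2, len(log), inclusion_proof(log, 2), root3)
    # Appending keeps history intact: the old root is still reproducible.
    log.append(b"CN=api.example.com, issuer=Example CA, serial=04")
    appended_ok = prefix_consistent(3, root3, log)
    # Rewriting an earlier entry (erasing a misissued cert from history) breaks
    # consistency with the root that auditors and monitors already hold.
    rewritten = list(log)
    rewritten[1] = b"CN=mail.example.com, issuer=Example CA, serial=02-REVISED"
    rewrite_detected = not prefix_consistent(3, root3, rewritten)
    return {"included": included, "bogus_rejected": not bogus,
            "append_consistent": appended_ok, "rewrite_detected": rewrite_detected}


if __name__ == "__main__":
    print(demo())
```

The point for a relying party is that nothing here depends on trusting the CA: once a log root has been published and observed, a certificate is either provably in the tree or it is not, and the log cannot drop or alter earlier entries without every later root failing the consistency check against what observers recorded.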
It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.
After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.
More immediately, we are requesting of Symantec that they further update their public incident report with:
A post-mortem analysis that details why they did not detect the additional certificates that we found.
Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.
Sustaining Digital Certificate Security
[Ryan Sleevi/Google Security Blog]