The Case of the Symantec’s Mysterious Digital Certificates

Updated on June 21, 2016

On Friday September 18, 2015 both Symantec and Google announced an incident with digital certificates used to secure web sites in browsers.  In Chrome a secure connection is indicated by the green lock next to the URL in the browser.  Symantec noted in it’s official post that a “small number of test certificates were inappropriately issued” for three domains during testing.  No mention of the domain names were provided.  The company explains that the certificates were issued outside of company policy by employees for testing.  When the company learned about the policy violation, the employees were terminated, and the certificates were revoked.

In a separate blog post by Google on the same day, we learn the domains in question were google.com and www.google.com.  There is no mention of the third domain.  We also learn the certificates were Extended Validation(EV) type digital certificates.  EV certificates are special since they convey the highest level of trust in a users web browsing experience.  Google notes that the certificates were, “…recorded in both Google-operated and DigiCert-operated [certificate transparency] logs” on Monday September 14, 2015 at 19:20 GMT.  Symantec maintains, “…certificates and keys were always within our control…”  It’s difficult to know what Symantec means by control.  Clearly Symantec’s information systems did not provide adequate security controls to enforce it’s own corporate policies when issuing EV digital certificates.  Symantec reassures the public this time they will, “…place additional processes and technical controls to eliminate the possibility of human error.”  Symantec provides no details about processes and controls leading to the incident or how their new improvements will address security concerns moving forward.  No dumps of the certificates were provided, no digital fingerprints, etc.  Readers cannot verify or check any revocation information to ensure certificates have been properly black listed.  The article provides no verifiable facts for the public.

Symantec refers to the Google digital certificates as “test” certificates.  Google, calls the same certificates, “pre-certificate was neither requested nor authorized by Google.”  In other words, these are EV digital certificates generated on behalf of Google by Symantec, for domains owned by Google, without Google’s permission and used for unauthorized testing.  Isn’t a certificate that’s not requested or authorized by the subject for a domain owned by the subject also known as a – forged certificate?  So what is the difference between a “test” certificate, a “pre-certificate”, and a forged certificate?  I’m not sure.  Certainly the message to the public is softened.  The best course of action for such a serious breach of confidence is a complete disclosure of the event.  Symantec should provide a narrative, a timeline, and complete set of facts so the public verify all statements made independently.  Unfortunately there is no public evidence to support any statements made by Symantec about how they used Google’s certificates.  Trust but verify is one of the basic tenants of security.  In this case we can only trust Symantec but not verify.

The weakness with digital certificates is that the system is predicated largely based upon trust.  CA’s are free to issue certificates for any domain.  For example, if Google normally works with Thawte (a Symantec brand) for issuing certificates for their domains, Verisign or any other CA, can issue a certificate for Google as well.  Nothing prevents other CA’s with roots within Chrome from issuing a certificate for a Google domain or any other domain.  Google notes they developed a Certificate Transparency(CT) measure to address these concerns.  The CT extensions and log servers are new to me so I need to read up on them.  I don’t see a lot of good tools to dump out CT logs.  I need to investigate CT, CT logs, and related tools further.  Maybe I should consider adding CT support to my DeepViolet pet project.  CT has the potential to spot problems during certificate issuance whereas Chrome Certificate Pinning can spot certificate problems at runtime, both CT and pinning work together.  The good news, in spite of the weaknesses, forged certificates are fairly rare in the public.

Additional Resources
No root for you!  Google slams door on Symantec certs
Fuming Google tears Symantec a new one over rogue SSL certs
Proactive measures in digital certificate security

Image: Open Clipart, https://openclipart.org/detail/213115/blindfolded-woman-arrows

Author: milton

For bio see, https://www.securitycurmudgeon.com/about/