Symantec employees mistakenly leak test SSL certificates

Sep 20, 2015 10:15 GMT

Symantec has fired three employees after Google engineers found rogue SSL certificates for Google domains that Symantec's certificate authority had issued without authorization.

SSL certificates are the mechanism by which a browser verifies that the server it is talking to really belongs to the domain it claims, and they underpin the encrypted channel between browsers and Web services.

They are used billions of times each day and have become standard practice for securing communications between users and banks, online shops, social networks, and almost any website that wants to protect its users and their private data from hackers and privacy-intruding government agencies.

Responsible for issuing these certificates is a Certificate Authority (CA). There are numerous CAs around the world, all of which are recognized and trusted by browser makers on the condition that they issue certificates only to applicants that have proven control of the domain in question.

One of those CAs is Symantec, a cyber-security vendor known primarily for its Norton antivirus products.

Google's Certificate Transparency project was first to note the rogue SSL certs

On Friday, September 18, Google engineers working on Certificate Transparency, a system of public, append-only logs against which browsers and domain owners can check which certificates a CA has actually issued, found a series of unauthorized certificates for Google domains that had been issued by Symantec. DigiCert's technicians observed the same rogue certificates in their own logs.

What's worse is that these certificates were issued as Extended Validation (EV) certificates, which would mean Symantec had supposedly carried out the extra identity checks EV requires on whoever requested them, as Boing Boing reports. This detail was not officially confirmed by either Google or Symantec in their statements.

Google has blacklisted the certificates in question. Since they were exposed for only about a day before being revoked, neither Google nor Symantec believes they were used in real-world attacks.

Had attackers obtained them and had more time, these rogue certificates could have been used in man-in-the-middle (MitM) attacks: a browser would have accepted them as genuine, so an attacker positioned on the network path could have intercepted and read supposedly secure traffic between users and Google-operated services such as Gmail, Google+ and YouTube.

Not the first time rogue SSL certificates have been detected in the wild

This is not the first time that this has happened. In 2011, the Dutch CA DigiNotar was breached and the intruders issued hundreds of fake certificates. Some of these certificates (also issued for Google domains) were used by the Iranian government to spy on political dissidents.

The DigiNotar incident was one of the main motivations behind the Certificate Transparency project, which browser makers and certificate authorities have since adopted.

The same thing happened in December 2013, when an intermediate CA under France's ANSSI issued unauthorized certificates for Google domains, and at the end of March 2015, when the Chinese CA CNNIC was found to have issued unauthorized certificates for several Google domains. After the latter incident, Mozilla and Google dropped trust in CNNIC's root certificates.

Symantec has addressed the issue by firing the employees at fault

Investigating the incident, Symantec was quick to cooperate with Google's inquiries, well aware of what a loss of browser trust would mean for a CA.

In its official statement, Symantec says the rogue certificates were issued for internal testing and were revoked immediately once Google notified the company of the leak.

"We discovered that a few outstanding employees [...] failed to follow our policies," said Quentin Liu of Symantec. "Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process. [...] As much as we hate to lose valuable colleagues, we are the industry leader in online safety and security."