Symantec voluntarily issued a certificate for google.com and www.google.com
The incident with the release of the certificate for the domains google.com and www.google.com as the certification center of the company Symantec remained unnoticed on Habré. This was reported in the blog "corporation good."
The certificate was issued on September 14 at about 7:20 pm (GMT) by the Thawte certification center (owned by Symantec) without permission or request from Google. And not a simple certificate, but Extended Validation (EV). Thus, this is the first recorded case of an illegal issuance of an EV certificate.
The release of the certificate, according to Symantec, was the result of internal testing. Validity of the issued certificate is 1 day. However, Google has already included it in the list of withdrawals for its Chrome browser. In addition, Google sees no reason to believe that users were at risk as a result of this incident.
It is also noteworthy that the certificate was discovered using a relatively new mechanism - Certificate Transparency. This technology was specifically designed so that any domain owner could find out which certificates were issued for his domain and, accordingly, detect fraudulent ones. Thanks to Certificate Transparency, information about all certificates issued by a certification center is placed in an open log. By monitoring this log, you can discover the certificates issued for your domain.
')
The case described is the first unauthorized release of a certificate using Certificate Transparency.
UPD1. Symantec comment ( from here ).
UPD2. In the same comment, Symantec states that employees who violated policies and committed the incident were fired.
The certificate was issued on September 14 at about 7:20 pm (GMT) by the Thawte certification center (owned by Symantec) without permission or request from Google. And not a simple certificate, but Extended Validation (EV). Thus, this is the first recorded case of an illegal issuance of an EV certificate.
The release of the certificate, according to Symantec, was the result of internal testing. Validity of the issued certificate is 1 day. However, Google has already included it in the list of withdrawals for its Chrome browser. In addition, Google sees no reason to believe that users were at risk as a result of this incident.
It is also noteworthy that the certificate was discovered using a relatively new mechanism - Certificate Transparency. This technology was specifically designed so that any domain owner could find out which certificates were issued for his domain and, accordingly, detect fraudulent ones. Thanks to Certificate Transparency, information about all certificates issued by a certification center is placed in an open log. By monitoring this log, you can discover the certificates issued for your domain.
')
The case described is the first unauthorized release of a certificate using Certificate Transparency.
UPD1. Symantec comment ( from here ).
We learned on Wednesday that a small number of test certificates were incorrectly issued for internal use during testing.
All of these test certificates and keys were under our control all the time and were immediately withdrawn when we learned about the problem. There was no impact on any domains and no danger to the Internet.
UPD2. In the same comment, Symantec states that employees who violated policies and committed the incident were fired.
Source: https://habr.com/ru/post/267583/
All Articles