
Symantec carpeted over dodgy certificates, again

You had one job ... and it wasn't letting test certs escape into the wild and then revoking them

Symantec has confirmed that it's revoked another bunch of wrongly-issued certificates.

Andrew Ayer of certificate vendor and wrangler SSLMate went public with his discovery last week. The mis-issued certs were issued for example.com, and a bunch of variations of test.com (test1.com, test2.com and so on).

On Saturday, Symantec's Steve Medin replied: “The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline - these certificates each had "O=test". Our investigation is continuing.”

Medin said the company is still investigating what went wrong, adding that Symantec “will report our resolution, cause analysis, and corrective actions once complete”.
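The check a domain owner's Certificate Transparency monitor would run to catch issuance like the one Ayer reported, and to track whether a reported cert was revoked inside the 24-hour CA/B Forum window Medin cites, as an added example that is not the article's own code or anything from Symantec or SSLMate. The log records, the watched domains and the approved organisation names are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed CT-log-style records (not real log entries); timestamps are ISO 8601.
SAMPLE_ENTRIES = [
    {"serial": "01", "subject_o": "test", "sans": ["test1.com"],
     "issued": "2017-01-19T10:00:00", "revoked": "2017-01-20T09:00:00"},
    {"serial": "02", "subject_o": "test", "sans": ["example.com"],
     "issued": "2017-01-19T10:00:00", "revoked": "2017-01-21T12:00:00"},
    {"serial": "03", "subject_o": "Example Corp", "sans": ["www.example.com"],
     "issued": "2017-01-19T10:00:00", "revoked": None},
    {"serial": "04", "subject_o": "test", "sans": ["test2.com", "*.test2.com"],
     "issued": "2017-01-19T10:00:00", "revoked": None},
]

WATCHED_DOMAINS = {"example.com", "test1.com", "test2.com"}  # placeholder: domains we own
APPROVED_ORGS = {"Example Corp"}                              # placeholder: O= values we expect

def _covers(san, domain):
    """True if a SAN (plain or wildcard) names a watched domain or one of its subdomains."""
    if san.startswith("*."):
        base = san[2:]
        return domain == base or domain.endswith("." + base)
    return san == domain or san.endswith("." + domain)

def unexpected_issuance(entries, watched=WATCHED_DOMAINS, approved=APPROVED_ORGS):
    """Serials of certs that name a watched domain but carry a subject O= we did not approve."""
    hits = []
    for e in entries:
        names_ours = any(_covers(san, d) for san in e["sans"] for d in watched)
        if names_ours and e["subject_o"] not in approved:
            hits.append(e["serial"])
    return hits

def revocation_status(entry, reported_at, now, window=timedelta(hours=24)):
    """Classify a reported cert against a revoke-within-24-hours-of-report deadline."""
    deadline = reported_at + window
    if entry["revoked"] is None:
        return "unrevoked-overdue" if now > deadline else "unrevoked-pending"
    revoked = datetime.fromisoformat(entry["revoked"])
    return "revoked-in-window" if revoked <= deadline else "revoked-late"

def audit(entries, reported_at, now):
    """Map each flagged serial to its revocation status; this is the monitor's report."""
    flagged = set(unexpected_issuance(entries))
    return {e["serial"]: revocation_status(e, reported_at, now)
            for e in entries if e["serial"] in flagged}

if __name__ == "__main__":
    print(audit(SAMPLE_ENTRIES, datetime(2017, 1, 20, 8), datetime(2017, 1, 22, 8)))
```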

Security bods will be watching to see whether there's any other fallout from the latest blunder.

In 2015, Google blockaded certificates from a Symantec root, because it was not complying with the CA/Browser Forum's requirements.

At that time, Symantec hit back saying the certs were mostly used for internal testing, or were issued to a small handful of legacy customers.

Last year, Google brought the long-running question of certificate trust into sharp relief when it launched its Certificate Transparency site, letting the world see the whole list of certs it doesn't trust.

Chinese CA WoSign found itself in an unwelcome spotlight when it issued a cert for GitHub to university sysadmin Stephen Schrauger.

WoSign found itself sent to the naughty corner by Mozilla, Apple, and Google. That company had to promise a reorganisation to get itself back in the world's good graces. ®


Biting the hand that feeds IT © 1998–2017