Vulnerabilities / Threats

3/24/2017
03:15 PM
Dawn Kawamoto
Dawn Kawamoto
Quick Hits
50%
50%

Google Slams Symantec for 'Failures' in SSL/TLS Certificate Process

Google Chrome engineers railed on Symantec for allegedly issuing thousands of security certificates that had not been properly validated.

Google Chrome engineers this week called out Symantec for failing to properly validate SSL/TLS digital certificates it has issued.

In a scathing blog post, Google Chrome engineers said that since Jan. 19 they have been investigating a "series of failures by Symantec Corporation to properly validate certificates" and that Google's investigation into 127 Symantec-issued certificates ballooned into at least 30,000.

Symantec fired back in a statement, saying "Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading."

According to Google Chrome's Root Certificate Policy, root certificate authorities are expected to ensure that server certificates receive domain control validation, frequently audit logs to monitor for any evidence of unauthorized certificate issuance, and guard their infrastructure against the issuance of fraudulent certificates.

"On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users," Google said in its post.

Google plans to reduce the validity period of a newly released Symantec-issued certificate to nine months or less, and called for Symantec to gradually revalidate and replace its currently trusted certificates on various Chrome releases. In addition, Google said it intends to remove the recognized Extended Validation status for at least one year on Symantec-issued digital certificates.

These changes will result in compatibility issues, Google warned, which will likely cause problems for users and website operators. Site operators will be forced to use certificates from other companies that have authority to issue certificates and users, as a result, will face a "substantial" number of errors until operators make the switch to other certificate authorities.  

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.