Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/24/2017
03:15 PM
Dawn Kawamoto
Dawn Kawamoto
Quick Hits
50%
50%

Google Slams Symantec for 'Failures' in SSL/TLS Certificate Process

Google Chrome engineers railed on Symantec for allegedly issuing thousands of security certificates that had not been properly validated.

Google Chrome engineers this week called out Symantec for failing to properly validate SSL/TLS digital certificates it has issued.

In a scathing blog post, Google Chrome engineers said that since Jan. 19 they have been investigating a "series of failures by Symantec Corporation to properly validate certificates" and that Google's investigation into 127 Symantec-issued certificates ballooned into at least 30,000.

Symantec fired back in a statement, saying "Google's statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading."

According to Google Chrome's Root Certificate Policy, root certificate authorities are expected to ensure that server certificates receive domain control validation, frequently audit logs to monitor for any evidence of unauthorized certificate issuance, and guard their infrastructure against the issuance of fraudulent certificates.

"On the basis of the details publicly provided by Symantec, we do not believe that they have properly upheld these principles, and as such, have created significant risk for Google Chrome users," Google said in its post.

Google plans to reduce the validity period of a newly released Symantec-issued certificate to nine months or less, and called for Symantec to gradually revalidate and replace its currently trusted certificates on various Chrome releases. In addition, Google said it intends to remove the recognized Extended Validation status for at least one year on Symantec-issued digital certificates.

These changes will result in compatibility issues, Google warned, which will likely cause problems for users and website operators. Site operators will be forced to use certificates from other companies that have authority to issue certificates and users, as a result, will face a "substantial" number of errors until operators make the switch to other certificate authorities.  

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2005-0394
PUBLISHED: 2021-06-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2007-3733
PUBLISHED: 2021-06-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-21997
PUBLISHED: 2021-06-18
VMware Tools for Windows (11.x.y prior to 11.3.0) contains a denial-of-service vulnerability in the VM3DMP driver. A malicious actor with local user privileges in the Windows guest operating system, where VMware Tools is installed, can trigger a PANIC in the VM3DMP driver leading to a denial-of-serv...
CVE-2021-26834
PUBLISHED: 2021-06-18
A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode.
CVE-2021-26835
PUBLISHED: 2021-06-18
No filtering of cross-site scripting (XSS) payloads in the markdown-editor in Zettlr 1.8.7 allows attackers to perform remote code execution via a crafted file.