New standards being implemented between the world’s largest Certificate Authority & browser
On September 18th, 2015, you may have heard that Symantec became aware of an incident that went against industry standards set by the Certificate Authority/Browser (CA/B) Forum, the governing body of SSL certificate security. Due to an employee oversight, certificates that were intended for testing purposes only were actually issued from publicly-trusted roots. Unfortunately, these certificates were either for domains not owned by Symantec, or for domains that were not registered. Luckily, they were for testing environments and were identified before any damage could be done.
So what’s the big deal?
Simply put, it was a violation of the industry standards, which require validation from the owner of the domain before a certificate can be issued. Mis-issuance scenarios like this usually occur when a malicious user requests a certificate for a domain they do not control in order to use that certificate for phishing or other “blackhat” activities, in the hope that the issuing Certificate Authority (CA) mistakenly believes the request is valid.
In this specific situation, there was little to no risk of malicious intent because the certificates, although publicly trusted, never actually left Symantec’s control and were revoked immediately upon discovery. Nevertheless, this was an error, but if you ask us, it is the type of error that is ultimately good for the industry.
Here’s what happened: one of the mis-issued certificates happened to be for a domain owned by a little company known as Google. As the behemoth they are, Google, now known as Alphabet, happens to be a browser vendor as well, which means they are already very involved in the SSL industry and the CA/B Forum. They consistently work in tandem with Symantec to make the Internet a safer place day in and day out. In fact, their headquarters are across the street from each other in Mountain View, so they probably communicate with a string and tin can telephone sometimes. Anyway, through their coordination, they were able to find the full extent of the problem, which revealed that human error in a Symantec practice had occurred and resulted in many mis-issued certificates in their testing environments.
Again, while these were violations of industry standards, they posed little to no threat at all, but rather helped identify a hole in a practice that needed to be rectified before any harm could ever be done. Since this happened to Symantec, the industry leader, it probably made all other Certificate Authorities look at their internal practices and tighten up as well. You may never hear of any modifications from them, but we would bet adjustments were quickly made, because if little mistakes can happen to a leader known for their top-notch security ways, it can happen to anyone.
After all, we are dealing with humans. In fact, just last month, Google itself was in the news for accidentally allowing someone else to purchase the most trafficked domain in the world: Google.com. Yes! Google.com was owned by someone other than Google, and he even had access to webmaster tools, if only for a short while, but it may still be on his resume or CV for life. Google quickly recognized and corrected the mistake, and we’re sure they learned a valuable lesson pretty rapidly. I’d imagine some adjustments were made to make Google’s practices and systems better than they were the day before.
Google’s Necessary Reaction
On October 28th, Google announced that, in response to this incident, they are requesting that Symantec conform to some new requirements. The major requirements are that Symantec must now participate in Certificate Transparency (CT) logging for all certificates that they issue, and that Symantec must complete new WebTrust and third-party audits. Which is great for all!
Certificate Transparency is a modern program where information about publicly-issued SSL certificates can be submitted, or logged, to independently operated servers. These logs are publicly auditable by anyone: CAs, researchers, and other interested parties who want to check the integrity and validity of publicly-trusted certificates. This can be incredibly useful for discovering incorrectly issued or formatted certificates. For instance, Microsoft could monitor the logs for any certificates containing their trademark names, quickly identify any that were issued without their permission, and have them resolved promptly.
Google now simply wants Symantec to log all of their certificates starting on June 1st, 2016 (which also includes certificates issued by GeoTrust, Thawte, and RapidSSL). This will involve submitting the details to qualifying logs and including an “SCT” (Signed Certificate Timestamp) in the certificate itself, which tells browsers where the information was logged.
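To make the SCT part concrete, here is an added example (not code from the post, Google, or Symantec) that parses the SCT list a browser finds in a certificate and maps each SCT back to the log it names. The structure follows RFC 6962: a v1 SCT is a version byte, a 32-byte log ID (the SHA-256 of the log’s public key), a millisecond timestamp, optional extensions, and a signature block, and the list lives in the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2. The log key, the “known logs” table, and the signature bytes are constructed placeholders; the example checks structure and log identity only and does not verify the log’s signature, which a real client must also do.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList as embedded in a certificate.

Added illustrative example, not the post's own code. The log key, the known-log
table and the signature bytes are constructed placeholders; no real CT log is
referenced, and the log signature is not verified here.
"""
import hashlib
import struct
from datetime import datetime, timezone

# In a certificate, the SCT list is the value of the X.509 extension with
# OID 1.3.6.1.4.1.11129.2.4.2 (RFC 6962 section 3.3); this code decodes that value.

# Constructed placeholder: a real log ID is SHA-256 over the log's DER-encoded
# public key, which is how a browser maps an SCT back to the log that issued it.
EXAMPLE_LOG_KEY = b"constructed example log public key (not a real key)"
KNOWN_LOGS = {
    hashlib.sha256(EXAMPLE_LOG_KEY).digest(): "example-ct-log.invalid (constructed)",
}

# TLS HashAlgorithm / SignatureAlgorithm code points used in the SCT signature block.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes) -> bytes:
    """Serialise one v1 SCT; used here only to construct sample input."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    sct = b"\x00"                                   # sct_version = v1 (0)
    sct += log_id                                   # LogID: SHA-256 of the log key
    sct += struct.pack(">Q", timestamp_ms)          # uint64 milliseconds since epoch
    sct += struct.pack(">H", 0)                     # CtExtensions: empty
    sct += bytes([4, 3])                            # digitally-signed: sha256, ecdsa
    sct += struct.pack(">H", len(signature)) + signature
    return sct


def build_sct_list(scts) -> bytes:
    """Wrap SCTs in the TLS-style list: uint16 total length, then uint16-prefixed items."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct(raw: bytes) -> dict:
    """Decode one SCT, checking every length field against the bytes available."""
    if len(raw) < 47 or raw[0] != 0:
        raise ValueError("not a v1 SCT")
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    pos = 43 + ext_len
    if pos + 4 > len(raw):
        raise ValueError("truncated SCT")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    (sig_len,) = struct.unpack(">H", raw[pos + 2:pos + 4])
    if pos + 4 + sig_len != len(raw):
        raise ValueError("SCT length mismatch")
    logged_at = datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)
    return {
        "log_id_hex": log_id.hex(),
        "log": KNOWN_LOGS.get(log_id, "unknown log"),
        "timestamp_ms": timestamp_ms,
        "logged_at": logged_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature_len": sig_len,
    }


def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList; any length inconsistency is rejected."""
    if len(data) < 2:
        raise ValueError("empty SCT list")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT entry header")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def sample_sct_list() -> bytes:
    """Constructed input: one SCT from the 'known' log and one from an unrecognised log."""
    known = hashlib.sha256(EXAMPLE_LOG_KEY).digest()
    unknown = bytes(range(32))                       # constructed, matches no known log
    fake_sig = b"\x30\x06\x02\x01\x01\x02\x01\x02"    # placeholder bytes, not a valid signature
    return build_sct_list([
        build_sct(known, 1464739200000, fake_sig),        # 2016-06-01T00:00:00Z
        build_sct(unknown, 1464739200000 + 5000, fake_sig),
    ])


if __name__ == "__main__":
    for sct in parse_sct_list(sample_sct_list()):
        print(sct)
```

Running the block prints two decoded SCTs: the first resolves to the constructed log name, the second is reported as an unknown log, which is exactly the case a browser treats as not counting toward its CT requirement. The strict length checks matter because the list is attacker-influenced input to the TLS client, so a parser that trusts the embedded length fields is a classic source of out-of-bounds reads.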
The new audits will be confirmation from an independent party that Symantec has fixed the cause of the issue and is also performing its other CA requirements and responsibilities correctly.
Standing by our partner
While this may not be the brightest moment for Symantec, we at The SSL Store™ are extremely proud of our industry and the major players involved. This incident is a perfect demonstration of the health of the trusted Certificate Authority model! Despite Symantec’s size and power, Google did not shy away from taking the appropriate actions to rectify the situation. “Too big to fail” is not an issue here.
If Google had not taken any actions in response to this incident, we would be much more worried. That would be a sign that the various parties are afraid to invoke the checks and balances which keep this model working.
Having complete Certificate Transparency logging from the world’s largest CA will also be a huge step forward in third-party accountability for our industry. The Certificate Transparency standard and program was developed by Google, who have already made it mandatory to log all EV certificates in order to get proper UI treatment in Chrome. Most CAs have yet to expand logging to their OV and DV certificates, making Symantec the first amongst the industry leaders to do so.
As Symantec said, it is not always easy being an industry leader. They are not the first CA to make a mistake, and they certainly won’t be the last. The CA trust model is an evolving and adapting entity that has contingency plans and experience with these sorts of hiccups.
All in all, what we’re trying to say is that Symantec just learned a valuable lesson, where no harm was done and now the entire world is better off. On behalf of all people of the land: Thank you Google and Symantec, thank you!