De acordo com o site IT Word, o Google não está contente com os problemas revelados pela Symantec em certificar incorretamente vários domínios e enviou um aviso a Symantec
Symantec revelou, há algum tempo, que tinha problemas com os certificados de segurança de vários domínios web. O Google convocou a Symantec para explicar sobre os certificados de segurança falsos que foram validados como verdadeiros.
A Symantec afirma que teve problemas com “um pequeno número” de certificados por engano e que revogou os certificados antes de notificar quem foi afetado.
Após notificação do Google, a Symantec publicou um relatório em resposta e revelou que 23 certificados de teste tinham sido emitidos sem o conhecimento do proprietário do domínio que abrange cinco organizações, incluindo Google e Opera. No entanto, ainda foram capazes de encontrar vários certificados mais questionáveis usando apenas os logs de Certificado de Transparência.
A Symantec realizou outra auditoria e, em 12 de outubro, anunciaram que tinham encontrado um adicional de 164 certificados mais de 76 domínios e 2.458 certificados emitidos para domínios que nunca foram registrados.
A partir de 01 de junho de 2016, todos os certificados emitidos Symantec serão obrigados a apoiar Certificado de Transparência e após esta data, os certificados emitidos pela Symantec que não estejam em conformidade com a política Chromium Certificate Transparency terão problemas quando utilizados em produtos do Google.
A Transparência de Certificados SSL é bancada pelo Google e tem uma arquitetura aberta, e a Reputação de certificados pela Microsoft com uma arquitetura fechada. Tentam resolver o mesmo problema através de mecanismos distintos, mas funcionalmente similares. Entenda mais sobre Transparência de Certificados SSL no artigo escrito por Sergio Leal – Transparência e reputação no SSL e seus vícios de design.
Esse é mais um movimento do Google em que privilegia sites seguros entre os que estão listados nas pesquisas do seu motor de busca.
Leia a matéria íntegra
Google threatens action against Symantec-issued certificates following botched investigation
Symantec’s investigation into a case of internal testing gone wrong failed to find a large number of certificates issued without authorization
Google wants Symantec to disclose all certificates issued by its SSL business going forward, after what Google considers a botched investigation into how Symantec employees issued SSL certificates for domain names that the company did not own.
The browser maker also wants the security firm to publish a detailed analysis of how the incident was investigated.
Through its acquisition of Verisign’s authentication business unit in 2010, Symantec became one of the largest certificate authorities (CAs) in the world. Such organizations are trusted by browsers and operating systems to issue digital certificates to domain owners which are then used to encrypt online communications.
In September, Google discovered that Symantec had issued a pre-certificate for google.com without its knowledge. Even more surprising was that this certificate was an Extended Validation (EV) one, and therefore was supposed to require extensive verification of the requesting entity’s identity and ownership of the domain.
Google discovered the incident because, as part of its Chrome browser policies, it requires all CAs to disclose the EV certificates they issue in a public audit log as part of a new protocol called Certificate Transparency (CT).
Following the incident, Symantec determined that the certificates in question were issued during product testing and never left the organization. It also fired several employees who failed to follow internal policies.
The company’s initial investigation determined that 23 test certificates had been issued for domain names belonging to Google, Opera and three other unnamed organizations.
However, with only “a few minutes of work” Google was able to find additional unauthorized certificates that Symantec missed, calling into question the results of the company’s internal audit.
In response, Symantec re-opened the investigation and uncovered an additional 164 test certificates that it issued for 76 domains it didn’t own and 2,458 certificates issued for domains that hadn’t been registered.
Google is now calling for Symantec to publish a detailed analysis of its failure to detect all certificates during the initial audit and wants the company to explain the root causes for each violation of existing industry policies.
The browser maker also wants Symantec to report all the certificates it issues, not just the EV ones, to the CT log in the future.
Beginning with Jun. 1, 2016, Google Chrome may start to display warnings for Symantec-issued certificates that don’t support CT, Google said in a blog post Wednesday.
According to its own report on the incident, Symantec already plans to implement CT for all of its certificates until the end of this year.
“While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold,” a Symantec representative said in an emailed statement Thursday. “We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted.”
The company has already put additional tools, policies and procedures in place to prevent similar incidents from occurring in the future and has engaged a third-party to evaluate their effectiveness, the representative said.
However, Google is not ready to take Symantec’s word for it. It wants the company to undergo a third-party security audit in order to verify its claims that no private keys associated with the test certificates were exposed to Symantec employees, that those employees could not generate certificates with private keys that they controlled and that Symantec’s audit logs were reasonably protected against tampering.
