
SoylentNews is people

posted by Fnord666 on Sunday January 22 2017, @05:18PM
from the what's-a-few-more-at-this-point dept.

Arthur T Knackerbracket has found the following story:

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.

[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."

This is the second major violation of the so-called baseline requirements over the past four months.

-- submitted from IRC



  • (Score: 2, Interesting) by SparkyGSX on Sunday January 22 2017, @05:58PM

    by SparkyGSX (4041) on Sunday January 22 2017, @05:58PM (#457392)

    The solution seems quite evident to me: immediately and permanently blacklist the CA certificates of Symantec and all CAs operated by Symantec. It must be VERY clear to all other CAs that this will not be tolerated. They already got their second chance; there are no third or fourth chances!

    Well, maybe they should distrust any new certificates signed by those CAs, effective immediately, and blacklist all existing certificates two weeks from now, to give innocent domain owners a chance to get new certificates from another CA.

    If Mozilla, Google, Apple and Microsoft let them get away with this, it would pretty much take away the little trust that remains in the CA system. All CAs must understand that such behaviour will result in immediate termination of their business.

    --
    If you do what you did, you'll get what you got
  • (Score: 3, Insightful) by zocalo on Sunday January 22 2017, @07:46PM

    by zocalo (302) on Sunday January 22 2017, @07:46PM (#457405)
    Not quite the best approach as that will harm a lot of customers through no fault of their own. Mozilla's solution to the recent StartCom CA compromise of revoking the trust of certs issued after a given future date is much better as it gives Symantec the task of notifying their existing customers they will need to go elsewhere when they renew. Highly embarrassing for Symantec and punitive too since it puts them out of the CA business until they can prove they have upped their game. Obviously the same measures to prevent workarounds used for StartCom would need to be applied as well.
    --
    UNIX? They're not even circumcised! Savages!
    • (Score: 1) by SparkyGSX on Sunday January 22 2017, @08:04PM

      by SparkyGSX (4041) on Sunday January 22 2017, @08:04PM (#457408)

      That's what I said, don't trust any new certificates, allow a grace period for innocent customers to get new certificates, then revoke everything. The point of revoking everything is that they have proven to be untrustworthy in the past, and we may not know of the full extent of their fraud. Also, it means they can't try to sweep it under the rug, and must contact their customers and tell them to go elsewhere.

      However, I definitely do not believe in allowing them back in after they have "upped their game". CAs need to be trusted, they have proven to be untrustworthy, that's it. Take them down as a very clear example to others.

      --
      If you do what you did, you'll get what you got
      • (Score: 4, Insightful) by zocalo on Sunday January 22 2017, @09:04PM

        by zocalo (302) on Sunday January 22 2017, @09:04PM (#457430)
        You seemed quite clear on blacklisting the existing certs at some point - "revoke everything", which would catch out all the customers when that happened - including those that might have several years left to run on their contracts. Picking a date a few months off (needed to allow existing customers coming up on renewal to find an alternate CA), then de-trusting the Symantec root certs for certs issued after that date only - as happened with StartCom/WoSign - minimises the collateral damage to customers.

        As for getting back into the CA business, getting re-certified isn't easy - you basically have to start over, with processes, audits and so on that are much stricter than they would have been when Symantec first went through the process. So much so, in fact, that WoSign has apparently decided to roll up their CA business entirely and will not be attempting to renew; even if they pulled it off, all their existing customers will have gone elsewhere and their reputation is in tatters, so they would essentially be starting over as a new company with a new brand and trying to break into the market from scratch. In Symantec's case, that reputation damage and possible rebranding would apply to *everything* they do, not just the CA - software, appliances, etc. - so it's not going to be pleasant or cheap for them, even if they do only get a "time out".
        --
        UNIX? They're not even circumcised! Savages!
        • (Score: 0) by Anonymous Coward on Sunday January 22 2017, @09:48PM

          by Anonymous Coward on Sunday January 22 2017, @09:48PM (#457446)

          This is an important issue and we have to hope CAs are taking it seriously. We can't stop them from cutting corners or violating trust but we can make the punishment severe enough to match the offense. Symantec's root certs should be revoked, even if that means people (myself included) would have to pay to replace certs not yet expired. At a minimum, it would generate considerably more awareness as upset customers complained across the 'Net. More importantly, Symantec would take a real financial hit through customer loss, damaged reputation, and perhaps lawsuits. As it stands, the penalty is weak enough that they can chalk it up to the cost of doing business.

        • (Score: 3, Interesting) by NCommander on Monday January 23 2017, @12:06AM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday January 23 2017, @12:06AM (#457480) Homepage Journal

          I regularly follow mozilla.dev.security.policy which is a de facto forum about CAs and SSL. Generally speaking, pulling Symantec out of the root store would have a rather horrid effect on the internet as a whole. The vast majority of SSL certificates chain back to a small subset of companies. Oftentimes, CAs don't go into root stores directly for one reason or another; they're cross-signed and chain up to CA certificates already in the root store. As it can take years for a certificate to be added to root stores, this process allows existing browsers to use new roots without being directly updated. This practice is explicitly allowed by the baseline requirements set by the CA/B as long as these sub-CAs still follow the same auditing requirements.

          For a well-known example, Let's Encrypt's CA certificates chain up through IdenTrust and were only recently added to Firefox. I don't think they have a direct chain of trust to Microsoft or Apple's root stores as of yet.

          The situation is also complicated by the fact that Symantec bought some of VeriSign's certificate business. According to some Google searches, in 2010 about 44% of all certificates chained through VeriSign. I couldn't find more up-to-date numbers but I suspect they still have a significant portion of all WebPKI certificates. Furthermore, it's extremely difficult in many situations to replace root CAs. In many cases, companies have technically constrained sub-CAs which allow them to issue their own certificates for domains they control, etc. These intermediate certificates ship with the signature from a Symantec root, and updating root certificate storage is difficult to nightmarish at times. By removing them from a root store, you can hose a good part of the internet. This is why WoSign/StartCom weren't completely removed from the root store.

          Now personally, I feel that, at an absolute minimum, forcing Symantec to hold off issuing new certificates and requiring a secondary audit is extremely important from a WebPKI point of view, but removing them entirely is going to be far worse overall than not.

          --
          Still always moving
          • (Score: 3, Informative) by NCommander on Monday January 23 2017, @12:15AM

            by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday January 23 2017, @12:15AM (#457486) Homepage Journal

            Follow-up to this; I'm not saying one action or another should be taken until it's clear how these certificates were issued, and who issued them (aka, innocent until proven guilty). According to the thread, they were apparently issued by a sub-CA that chains to Symantec but isn't operated by them.

            --
            Still always moving
            • (Score: 2) by zocalo on Monday January 23 2017, @07:52AM

              by zocalo (302) on Monday January 23 2017, @07:52AM (#457567)
              Definitely should be a consultation period and chance to respond, just as there was with WoSign/StartCom. If true about the sub-CA, then it's going to depend on the CA chain setup - can just that sub-CA's certs be trivially revoked/suspended, for instance? - although I think Symantec would still deserve some come-back for failure to properly control and audit their sub-CAs. Given they were under probation already, I think a zero tolerance policy and audit of all sub-CAs would be a reasonable course of action to take - trust applies to sub-CAs as well as the certs themselves.
              --
              UNIX? They're not even circumcised! Savages!
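The chain layout NCommander describes (a leaf signed by a sub-CA that chains up to a root already in the store) and the date-based de-trust zocalo describes for StartCom/WoSign, as an added example that is not part of this thread or of any browser's root-store code: a constructed three-certificate PKI built with Go's standard crypto/x509, and a check that rejects leaves issued after a cutoff only when their chain ends at the distrusted root. The cutoff date, names and serial numbers are constructed for the example; no real Symantec certificates are involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed cutoff: leaves under the distrusted root issued (NotBefore) after it are rejected.
var cutoff = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
// tmpl builds a minimal template; a certSign key usage marks it as a CA (serial and cn are constructed).
func tmpl(serial int64, cn string, ku x509.KeyUsage, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: ku,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
}

// sign issues t under parent with the parent's key; parent == nil means self-signed.
func sign(t, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("constructed PKI could not be built")
	}
	return cert, key
}

// checkLeaf builds leaf -> sub-CA -> root (the cross-signed layout from the thread), then applies the date cutoff only to chains ending at the distrusted root.
func checkLeaf(leaf, sub, root, distrusted *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(sub)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return err // no path to a trusted root: rejected regardless of dates
	}
	top := chains[0][len(chains[0])-1]
	if top.Equal(distrusted) && leaf.NotBefore.After(cutoff) {
		return fmt.Errorf("%s issued after %s cutoff under distrusted root %q", leaf.Subject.CommonName, cutoff.Format("2006-01-02"), top.Subject.CommonName)
	}
	return nil
}
```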