
posted by Fnord666 on Sunday January 22 2017, @05:18PM
from the what's-a-few-more-at-this-point dept.

Arthur T Knackerbracket has found the following story:

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.
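As an added example (not code from the article, SSLMate or Symantec): the check a domain owner would want in light of the nine certificates issued without their knowledge. It scans certificate records for the owner's hostnames and flags any issued by a CA outside an allowlist, using RFC 6125 wildcard matching so the report says which hostnames each such certificate could impersonate. The records, issuer names, serials and hostnames are constructed here; in practice they would come from a Certificate Transparency log monitor.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    issuer: str           # CA organisation name from the issuer DN
    sans: tuple           # dNSName entries from the Subject Alternative Name
    serial: str


def san_covers(san: str, host: str) -> bool:
    """True if a SAN entry (possibly a wildcard) matches `host`.

    Per RFC 6125, '*.example.com' matches 'www.example.com' but neither
    the apex 'example.com' nor the deeper 'a.b.example.com'. Comparison
    is case-insensitive and ignores a trailing dot.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        base = san[2:]
        return host.endswith("." + base) and host.count(".") == base.count(".") + 1
    return san == host


def find_unauthorized(records, owned_hosts, authorized_issuers):
    """Map serial -> owned hostnames a certificate from an unexpected CA covers."""
    allow = {i.lower() for i in authorized_issuers}
    findings = {}
    for rec in records:
        if rec.issuer.lower() in allow:
            continue  # issued by a CA we use; not a mis-issuance finding
        covered = [h for h in owned_hosts if any(san_covers(s, h) for s in rec.sans)]
        if covered:
            findings[rec.serial] = covered
    return findings


# Constructed sample data (hypothetical CA names, serials and hostnames).
OWNED = ("example.com", "www.example.com", "mail.example.com")
AUTHORIZED = ("Trusted CA Inc",)
SAMPLE = [
    CertRecord("Trusted CA Inc", ("example.com", "www.example.com"), "0001"),
    CertRecord("Other CA", ("*.example.com",), "0002"),      # unauthorized wildcard
    CertRecord("Other CA", ("test.com",), "0003"),           # not our domain
    CertRecord("Other CA", ("EXAMPLE.COM.",), "0004"),       # case / trailing dot
]

if __name__ == "__main__":
    for serial, hosts in find_unauthorized(SAMPLE, OWNED, AUTHORIZED).items():
        print(f"serial {serial}: could impersonate {', '.join(hosts)}")
```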

[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."

This is the second major violation of the so-called baseline requirements over the past four months.

-- submitted from IRC


Original Submission

  • (Score: 2) by nitehawk214 (1304) on Sunday January 22 2017, @10:42PM (#457464)

    Issuing certs for test.com and example.com is a pretty big fucking mistake and indicates there is no verification at all at Symantec.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh