posted by Fnord666 on Sunday January 22 2017, @05:18PM
from the what's-a-few-more-at-this-point dept.

Arthur T Knackerbracket has found the following story:

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.

[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."

This is the second major violation of the so-called baseline requirements over the past four months.

-- submitted from IRC

  • (Score: 3, Interesting) by NCommander on Monday January 23 2017, @12:06AM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday January 23 2017, @12:06AM (#457480) Homepage Journal

    I regularly follow mozilla.dev.security.policy, which is a de facto forum about CAs and SSL. Generally speaking, pulling Symantec out of the root store would have a rather horrid effect on the internet as a whole. The vast majority of SSL certificates chain back to a small subset of companies. Oftentimes, CAs don't go into root stores directly for one reason or another; they're cross-signed and chain up to CA certificates already in the root store. As it can take years for a certificate to be added to root stores, this process allows existing browsers to use new roots without being directly updated. This practice is explicitly allowed by the baseline requirements set by the CA/B as long as these sub-CAs still follow the same auditing requirements.

    For a well-known example, Let's Encrypt's CA certificates chain up through IdenTrust and were only recently added to Firefox. I don't think they have a direct chain of trust to Microsoft or Apple's root stores as of yet.

    The situation is also complicated by the fact that Symantec bought some of VeriSign's certificate business. According to some Google searches, in 2010 about 44% of all certificates chained through VeriSign. I couldn't find more up-to-date numbers, but I suspect they still have a significant portion of all WebPKI certificates. Furthermore, it's extremely difficult in many situations to replace root CAs. In many cases, companies have technically constrained sub-CAs which allow them to issue their own certificates for domains they control, etc. These intermediate certificates ship with the signature from a Symantec root, and updating root certificate storage is difficult to nightmarish at times. By removing them from a root store, you can hose a good part of the internet. This is why WoSign/StartCom weren't completely removed from the root store.

    Now personally, I feel that, at an absolute minimum, forcing Symantec to hold off issuing new certificates and requiring a secondary audit is extremely important from a WebPKI point of view, but removing them entirely is going to be far worse overall than not.

    --
    Still always moving
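The two mechanisms the comment above leans on, cross-signing (a new root reachable through an old one) and technically constrained sub-CAs (a sub-CA that can only vouch for the domains it is permitted), as an added example that is not part of the original thread or of any CA's tooling. It builds a throwaway PKI with the openssl command line and checks both behaviours; every name (Old Root, New Root, Corp Sub-CA, the example.com and example.net hosts) is invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): a throwaway PKI built with openssl that
# demonstrates two mechanisms from the comment above.
#  1. Cross-signing: a leaf issued by "New Root" (absent from the trust store)
#     still validates when a cross-certificate for New Root's key, signed by
#     "Old Root" (present in the store), is supplied as an intermediate.
#  2. Technical constraints: "Corp Sub-CA" carries a nameConstraints extension
#     and can only vouch for hosts under example.com.
# All CA names and hostnames are invented for this demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
SERIAL=1000

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null; }
csr()    { openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null; }

# Extension profiles handed to "openssl x509 -req -extfile".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'authorityKeyIdentifier=keyid\n' | cat ca.ext - > subca.ext
printf 'nameConstraints=critical,permitted;DNS:example.com\n' | cat subca.ext - > constrained.ext

selfsign() {  # selfsign NAME: self-signed root certificate
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 \
    -days 30 -sha256 -extfile ca.ext -out "$1.pem" 2>/dev/null
}
sign() {      # sign CSRNAME ISSUER OUTNAME EXTFILE: issue a cert under ISSUER's key
  SERIAL=$((SERIAL + 1))
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$SERIAL" \
    -days 30 -sha256 -extfile "$4" -out "$3.pem" 2>/dev/null
}
leaf() {      # leaf NAME ISSUER HOSTNAME: end-entity cert with a DNS SAN
  newkey "$1"; csr "$1" "$3"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$1.ext"
  sign "$1" "$2" "$1" "$1.ext"
}
verify() {    # verify TRUSTEDROOT LEAF [INTERMEDIATE]: succeeds if LEAF chains to TRUSTEDROOT
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1.pem" -untrusted "$3.pem" "$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
  fi
}

# Build the PKI.
newkey oldroot; csr oldroot "Old Root"; selfsign oldroot   # the root browsers already ship
newkey newroot; csr newroot "New Root"; selfsign newroot   # a newer root not yet in stores
sign newroot oldroot cross subca.ext     # cross-certificate: New Root's key, signed by Old Root
leaf site newroot www.example.com        # issued directly under New Root

newkey corp; csr corp "Corp Sub-CA"; sign corp oldroot corp constrained.ext
leaf inside  corp www.example.com        # inside the permitted subtree
leaf outside corp www.example.net        # outside it

# Each check exits 0 when the PKI behaves as the comment describes.
cross_sign_works()   { verify oldroot site cross; }     # chain: site -> cross -> Old Root
cross_sign_needed()  { ! verify oldroot site; }         # without the cross-cert there is no path
constraint_permits() { verify oldroot inside corp; }    # Corp Sub-CA may sign for example.com
constraint_blocks()  { ! verify oldroot outside corp; } # ...but not for example.net

for check in cross_sign_works cross_sign_needed constraint_permits constraint_blocks; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
```

The cross-certificate and New Root's self-signed certificate carry the same subject and the same key, which is exactly what lets a browser that only ships Old Root validate the leaf as long as the server sends the cross-certificate as its intermediate; once New Root is in the store, the same leaf validates against it directly. The constrained sub-CA case is what "technically constrained" means in the baseline requirements: the constraint is enforced by every verifier, so a mis-issued certificate for a host outside example.com from that sub-CA is rejected no matter what the sub-CA's operator does.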
  • (Score: 3, Informative) by NCommander on Monday January 23 2017, @12:15AM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday January 23 2017, @12:15AM (#457486) Homepage Journal

    Follow-up to this; I'm not saying one action or another should be taken until it's clear how these certificates were issued, and who issued them (aka, innocent until proven guilty). According to the thread, they were apparently issued by a sub-CA that chains to Symantec but isn't operated by them.

    --
    Still always moving
    • (Score: 2) by zocalo on Monday January 23 2017, @07:52AM

      by zocalo (302) on Monday January 23 2017, @07:52AM (#457567)
      Definitely should be a consultation period and chance to respond, just as there was with WoSign/StartCom. If true about the sub-CA, then it's going to depend on the CA chain setup - can just that sub-CA's certs be trivially revoked/suspended, for instance? - although I think Symantec would still deserve some comeback for failure to properly control and audit their sub-CAs. Given they were under probation already, I think a zero tolerance policy and audit of all sub-CAs would be a reasonable course of action to take - trust applies to sub-CAs as well as the certs themselves.
      --
      UNIX? They're not even circumcised! Savages!