Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Sunday January 22 2017, @05:18PM   Printer-friendly
from the what's-a-few-more-at-this-point dept.

Arthur T Knackerbracket has found the following story:

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.

Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.

[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."

This is the second major violation of the so-called baseline requirements over the past four months.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by zocalo on Monday January 23 2017, @07:52AM

    by zocalo (302) on Monday January 23 2017, @07:52AM (#457567)
    Definitely should be a consultation period and chance to respond, just as there was with WoSign/StartCom. If true about the sub-CA, then its going to depend on the CA chain setup - can just that sub-CA's certs be trivially revoked/suspended, for instance? - although I think Symantec would still deserve some come-back for failure to properly control and audit their sub-CAs. Given they were under probation already, I think a zero tolerance policy and audit of all sub-CAs would be a reasonable course of action to take - trust applies to sub-CAs as well as the certs themselves.
    --
    UNIX? They're not even circumcised! Savages!
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2