from the what's-a-few-more-at-this-point dept.
Arthur T Knackerbracket has found the following story:
A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.
One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify the rightful control of an affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate. These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners. The remaining 99 certificates were issued without proper validation of the company information in the certificate.
Even when CA-issued certificates are discovered as fraudulent and revoked, they can still be used to force browsers to verify an impostor site. The difficulty browsers have in blacklisting revoked certificates in real time is precisely why industry rules strictly control the issuance of such credentials. There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is.
[...] "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information."
This is the second major violation of the so-called baseline requirements over the past four months.
-- submitted from IRC
Why still use CAs? (Score:0)
My own generated certs show a huge warning that they can't be trusted and these clowns can keep going on.... Why do we still use this flawed sense of security?
who got them? (Score:2)
Does anyone have a link to who got them? In some detail about those folks, not just in general? My initial guess of how this all happened starts with a national security letter arriving at Symantec...
There's a lot of coverage on who screwed up, much less on what they did technically, and radio silence so far on who benefited.
Trust But Verify (Score:0)
Today it is Symantec, but tomorrow it could be any cert authority. At some level all systems rely on trust to work and thus will always be vulnerable to the inevitable bad actor. But some systems are more vulnerable than others. The current system needs better verification. One way to improve verification is the EFF's SSL Observatory. [eff.org] The Observatory isn't perfect; it's got weaknesses of its own and more work needs to be done. But for most people, most of the time, it is an improvement.
Solution (Score:1)
The solution seems quite evident to me: immediately and permanently blacklist the CA certificates of Symantec and all CAs operated by Symantec. It must be VERY clear to all other CAs that this will not be tolerated. They already got their second chance; there are no third or fourth chances!
Well, maybe they should distrust any new certificates signed by those CAs, effective immediately, and blacklist all existing certificates two weeks from now, to give innocent domain owners a chance to get new certificates from another CA.
If Mozilla, Google, Apple and Microsoft let them get away with this, it would pretty much take away the little trust that remains in the CA system. All CAs must understand that such behaviour will result in immediate termination of their business.
If you do what you did, you'll get what you got
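The story's point that a certificate is accepted as soon as a trusted CA has signed it, with revocation being a separate and weak mechanism, and the blacklisting proposal in the comment above, as an added example that is not from the story, from Symantec or from any commenter: a standard-library Go program that builds a throwaway root CA, has it sign a leaf for a hostname without any domain-control check, and shows that chain verification accepts it until the client either lists the serial locally or drops the CA from its roots. The host name victim.example, the CA name and the serial numbers are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent using parentKey (self-signed when parent == tmpl). Errors are fatal in this demo.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// BuildChain constructs a throwaway root CA and a leaf for host that the CA signs without
// any proof of domain control, i.e. the mis-issuance described in the story (constructed data).
func BuildChain(host string) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key is not needed here
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = sign(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, ca, leafPub, caKey)
	return ca, leaf
}

// Accepted mirrors a TLS client: x509.Verify checks the signature chain, names and dates but never
// revocation, so a revoked or mis-issued cert is only rejected by a local distrust list or by dropping the CA.
func Accepted(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil && !distrusted[leaf.SerialNumber.String()]
}

func main() {
	ca, leaf := BuildChain("victim.example")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("accepted:", Accepted(leaf, roots, "victim.example", nil)) // true: nothing checked authorization
}
```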