Google issues ultimatum to Symantec over unauthorized HTTPS certificates

Google has laid down an ultimatum for Symantec — be fully transparent about the issuing of your security certificates or sites that use Symantec certificates will be deemed unsafe by Google Chrome.

In September, Symantec revealed in a report that it had fired a number of employees for issuing unauthorized TLS certificates for domain names to companies that did not own them.

This meant that the certificates could have been used to impersonate HTTPS-protected websites, including Google's. Cyber-criminals could use them to pose as highly reputable sites and go undetected.

Initially, Symantec said that 23 certificates were issued, but Google has disputed this number, saying it is much higher. Following further examination, Symantec said that there were a further 164 certificates over 76 domains and 2,458 certificates for domains not yet registered.

In a blog post, Google’s Ryan Sleevi called for the details of Symantec’s investigation to be made public and transparent in order to understand why the number of certificates issued was underestimated. This involves detailed information on how the company will prevent this from happening again as well as what its methods will be.

Sleevi has also called for Symantec to ensure that all SSL certificates, as of June 1, 2016, are issued in accordance with Certificate Transparency, a public audit log.

“After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products,” wrote Sleevi.

If Symantec, and possibly any other certificate issuer, doesn’t follow these guidelines, it runs the risk of its SSL certificates being flagged as unsafe or insecure, which would send a bad message to any user trying to access sites using them through Chrome.

In response, Symantec has said the issue was caused by a testing error. It stated that it has revoked and blacklisted the certificates in question and said that there had been no harm caused to any users or organizations.

“To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates,” said the statement. “We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…