Symantec caught issuing rogue certificates

Your browser trusts SSL certificates from hundreds of "Certificate Authorities," each of which is supposed to exercise the utmost caution before issuing them — a rogue cert would allow a criminal or a government to act as a man-in-the-middle between you and your bank, email provider, or employer, undetectably intercepting communications that you believed to be secure.

But not all CAs are trustworthy. Diginotar, a Dutch CA, had to shut its doors after it was revealed that it had issued rogue Google certs that were implicated in Iranian government spying on political dissidents.

In response to incidents like this one, Google created the Certificate Transparency initiative by which browsers and users from across the world cooperate to create a near-realtime index of all the certificates seen in the wild, making it much more likely that rogue certs will be detected and the CAs who issued them will be struck out of the browsers' root of trust.

Today, Symantec was caught issuing rogue Google certificates. The company is one of the biggest names in security, and one of the world's most prominent certificate authorities. Issuing a rogue cert for one of the Internet's biggest companies — a company that handles an unimaginable amount of sensitive data — is big news.

Worse: the cert issued by Symantec was an "extended validation" certificate — meaning that it was signed in a way that guaranteed that Symantec had done extra homework to validate that this was a real, official certificate for Google.

The company says the cert was issued as part of systems testing and that it fired the people responsible.

We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing. All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet. Further, we are in the process of proactively notifying the domain owners and our major partners.

In light of these events, we must reassert our commitment to stand behind our values and our position as a trusted industry leader. While our processes and approach are based on the industry best practices that we helped create, we have immediately put in place additional processes and technical controls to eliminate the possibility of human error. We will continue to relentlessly evolve these best practices to ensure something like this does not happen again.

In addition, we discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies. Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process. Because you rely on us to protect the digital world, we hold ourselves to a "no compromise" bar for such breaches. As a result, it was the only call we could make.

A Tough Day as Leaders [Quentin Liu/Symantec]

Improved Digital Certificate Security [Google Online Security]