iBet uBet web content aggregator. Adding the entire web to your favor.
iBet uBet web content aggregator. Adding the entire web to your favor.



Link to original content: https://www.zdnet.com/article/symantec-sacks-staff-for-issuing-unauthorized-google-certificates/
Symantec sacks staff for issuing unauthorized Google certificates | ZDNET
X
Tech

Symantec sacks staff for issuing unauthorized Google certificates

The certificates made it possible to impersonate HTTPS-enabled Google domains.
Written by Charlie Osborne, Contributing Writer
screen-shot-2015-09-22-at-08-03-11.png

Symantec has fired a number of employees after unauthorized certificates were issued which would allow attackers to impersonate Google pages protected by HTTPS.

On Friday, the security firm said in a blog post employee error resulted in cryptographic certificates being issued online without permission from either Symantec or Google.

The company said:

"We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing.
All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet."

In a separate blog post, Google said Symantec issued a Thawte-branded Extended Validation (EV) pre-certificate for the domains google.com and www.google.com which was neither "requested nor authorized" by the tech giant.

The issue was discovered by Google employees who were monitoring Certificate Transparency, an open framework and project ran by the company to fix structural flaws in the SSL certificate system. A useful system, no doubt, as Google was able to detect the unauthorized certificate activity almost immediately.

By alerting Symantec to the issue, the companies were able to ensure the pre-certificate was only active and valid for one day in January this year. Google says Chrome's revocation metadata has been updated to include the public key of the misissued certificate -- which in turn blocks the certificate -- and the firm has no reason to believe the privacy and security of its users were placed at risk due to the mistake.

This week, Symantec appointed former Salesforce EMEA chief marketing officer Dan Rogers to CMO of Symantec. Rogers will report to CEO Michael Brown and will oversee the firm's marketing strategy, including brand awareness, digital marketing, demand generation and events.

Top gadgets and accessories for hardware and data security

Read on: Top picks

Editorial standards