Symantec issuing fake web security certificates ?

I know little about the subject of security certificates issued by AV companies. Could someone please explain all this stuff in simple terms, and in particular the possible effect, if any, on NS users now and on NS users in the future if Google is forced to carry through with its threat if Symantec does not get its act together. Has this incident affected my security?

The numbers of fake certificates issued by Symantec that were not found in its initial audit requested by Google are 164 certificates over 76 domains and 2,458 certificates issued for domains that weren't registered. In its initial audit Symantec found only 23 fake certificates it had issued.

For its part, apparently the responsible Symantec employees were fired. And Symantec clarified that it has put additional tools, policy and process safeguards in place to prevent this type of incident from occurring again. It also created plans to begin Certificate Transparency logging of all certificates and found a third-party to evaluate its approach, in addition to expanding the scope of its annual audit.

"Google warns Symantec to take additional steps on certificate verification"

"... 'It's obviously concerning that a CA [certificate authority] would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,' Google wrote. 'Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.'

Google's also pushing Symantec to update its incident report with a post-mortem analysis on why it didn't find the additional certificates and then the details of 'each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.'

Google's requests don't stop there, either. It's asking Symantec to provide a 'detailed set of steps' it will take to correct and prevent these flaws, as well as a timeline for when the work will be completed. After it successfully does all this, the company is also being asked to undergo a Point-in-time Readiness Assessment and third-party security audit.

http://www.scmagazine.com/google-publishes-blog-post-railing-symantec-ov...

"Google slaps Symantec for issuing fake web security certificates"

http://www.engadget.com/2015/10/29/google-warns-symantec-over-certificates/

Replies

Re: Symantec issuing fake web security certificates ?

A Symantec spokesperson told ZDNet:

"In September, we were alerted that a small number of test certificates for Symantec's internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold.

We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit."

http://www.zdnet.com/article/google-to-symantec-clean-up-your-certificates-or-be-branded-unsafe/ 

A little bit of knowledge is... well a little bit of knowledge.

Re: Symantec issuing fake web security certificates ?

hok:

I know little about the subject of security certificates issued by AV companies. Could someone please explain all this stuff in simple terms, and in particular the possible effect, if any, on NS users now and on NS users in the future if Google is forced to carry through with its threat if Symantec does not get its act together. Has this incident affected my security?

Hi hok,

Let me try to clarify this a bit for you.  It has nothing to do with antivirus or Norton security products, and in fact is completely unrelated to NS or any other security software you might use.  It has to do with how secure websites work.  Security Certificates are used to authenticate HTTPS connections - when you visit a secure website, your browser checks the Security Certificate that the site presents to confirm that you are at the correct site and not at a fake site.  Security Certificates prevent a rogue site from masquerading as your online bank, for example, because an imposter site would not have the correct Certificate, and your browser would give you a Certificate warning telling you the site should not be trusted.  Security Certificates are issued by Certificate Authorities.  Symantec, in addition to selling consumer and enterprise security products, is also a large and well-known Certificate Authority, having bought VeriSign a few years ago.  Certificate Authorities validate that website owners who are issued Certificates by the Authority are actually who they say they are.  Essentially, when you visit a secure site, you are trusting the Certificate and the Certificate Authority that issued it.  Unfortunately, Symantec mistakenly issued some Certificates that in the wrong hands could have allowed a phony site to authenticate as Google, or some other involved domains.

What Google is intending is to have its Chrome browser no longer trust Certificates issued by Symantec unless Symantec complies with the conditions that Google has requested by next June.  If that happens, anyone using Chrome who goes to a site that has a Certificate issued by Symantec will then get a warning from the browser that the site is not trusted. 

Hope that helps explain things for you.

For a fuller explanation of Security Certificates, see:

http://ask-leo.com/can_i_trust_https_certificates_in_my_browser.html
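A hands-on way to see the two things that answer describes, which Certificate Authority vouched for a site's certificate and whether that certificate is logged in Certificate Transparency (the requirement Google imposed on Symantec): an added shell example using openssl, not part of the original thread. It generates a throwaway self-signed certificate in place of one fetched from a real site, and the "CT required" policy it applies is a hypothetical stand-in for a browser's trust decision.

```shell
# Added example: inspect a PEM certificate the way a defender would when
# asking "who issued this, and is it CT logged?". Requires openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificate: self-signed, so issuer == subject and it
# carries no Signed Certificate Timestamps. Stands in for a site's real cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/O=Example Test Org/CN=www.example.test" >/dev/null 2>&1

# Print the issuer DN of a PEM certificate: the CA that vouched for the site.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Return 0 if the certificate embeds SCTs (Certificate Transparency logged),
# 1 otherwise. Matches the extension's printed name and its raw OID
# (1.3.6.1.4.1.11129.2.4.2) so it also works on builds without CT support.
cert_has_sct() {
  openssl x509 -in "$1" -noout -text \
    | grep -Eq 'CT Precertificate SCTs|1\.3\.6\.1\.4\.1\.11129\.2\.4\.2'
}

# Hypothetical policy modelled on Google's demand: a certificate that is not
# CT logged would be flagged to the user rather than silently trusted.
cert_verdict() {
  if cert_has_sct "$1"; then
    echo "CT-logged certificate from: $(cert_issuer "$1")"
  else
    echo "NOT CT-logged (warning under a CT-required policy) from: $(cert_issuer "$1")"
  fi
}

cert_verdict "$WORK/cert.pem"
```

To check a certificate you have saved from a real site, point `cert_verdict` at that PEM file instead of the constructed one.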


Re: Symantec issuing fake web security certificates ?

SendOfJive: Thanks for the explanation :-)

Thanks Krusty for the updated info. :-)


Re: Symantec issuing fake web security certificates ?

I don't mean to digress, but I thought I'd add my datapoint:

After upgrading to Windows 10 from Windows 7, and installing Norton Security Premium, the latest Firefox browser installed in a child account on the PC could no longer do Google searches because of an alleged security certificate issue. I initially suspected Norton Security to be the problem too.
But, the same Firefox browser worked fine in the parent account on that machine.
And other browsers (like Edge) used by the child account have no problem with Google searches.

As it turns out, when you identify an account as a child account of the family to Windows 10, it causes this problem for Firefox.
Remove that child account from the Microsoft Family, reboot the PC, and Google searches from Firefox on the child account begin to work with no security certificate issues.

I wonder what Microsoft is doing to security certificates from Google when Firefox is used from a child account in Windows 10.
