Not what you are looking for? Ask the experts!
Symantec issuing fake web security certificates ?
I know little about the subject of security certificates issued by AV companies. Could someone please explain all this stuff in simple terms please, and in particular the possible effect, if any, on NS users now and on NS users in the future if Google is forced to carry through with it's threat if Symantec does not get its act together. Has this incident effected my security?
The numbers of fake certificates issued by Symantec that were not found in its initial audit requested by Google are 164 certificates over 76 domains and 2,458 certificates issued for domains that weren't registered. In its initial audit Symantec found only 23 fake certificates it had issued.
For it's part, apparently the responsible Symantec employees were fired. And Symantec clarified that it has put additional tools, policy and process safeguards in place to prevent this type of incident from occurring again. It also created plans to begin Certificate Transparency logging of all certificates and found a third-party to evaluate its approach, in addition to expanding the scope of its annual audit.
"Google warns Symantec to take additional steps on certificate verification"
".......“'It's obviously concerning that a CA [certificate authority] would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,' Google wrote. 'Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.'
Google's also pushing Symantec to update its incident report with a post-mortem analysis on why it didn't find the additional certificates and then the details of 'each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.;
Google's requests don't stop there, either. It's asking Symantec to provide a 'detailed set of steps' it will take to correct and prevent these flaws, as well as a timeline for when the work will be completed. After it successfully does all this, the company is also being asked to undergo a Point-in-time Readiness Assessment and third-party security audit.
"Google slaps Symantec for issuing fake web security certificates"