[cryptography] [FORGED] Google tears Symantec a new one over rogue SSL certs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Dec 13 21:31:13 EST 2015


Jeffrey Walton <noloader at gmail.com> writes:

>Google has read the riot act to Symantec, scolding the security biz for its
>slapdash handling of highly sensitive SSL certificates.

Hardly.  It's just TB2F business as usual.  If you read the original article:

>Symantec performed another audit and, on October 12th, announced that they
>had found an additional 164 certificates over 76 domains and 2,458
>certificates issued for domains that were never registered.
>
>[...]
>
>Therefore we are firstly going to require that as of June 1st, 2016, all
>certificates issued by Symantec itself will be required to support
>Certificate Transparency.
>
>After this date, certificates newly issued by Symantec that do not conform to
>the Chromium Certificate Transparency policy may result in interstitials or
>other problems when used in Google products.

Translated:

A major CA has blatantly abused its position as a "trusted authority".  We
will be responding to this abuse of trust by waving our index fingers at them
in a vaguely scolding manner.  In the future, if it happens again, we might
even go so far as to send them a strongly-worded letter, and take them off our
Christmas card list.

In the meantime, we would like to congratulate Symantec on their record-
breaking $900M profit for the latest financial year, and hope they have many
further profitable years securing the Internet with trusted certificates.

Peter.


More information about the cryptography mailing list