Google issues ultimatum to Symantec over unauthorized HTTPS certificates

Google has laid down an ultimatum for Symantec — be fully transparent about the issuing of your security certificates or sites that use Symantec certificates will be deemed unsafe by Google Chrome.

In September, Symantec revealed in a report that it had fired a number of employees for issuing unauthorized TLS certificates for domain names to companies that did not own them.

This meant that they could have been used to copycat HTTPS-protected websites, including Google’s. Cyber-criminals could use the certificates to impersonate highly reputable sites and go undetected.

Initially, Symantec said that 23 certificates were issued, but Google has disputed this number, saying it is much higher. Following further examination, Symantec said that there were a further 164 certificates over 76 domains and 2,458 certificates for domains not yet registered.

In a blog post, Google’s Ryan Sleevi called for the details of Symantec’s investigation to be made public and transparent in order to understand why the number of certificates issued was underestimated. This includes detailed information on how the company will prevent this from happening again and what its methods will be.

Sleevi has also called for Symantec to ensure that all SSL certificates, as of June 1, 2016, are issued in accordance with Certificate Transparency, a public audit log.

“After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products,” wrote Sleevi.

If Symantec, and possibly any other certificate issuer, doesn’t follow these guidelines, it runs the risk of its SSL certificates being flagged as unsafe or insecure, which would send a bad message to any user trying to access sites using them through Chrome.

In response, Symantec has said the issue was caused by a testing error. It stated that it has revoked and blacklisted the certificates in question and said that there had been no harm caused to any users or organizations.

“To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates,” said the statement. “We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…