
Google issues ultimatum to Symantec over unauthorized HTTPS certificates

Google has laid down an ultimatum for Symantec — be fully transparent about the issuing of your security certificates or sites that use Symantec certificates will be deemed unsafe by Google Chrome.

In September, Symantec revealed in a report that it had fired a number of employees for issuing unauthorized TLS certificates for domain names to companies that did not own them.

This meant that the certificates could have been used to impersonate HTTPS-protected websites, including Google’s. Cyber-criminals could use them to pose as highly reputable sites and go undetected.

Initially, Symantec said that 23 certificates were issued, but Google has disputed this number, saying it is much higher. Following further examination, Symantec said that there were a further 164 certificates over 76 domains and 2,458 certificates for domains not yet registered.

In a blog post, Google’s Ryan Sleevi called for the details of Symantec’s investigation to be made public and transparent in order to understand why the number of certificates issued was underestimated. This includes detailed information on how the company will prevent this from happening again as well as what its methods will be.

Sleevi has also called for Symantec to ensure that all SSL certificates, as of June 1, 2016, are issued in accordance with Certificate Transparency, a public audit log.

“After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products,” wrote Sleevi.

If Symantec, and possibly any other certificate issuer, doesn’t follow these guidelines, it runs the risk of its SSL certificates being flagged as unsafe or insecure, which would send a bad message to any user trying to access sites using them through Chrome.

In response, Symantec has said the issue was caused by a testing error. It stated that it has revoked and blacklisted the certificates in question and said that there had been no harm caused to any users or organizations.

“To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates,” said the statement. “We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…