Symantec employees fired for issuing rogue HTTPS certificate for Google


siliconaddict

Ars Legatus Legionis
13,115
Subscriptor++
fuzzyfuzzyfungus said (http://meincmagazine.com/civis/viewtopic.php?p=29789705#p29789705):
Is there some logic that I'm missing to using an absurdly high-value target for 'testing'; and doing that testing on the public internet broadly enough that you get snagged by the CTP? Or were they just playing with fire because it's more fun that way?


God-like powers... let's play with them?! That is all I have as an excuse that I can think of.
 
Upvote
28 (28 / 0)

Dark Pumpkin

Ars Scholae Palatinae
1,197
fuzzyfuzzyfungus said (http://meincmagazine.com/civis/viewtopic.php?p=29789705#p29789705):
Is there some logic that I'm missing to using an absurdly high-value target for 'testing'; and doing that testing on the public internet broadly enough that you get snagged by the CTP? Or were they just playing with fire because it's more fun that way?

I don't see how a certificate could be accidentally handled like that, so my first thought was someone just thought he could be sneaky and do that without getting caught. I'm not sure what value a single day certificate would have though... maybe a dare or bet?
 
Upvote
17 (17 / 0)

Nowicki

Ars Tribunus Angusticlavius
7,567
Lots of people want to take advantage of these kinds of errors. They will pay just about anything, and will say just about anything. So I for one am glad that this was caught, but I'm not convinced that all issued certs are valid. Suppose Google thinks that too, otherwise they wouldn't have the transparency project out there.


hackers be like [image: n7kun8.jpg]
 
Upvote
46 (49 / -3)
Polyorb said (http://meincmagazine.com/civis/viewtopic.php?p=29789839#p29789839):
Just weeks to the Let's Encrypt project signing certs.

Symantec did what was necessary, but it's not necessary to rely on this broken CA infrastructure.

Awesome! This reminds me of the validation MS uses for its Office365/Azure Active Directory customers. Although they rely on edits to the DNS text records.
 
Upvote
1 (1 / 0)

Fatesrider

Ars Legatus Legionis
25,472
Subscriptor
Among other things, the project makes it possible to detect transport layer security credentials that have been mistakenly issued by a browser-trusted certificate authority. The ability for Google employees to independently discover the unauthorized certificates so quickly is a strong endorsement of the effectiveness of the Certificate Transparency program.
<SMH>

When I read that line, I couldn't help but flash onto a scene in Gringotts Wizarding Bank with a bunch of hobgoblins slowing down time, meticulously examining the SSL certificates then stamping only the authorized ones as they streamed by and tossing the bad ones to the dragon so it could go out and eat whoever sent the bad one...

What the hell did they put in my coffee today?
 
Upvote
25 (26 / -1)

MrMalthus

Ars Scholae Palatinae
1,135
Subscriptor++
kperrier said (http://meincmagazine.com/civis/viewtopic.php?p=29789703#p29789703):
But if it was for anyone else, they would have been out there for a while...

Certificate Transparency is required for all EV certificates to be treated as valid (as EV certificates) in Chrome now, so I imagine it would catch such rogue certificates for anyone: http://www.certificate-transparency.org/ev-ct-plan
 
Upvote
9 (9 / 0)

grumpy2

Ars Scholae Palatinae
1,321
Polyorb said (http://meincmagazine.com/civis/viewtopic.php?p=29789839#p29789839):
Just weeks to the Let's Encrypt project signing certs.

Symantec did what was necessary, but it's not necessary to rely on this broken CA infrastructure.

You mean, the infrastructure that Let's Encrypt is part of? All they're doing is automating the process of issuing https certificates, and doing it for free. (And they don't, and have no plans to, issue EV certificates like the ones being discussed here at all.)

So... I'm not really sure how Let's Encrypt would solve this problem, or how it would avoid "this broken CA infrastructure".

What they're doing is great, no doubt about that. But let's not pretend that it somehow fixes the problems with the CA infrastructure.
 
Upvote
10 (10 / 0)

kperrier

Ars Legatus Legionis
21,235
Subscriptor++
obarthelemy said (http://meincmagazine.com/civis/viewtopic.php?p=29790747#p29790747):
Nowicki said (http://meincmagazine.com/civis/viewtopic.php?p=29789757#p29789757):
Lots of people want to take advantage of these kinds of errors. They will pay just about anything, and will say just about anything. So I for one am glad that this was caught, but I'm not convinced that all issued certs are valid. Suppose Google thinks that too, otherwise they wouldn't have the transparency project out there.

hackers be like [image: n7kun8.jpg]

Yes, let's use a picture of a black thug. Why isn't he wearing a hoodie?
Is this better?
[image: hackers.jpg]
 
Upvote
22 (22 / 0)
obarthelemy said (http://meincmagazine.com/civis/viewtopic.php?p=29790747#p29790747):
Nowicki said (http://meincmagazine.com/civis/viewtopic.php?p=29789757#p29789757):
Lots of people want to take advantage of these kinds of errors. They will pay just about anything, and will say just about anything. So I for one am glad that this was caught, but I'm not convinced that all issued certs are valid. Suppose Google thinks that too, otherwise they wouldn't have the transparency project out there.

hackers be like [image: n7kun8.jpg]

Yes, let's use a picture of a black thug. Why isn't he wearing a hoodie?

Lol... Dave Chappelle... the thug.
 
Upvote
21 (21 / 0)
obarthelemy said (http://meincmagazine.com/civis/viewtopic.php?p=29790747#p29790747):
Nowicki said (http://meincmagazine.com/civis/viewtopic.php?p=29789757#p29789757):
Lots of people want to take advantage of these kinds of errors. They will pay just about anything, and will say just about anything. So I for one am glad that this was caught, but I'm not convinced that all issued certs are valid. Suppose Google thinks that too, otherwise they wouldn't have the transparency project out there.

hackers be like [image: n7kun8.jpg]

Yes, let's use a picture of a black thug. Why isn't he wearing a hoodie?

This might help you get some context on the person in the above image: https://www.youtube.com/watch?v=4eHMgXlugIU

https://www.youtube.com/watch?v=-UtbJ_u0IlY
 
Upvote
6 (8 / -2)

andrew102

Smack-Fu Master, in training
99
abridge said (http://meincmagazine.com/civis/viewtopic.php?p=29791229#p29791229):
More interesting would be to follow where the money came from and who the certificates were actually issued to.

There should be consequences beyond merely losing a job for something like this.

Glad Google was looking.

Why?

From the article:

" were inappropriately issued internally "

They created certificates for testing and used them internally. They got fired. Unless you have proof they were going to sell them to someone, that's all there is to it. Not to say it's not a valid angle to look at, but that's all we are being told.
 
Upvote
14 (14 / 0)

l27

Ars Scholae Palatinae
982
andrew102 said (http://meincmagazine.com/civis/viewtopic.php?p=29791699#p29791699):
abridge said (http://meincmagazine.com/civis/viewtopic.php?p=29791229#p29791229):
More interesting would be to follow where the money came from and who the certificates were actually issued to.

There should be consequences beyond merely losing a job for something like this.

Glad Google was looking.

Why?

From the article:

" were inappropriately issued internally "

They created certificates for testing and used them internally. They got fired. Unless you have proof they were going to sell them to someone, that's all there is to it. Not to say it's not a valid angle to look at, but that's all we are being told.

It could have been a test run and they got caught big time.
 
Upvote
2 (2 / 0)

NYKevin

Ars Scholae Palatinae
870
Subscriptor++
l27 said (http://meincmagazine.com/civis/viewtopic.php?p=29792667#p29792667):
andrew102 said (http://meincmagazine.com/civis/viewtopic.php?p=29791699#p29791699):
abridge said (http://meincmagazine.com/civis/viewtopic.php?p=29791229#p29791229):
More interesting would be to follow where the money came from and who the certificates were actually issued to.

There should be consequences beyond merely losing a job for something like this.

Glad Google was looking.

Why?

From the article:

" were inappropriately issued internally "

They created certificates for testing and used them internally. They got fired. Unless you have proof they were going to sell them to someone, that's all there is to it. Not to say it's not a valid angle to look at, but that's all we are being told.

It could have been a test run and they got caught big time.
What do you mean "test run?" If you're going to do this without getting caught, you don't do it like this. You issue a cert for https://www.example.com, adjust your hosts file, and run a local HTTPS server. Once you know that works, you issue the google.com cert, stick it on a thumbdrive, and sell it. At no point are you directly connecting your google.com cert to the internet to "test" it. That's just dumb.
 
Upvote
5 (5 / 0)
Hat Monster said (http://meincmagazine.com/civis/viewtopic.php?p=29793063#p29793063):
I think firing these folk is actually an overreaction. A test pre-certificate valid for only one day isn't a threat to anyone, anywhere.

Procedure was broken, but not severely.

I suspect that they got the hammer in part just for the PR hit (when you are a company that trades on 'trust', having a gigantic tech brand basically call you a dangerously irresponsible idiot in public is bad); and in part because all the CAs like to claim (and in many cases this may be true to some degree) that their signing keys are protected behind multiple layers of Mission Impossible security; so they don't really have the option of a non-severe procedural violation: merely using the signing keys for any unauthorized purpose is a problem that starts at 'severe' with the option to move into 'dire', 'company-destroying' or 'apocalyptic'.

Symantec does non-CA stuff as well; but as a CA, you basically have no reason to be allowed to exist if you can't keep a tight grip on the private keys.
 
Upvote
11 (11 / 0)

NetworkElf

Ars Scholae Palatinae
1,197
JamesKatt said (http://meincmagazine.com/civis/viewtopic.php?p=29793845#p29793845):
Issuing fake certificates so one can impersonate Google is something I'd expect the NSA to do. It makes you think about who these fired employees actually work for.

"What can we get away with? Will anybody notice?"

Organizations like the NSA and FBI prey on an unaware, unsuspecting public.
 
Upvote
-1 (1 / -2)

zarmanto

Ars Tribunus Militum
2,773
NetworkElf said (http://meincmagazine.com/civis/viewtopic.php?p=29794461#p29794461):
JamesKatt said (http://meincmagazine.com/civis/viewtopic.php?p=29793845#p29793845):
Issuing fake certificates so one can impersonate Google is something I'd expect the NSA to do. It makes you think about who these fired employees actually work for.

"What can we get away with? Will anybody notice?"

Organizations like the NSA and FBI prey on an unaware, unsuspecting public.
You might be right... but so does everybody else. Take Volkswagen, for example.
 
Upvote
3 (3 / 0)

HeloIT

Smack-Fu Master, in training
56
Dark Pumpkin said (http://meincmagazine.com/civis/viewtopic.php?p=29789755#p29789755):
fuzzyfuzzyfungus said (http://meincmagazine.com/civis/viewtopic.php?p=29789705#p29789705):
Is there some logic that I'm missing to using an absurdly high-value target for 'testing'; and doing that testing on the public internet broadly enough that you get snagged by the CTP? Or were they just playing with fire because it's more fun that way?

I don't see how a certificate could be accidentally handled like that, so my first thought was someone just thought he could be sneaky and do that without getting caught. I'm not sure what value a single day certificate would have though... maybe a dare or bet?

I would expect there is good money to be paid by several interests who would like a security hole... former Iron Curtain coders come to mind.
 
Upvote
0 (0 / 0)
On Let's Encrypt, I'm a little concerned that demonstrating control over a domain is considered enough proof, as if there aren't a dozen ways to outright steal or temporarily gain control over one, long enough to get a registration agent key established with Let's Encrypt.

Still no worse than what many for profit CAs do, outside of EV certificates.
 
Upvote
0 (0 / 0)

mrnomnoms

Ars Tribunus Militum
1,771
This is hardly surprising given that my experience with Symantec is that they're pretty much outsourcing these things to the lowest bidder in countries with the highest levels of corruption, and then people wonder why these things happen. Really, when you have 'tech centres' located in some of the most corrupt countries on earth, where bribery is the norm, I really have to ask just how serious Symantec is about security and the integrity of those whom they hire in the first place.
 
Upvote
-1 (0 / -1)