SECURITY SOFTWARE GIANT SYMANTEC has, once again, been forced to revoke a clutch of wrongly issued digital certificates.
The iffy certificates were exposed by certificate vendor SSLMate over the weekend. It revealed that a number of dodgy Symantec-sourced certificates had not been authorised by ICANN, while another batch appeared to be "test" certificates that SSLMate founder Andrew Ayer suggested probably covered domains owned by cyber squatters.
Digital certificates are intended to provide independent verification of the authenticity and ownership of a website in order to prevent attackers from impersonating a supposedly secure website. However, they rely upon the competence and honesty of third-party certificate authorities.
Symantec is one of the world's largest issuers of digital certificates under its own brand name, as well as GeoTrust, Thawte and RapidSSL.
Ayer said that although the company fired people after the last certificate scandal in October 2015, it appeared to have done little to tighten up its processes and procedures to prevent a recurrence.
Ayer has also criticised Symantec for issuing outdated SHA-1 certificates. "Symantec is an unbelievably bad certificate authority," Ayer added in a series of tweets.
He continued: "It looks an awful lot like Symantec never stopped using other people's domains for testing. For context, in 2015 Google caught Symantec issuing trusted SSL certs for other people's domains for testing, without authorization.
"This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorised. Even if the certs were only for testing, if a system allows employees to bypass authorisation, it will allow attackers to bypass it too.
"Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency. Symantec made a big show of firing the people supposedly responsible. Called it leadership. But they still look like the same old Symantec to me, up to their usual tricks!" claimed Ayer.
In response to Ayer's claims published on Mail-Archive.com, Symantec product manager Steve Medin admitted that the certificates had been wrongly issued.
"The listed Symantec certificates were issued by one of our WebTrust audited partners," said Medin.
He continued: "We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24-hour CA/B [certificate authority/browser] Forum guideline - these certificates each had 'O=test'. Our investigation is continuing."
Google's stinging criticisms came after Symantec, and a number of other companies that issue digital certificates, were fingered for issuing SSL certificates to fraudsters running fake banking websites.
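A defender-side check along the lines of what Ayer and Medin describe, as an added Go example that is not from the article: it takes a parsed certificate and flags a subject organisation of "test", a SHA-1 signature algorithm, and the absence of embedded Certificate Transparency SCTs (the proof that a certificate was publicly logged). The self-signed sample certificate and the name example.test are constructed for the demonstration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// OID of the embedded SignedCertificateTimestampList extension (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// AuditCert lists the red flags the article describes: subject O=test, a SHA-1 signature, no embedded SCTs.
func AuditCert(c *x509.Certificate) []string {
	var flags []string
	for _, o := range c.Subject.Organization {
		if strings.EqualFold(strings.TrimSpace(o), "test") {
			flags = append(flags, "subject O=test")
		}
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		flags = append(flags, "SHA-1 signature")
	}
	hasSCT := false
	for _, e := range c.Extensions {
		hasSCT = hasSCT || e.Id.Equal(oidSCTList)
	}
	if !hasSCT {
		flags = append(flags, "no embedded SCTs")
	}
	return flags
}
// newSampleCert builds a constructed self-signed certificate (hypothetical name example.test) for demonstration.
func newSampleCert(org string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		Subject: pkix.Name{Organization: []string{org}}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In practice the certificate would come from a TLS handshake or a CT log search for your own domains rather than from newSampleCert; a hit on any flag is a prompt to contact the issuing CA, which under the CA/B Forum guideline quoted above has 24 hours to revoke.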