Symantec fires employees who issued rogue Google certificates

Symantec has fired several employees that have been involved in the issuing of rogue certificates for some Google domains.

“We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing,” Symantec’s VP of Engineering Quentin Liu has announced on Friday.

“All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet. Further, we are in the process of proactively notifying the domain owners and our major partners.”

One of these testing certificates leaked on the Internet, as it was flagged by Google.

According to Stephan Somogyi and Adam Eijdenberg, Security & Privacy PM and Certificate Transparency PM at Google, respectively, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains and on September 14.

“We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs,” they explained.

“We have updated Chrome’s revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day,” they noted, adding that they do not believe that the security and privacy of Google users were at risk, i.e. that the certificates weren’t used for attacks.

According to Liu, the now terminated employees failed to follow the company’s policies regarding the issuing of certificates.

Symantec has obviously chosen to take a hard stance on this in order to preserve the trust in its Certificate Authority.

Don't miss