The investigation proves that Symantec issued SSL certificates without proper authorization. Symantec has been asked to disclose all the SSL certificates that its employees issued for names the company did not itself own.
Symantec, the don of the Internet security world, has ruled the certificate authority business since it acquired Verisign's authentication business in 2010. Browsers have always trusted Symantec to issue SSL certificates to domain owners for encrypting online transactions.
Symantec issued a pre-certificate for google.com. It was an Extended Validation (EV) SSL certificate, a type that requires the security firm to dig into the requesting company's credentials to prove ownership and identity of the domain. Symantec instead issued the certificate unknowingly, without any such extensive verification.
Under its Chrome browser policies, Google requires certificate authorities to publish the validation details of the EV SSL certificates they issue in a public audit log that is part of Certificate Transparency. This is how Symantec was caught red-handed. Symantec's initial investigation identified 23 test certificates issued for domains belonging to Opera, Google and three that remain unknown. This raises questions about Symantec's internal audit.
In response, Symantec investigated further and uncovered an extra 164 test certificates issued for 76 unauthenticated domains, and 2,458 certificates issued for unregistered domains.
Google now asks Symantec to explain in detail the causes of this violation of established industry policies. Google also asks Symantec to report every certificate it issues to the Certificate Transparency log from now on. Symantec has agreed to the browser maker's terms and has reported its plan to support Certificate Transparency for all the SSL certificates it issues in future.
On top of that, Google asks Symantec to undergo a third-party security audit to confirm that Symantec employees have no access to generate private keys and that the keys stay out of their control. It also requires Symantec's audit logs to be tamper-proof.