Independent researcher Andrew Ayer spotted Symantec once again improperly issuing 108 improperly validated transport layer security (TLS) certificates.
The certificates were in strict violation of industry guidelines: nine of them were reportedly issued without the knowledge or permission of the affected domain owners, and 99 were issued to companies whose registration data was obviously fraudulent, according to a 19 January blog post.
Ayer reported the issue to the firm and was told by Symantec policy manager Steven Medin that the company was investigating and would report on the resolution, root cause analysis, and corrective actions once complete. Many of the improperly issued certificates were revoked within an hour of being issued, but they still represent a major violation on Symantec's part.
While the investigation is still ongoing, a Symantec spokesperson said the certificates in question were issued by one of the firm's WebTrust-audited partners.
“We have restricted this partner’s issuance privileges while we continue to review this matter,” the spokesperson said. “While most of the listed certificates were already revoked by the partner, Symantec revoked all remaining valid certificates within the 24 hour CA/B Forum guideline. Our investigation is on-going.”
In 2015, Symantec terminated employees involved in issuing unauthorised HTTPS certificates for Google webpages, prompting Google to warn the firm to take additional steps on certificate verification.
Unauthorised certificates of this kind could have serious consequences for unsuspecting end users.
“There isn’t really anything for consumers to do to protect against this type of threat,” Tripwire Principal Security Researcher Craig Young said. “This is primarily a matter for the browser forum to respond with appropriate improved controls or sanctions.” He added that Symantec should only be issuing test certificates for domains that they own.
This article originally appeared at scmagazineuk.com