Fuming Google tears Symantec a new one over rogue SSL certs

  • Thread starter: Sarkar
  • Replies: 1
  • Views: 428

Sarkar

Google has read the riot act to Symantec, scolding the security biz for its slapdash handling of highly sensitive SSL certificates.

In September it emerged that Symantec's subsidiary Thawte generated a number of SSL certs for internal testing purposes.

One of these certificates masqueraded as a legit cert for Google.com, meaning it could be used to trick web browsers into thinking they had connected to Google's site when really the browser had connected to a potentially malicious server.

The Chocolate Factory discovered the rogue cert using its Certificate Transparency project, and it was furious: Google never gave Thawte permission to generate the certificates, and was irked by Symantec's sloppiness.

"Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."

If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong.

Fuming Google tears Symantec a new one over rogue SSL certs • The Register
 