> It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency.<p>Symantec said they did an audit, Google spent 'a few minutes' and found many more mississued certificates just from the CT logs. In other words, Symantec can't audit themselves, so Google now require public issuance logs for all their certificates.<p>> [Google] expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.<p>This is a massive (and justifiable) smack in the face to Symantec.<p>Disclaimer: we're a Symantec competitor, as you may have realised:<p><a href="https://certsimple.com/blog/seal-in-search" rel="nofollow">https://certsimple.com/blog/seal-in-search</a><p><a href="https://certsimple.com/blog/sgc-ssl-certificates" rel="nofollow">https://certsimple.com/blog/sgc-ssl-certificates</a>
Days after the initial reports of rogue certificates being issued, Symantec wrote in their blog that they had already fired employees:<p><i>In addition, we discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies. Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process... At the end of day, we hang our hats on trust, and that trust is built by doing what we say we’re going to do.</i><p><a href="http://www.symantec.com/connect/blogs/tough-day-leaders" rel="nofollow">http://www.symantec.com/connect/blogs/tough-day-leaders</a><p>It's starting to look now like this the fault of systemic flaws at Symantec, and not just a few employees who didn't follow procedure.
It makes me* uncomfortable that Google has effectively appointed themselves as the internet police and using their power to push people around like this. But at the same time, there is nobody else (?) who is taking care of this, and I suppose the good of someone/<i>anyone</i> looking into and taking action on the sorts of serious problems that Symantec has exhibited probably outweighs my discomfort.<p>* Disclaimer: Google employee, no connection to any of this cert stuff.
A clear example of too big to fail. If this was any smaller CA (like cnnic before), they would now be gone from the trusted roots.<p>I wonder what's coming out of this. Personally, I think Symantec doesn't care in the least about Google's sabre rattling here. It's clear to everybody that Google hardly wants to release a browser which doesn't display 50% of the encrypted web sites.<p>This is a further issue with the current PKI: too few CAs are around (after symantecs buying spree lately) which gives them way too much power to do what ever they want. Furthermore, the process of acquiring a certificate (especially an EV one) makes switching CAs very burdensome, so not even bad reputation will compel people to leave.<p>What a mess.
>Symantec performed another audit and, on October 12th, announced that they had found<p>>an additional 164 certificates over 76 domains and 2,458 certificates issued for<p>>domains that were never registered.<p>:|
I don’t know much about how the CA system works, but “there’s something fishy going on with this CA” in conjunction with “starting with June 1st 2016” is not very reassuring.
To state the obvious (again) the third-party based trust system underlying TLS is broken. It places a massive amount of faith in a large crowd of human beings (the collective employee populations of all the CA's in the world) to behave with absolute rectitude and discipline for years and years without fail.<p>The sad part is that all of us, collectively, trust pretty much our entire financial lives and other matters requiring secrecy and authentication to this system everyday. It's mind-boggling how we came to be in this situation. How did the entire society, including very very smart security experts came to vouch for and blindly trust this system?
DNS certs would be better <a href="https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities" rel="nofollow">https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...</a>
This reminds me of <a href="https://www.agwa.name/blog/post/how_to_responsibly_misissue_a_cert" rel="nofollow">https://www.agwa.name/blog/post/how_to_responsibly_misissue_...</a>
This is terrible. This is sad. Is it any wonder so many people have no faith in Government, in the Financial system? How much of the system we take for granted is corrupt? I'm not intending to be negative, I know I am. But for Pete's sake. This sucks sucks sucks.