Developing and implementing cryptographically secure systems is hard. Symantec was reminded just how hard it can be by an announcement it quietly made last Friday (September 18). According to Symantec's Quentin Lin and Charlene Mike-Billstrom, 3 SSL certificates were accidentally issued for internal use. While the announcement attempts to downplay the significance of this leak, it should be noted that multiple employees were fired over the accident.
Additional details about the accident have been provided in a separate announcement from Google. That post explains that Symantec's Thawte unit issued new, unrequested certificates for www.google.com and google.com. Google's Chrome web browser detected this because Chrome requires Extended Validation certificates to be recorded in Certificate Transparency logs, which seems to indicate that these certificates were released publicly in some capacity. However, Google's staff feel that the creation of these certificates had no ill effect, as they were valid for only 1 day before detection. Symantec maintains that these certificates remained within a testing environment. It is not clear to what domain the third certificate belonged.
Google's attempt to provide reassurance notwithstanding, commentary on Symantec's post has been decidedly negative. Respondent "IanBFarquhar" notes that Symantec "failed to disclose the sites for which these certificates were issued" and that "more transparency around how [this incident] happened is due".
Respondent “frenchdiver” points out that:
"you clearly used customer sensitive material for internal use/testing. Why is this even possible and why is this subject to human judgment??... this post seems to imply that "hey something bad happened, but actually, it's because some of our employees did bad stuff. So we fired them. All is good now". How in the world is saying this exhibiting any leadership??"
Cory Doctorow explains that what makes this release more worrisome is that, since the certificates were marked Extended Validation, Symantec had in theory done "extra homework" to validate that the request was truly for an official Google certificate. Thus it is all the more concerning that certificates subject to this heightened scrutiny were issued in error.