Google wants Symantec investigated and threatens legal action, asking the company to disclose the certificates issued by its SSL business. Google is asking for additional investigations into how Symantec employees issued SSL certificates for domain names that did not belong to the company.
The reaction follows a security investigation run by Symantec last year. The company looked into a security flaw in Google Drive that allowed hackers and scammers to obtain Google clients' personal information by using fake Google Drive documents that asked users for phone numbers or email and password information.
Symantec claimed the flaw was fixed last year, after the company discovered scammers were using a fake login page that was hosted on actual Google servers and served over SSL, and therefore looked very convincing. Google then published a statement assuring clients that the problem no longer exists, but Malware Intelligence Analyst Chris Boyd stated that the issue still has not been completely fixed.
It now seems that Google discovered the security company also issued a pre-certificate for google.com without Google's knowledge. The certificate was an Extended Validation (EV) certificate, so issuing it was supposed to require extensive verification of the identity and ownership of the domain.
After the incident, Symantec concluded that the respective certificates were issued during product testing and that they had never gone beyond the organization. As a result of its investigation, the company fired several employees for failing to follow internal policies.
Although Symantec's original internal investigation identified 23 certificates issued for domains belonging to Google and other organizations, Google was later able to find other unauthorized certificates that Symantec had failed to identify.
In response, Symantec re-opened the investigation and found another 164 faulty certificates issued for 76 domains that did not belong to it, as well as 2,458 certificates made for domains that had not been registered.
Because of the security company's multiple failures to identify unauthorized practices within its own team, and viewing Symantec's investigation as faulty at the very least, Google has now asked that Symantec publish a detailed analysis of why its original investigation failed to identify the incorrect certificates. It is also demanding an in-depth look at the causes of each violation of the industry policies, as well as an explanation as to why they happened.
Symantec has put additional tools and procedures in place to ensure that similar incidents do not happen again and has hired a third party to evaluate their effectiveness. However, Google is still asking the company to undergo a third-party audit to verify the company's security and ensure that its audit logs are well protected against future intrusion.