Symantec has been forced to revoke another batch of mis-issued certificates after a security researcher last week revealed his discovery of multiple suspicious-looking certs.
Product manager Steve Medin claimed on Saturday that the certificates in question were issued by one of the security giant’s WebTrust-audited partners.
“We have reduced this partner's privileges to restrict further issuance while we review this matter,” he added. “We revoked all reported certificates which were still valid that had not previously been revoked within the 24-hour CA/B Forum guideline; these certificates each had ‘O=test’. Our investigation is continuing.”
Earlier, SSLMate founder Andrew Ayer flagged the discovery of over 100 HTTPS certs likely to have been mis-issued by Symantec, in probable violation of browser guidelines.
These included several connected to the example.com domain, and multiple “suspicious” certificates containing the word “test”, although many had already been revoked by the time Ayer discovered them.
However, Chrome doesn’t immediately check certificate revocation, meaning a revoked cert could still be used in an attack, Ayer told Ars Technica. In other cases, attackers could apparently succeed simply by preventing the browser from contacting the revocation server, since the browser then treats the certificate as valid.
The revelations could be another big blow for Symantec’s reputation in this area, following a major incident in 2015 which led to the sacking of several employees.
On that occasion, Google spotted that Symantec CA subsidiary Thawte issued unauthorized certificates for several domains.
Then, a month later, the security firm found that over 160 rogue certificates had been issued without its permission.
That’s why, as of 1 June 2016, all Symantec-issued certificates have been required to support Google’s Certificate Transparency standard for easier logging.
That requirement very likely revealed this new apparent certificate snafu.
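The kind of check that surfaces certificates like these from a Certificate Transparency feed is a small policy filter over each logged certificate's subject and SAN list. The Go program below is an added example written for this page, not code from Symantec, SSLMate or the article; it builds two throwaway self-signed certificates in memory (constructed samples standing in for entries read from a CT log) and flags the one whose subject carries `O=test` or whose SANs fall under reserved or example domains that no customer can legitimately control. The `SuspiciousCert` function, the `reservedDomains` list and the sample hostnames are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sampleCert builds a constructed self-signed certificate so the example runs
// offline. In a real monitor the *x509.Certificate would come from a CT log entry.
func sampleCert(org string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// reservedDomains are names reserved for documentation and testing (RFC 2606 /
// RFC 6761); a publicly trusted certificate for them is a mis-issuance signal.
var reservedDomains = []string{"example.com", "example.net", "example.org", "test", "localhost", "invalid"}

// SuspiciousCert returns the reasons a logged certificate deserves review:
// an organization of "test" (the marker in the certificates Symantec revoked)
// or a SAN that sits under a reserved domain. An empty result means clean.
func SuspiciousCert(cert *x509.Certificate) []string {
	var reasons []string
	for _, o := range cert.Subject.Organization {
		if strings.EqualFold(strings.TrimSpace(o), "test") {
			reasons = append(reasons, "subject O=test")
		}
	}
	for _, name := range cert.DNSNames {
		n := strings.ToLower(strings.TrimSuffix(name, "."))
		for _, r := range reservedDomains {
			if n == r || strings.HasSuffix(n, "."+r) {
				reasons = append(reasons, "SAN in reserved domain: "+name)
			}
		}
	}
	return reasons
}

func main() {
	// Constructed samples: one that mirrors the reported pattern, one ordinary cert.
	bad, err := sampleCert("test", []string{"www.example.com"})
	if err != nil {
		panic(err)
	}
	good, err := sampleCert("Acme Widgets", []string{"shop.acme-widgets.com"})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{bad, good} {
		fmt.Printf("serial %s CN=%s -> %v\n", c.SerialNumber, c.Subject.CommonName, SuspiciousCert(c))
	}
}
```

Run with `go run` on a single file. The filter is deliberately narrow: it only encodes the two signals the article describes (an `O=test` subject and example-domain names), so it is a starting point for a CT monitor rather than a complete mis-issuance policy.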
The integrity of the certificate-issuing process is paramount as hackers are increasingly willing and able to abuse the system to sneak through malware and launch attacks.