Worse yet: these were extended validation (EV) certificates issued to a brash young startup you might have heard of named Google.
To Symantec’s credit, heads did roll and remedial action was taken – but in a textbook example of how security breaches are always worse than first reported, the “small number” of rogue certs found in their internal investigation was off by a couple of powers of ten.
Google seems a mite vexed, partly because the (much) larger number of rogue certs was unearthed by Google themselves, and only after Symantec’s all-done, nothing-to-see-here report was released. Using only their own Certificate Transparency (CT) logs and minimal legwork, the number ballooned from 23 certs issued for three domains to several thousand issued for 76 existing domains, or (more often) for domains which don’t actually exist.
Google’s now asking Symantec why exactly they missed over 99 percent of these rogue certs in their first internal audit, and also suggesting that they might want to bring in some outside auditors to re-assess what went wrong and where.
They’re also going to require all Symantec certificates to support CT as of June 1, 2016, while ominously noting that they “may take further action as additional information becomes available”.
Image: “Olympe gouges” by Mettais. Licensed under Public Domain via Wikimedia Commons