
Symantec Subsidiary Thawte Issues Rogue Google Certificates

New submitter jack_babylon writes: On September 14th, Symantec's subsidiary certificate authority Thawte accidentally released a "small number" of "inappropriately issued" security certificates, apparently intended for internal testing only. However, the fact that these were logged in the wild by Google (and, apparently, DigiCert) seems to indicate that they escaped the lab, at least far enough for a false cert to raise the appropriate red flags. This sounds similar to the recent acts of poor judgement that got CNNIC's certs removed entirely from Firefox and Chrome, if more limited in scope and more quickly addressed (through, among other things, termination of some Symantec employees). (And like all reports one hopes go away quietly, these were released in the dead of a Friday night — h/t BoingBoing for noting this news.)
  • by lesincompetent ( 2836253 ) on Saturday September 19, 2015 @07:23PM (#50558259)
    That's some very suspicious "testing", kids.
    What are you up to?
    Perhaps in bed with some three-lettered thugs?
  • Ha ha ha ha!

    We're all screwed.

  • by swell ( 195815 ) on Saturday September 19, 2015 @08:19PM (#50558543)

    From the summary: "...termination of some Symantec employees..."

    Is this the first time that individuals were held responsible for online negligence? What happens to a CEO or CIO when data on millions of people slips out due to negligence? Has anyone ever been fired before (not just a flunky, but a responsible executive)?

    The penalties for corporate irresponsibility are so small that there is no incentive to do the right thing. Actually, this case may be an exception because both Thawte and Symantec have a reputation to protect- they might actually fire an executive. The question remains (and you can ask the same of Wall Street criminals)- when has any executive ever paid for this kind of negligence?

    • by cdrudge ( 68377 )

      Ask Target's CIO Beth Jacob and CEO Gregg Steinhafel how secure their jobs were after Target had their breach.

    • by lucm ( 889690 )

      The question remains (and you can ask the same of Wall Street criminals)- when has any executive ever paid for this kind of negligence?

      Like, say, Enron people?

  • You had "one job" (Score:5, Insightful)

    by YrWrstNtmr ( 564987 ) on Saturday September 19, 2015 @08:32PM (#50558587)
    Security company dicking up the one thing they are supposed to be good at.
  • locate -i thawte|sudo xargs rm -rvf
    Just as I did for diginotar and comodo
    you're not special bitches.
  • To apply for the job, please contact DICE Holding Inc.

    Really, the word salad in the second to the last sentence is making my eyes bleed. Is proper king's English now optional, on lazy Saturday nights, here?

  • Sure it's not a perfect fix but publishing the signatures of your ssl certs in DNS would take care of a lot of this low hanging fruit. A standard for cosigning your certs and pinning that cert would also help.

    The end effect is needing to break multiple vectors not any of a multitude of root level CA's.

  • by Antique Geekmeister ( 740220 ) on Saturday September 19, 2015 @09:41PM (#50558891)

    It's not that Google or Thawte have failed to correctly revoke certificates: it's that far too many people, at far too many sites and with far too many technologies, do not actually keep their signature authorities up-to-date. Because these people don't update signature authorities, they are unable to verify numerous valid certificates. These people then simply set their automated procedures, or make it their personal practice, to accept invalid certificates.

    The notable case of this I saw recently is RHEL 5, where the signature authority information in the /etc/pki files is managed inside the openssl packages, and updating openssl on a live server is likely to cause fascinating problems for an old, stable, production server. RHEL 6 sensibly put the root SSL keys in a separate package, but it's certainly not an unusual problem.

  • by lucm ( 889690 ) on Saturday September 19, 2015 @09:58PM (#50558959)

    It's all good now. Employees have been fired and some guy on a Symantec blog said the internet was never at risk. We all can relax and enjoy life.

  • CAs are the problem (Score:4, Interesting)

    by jonwil ( 467024 ) on Saturday September 19, 2015 @11:22PM (#50559243)

    The problem is that any of the many entities your browser trusts can create a valid certificate for any domain and the browser will just accept it.

    What we need is to move away from CAs and adopt a new system for storing the information needed to make a web connection secure. Storing keys in DNS and using DNSSEC to secure that is one option. And there are others (although I can't actually remember any of them off the top of my head).

    If you have a situation where it's impossible for anyone other than the actual owner of the domain to store a key, it's not possible for a rogue CA (or a hacked CA à la DigiNotar or one that has been co-opted by a government or intelligence agency) to issue a bogus certificate or a bogus public key.

    What I don't get is why there is no real interest from the people who came up with these alternatives to push them particularly hard and why there is basically zero interest from the people and entities who write the software that the web runs on (browsers, servers etc) to make any moves towards using these new systems.

    • Two other strategies are certificate pinning and certificate transparency. For pinning, you declare that only a certain intermediary CA (or root CA) may sign certs for your domain. So Google basically declares that all * certs must be signed by the specified Google CA. This information can either be hardcoded in the browser (for major sites) or relayed the first time the browser contacts the domain. So with hardcoded pinning, only Google can sign their certs. With http-pinning, another C
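As an added illustration (written for this page, not code from any commenter, Thawte or Google) of the "publish your cert's signature in DNS" idea raised earlier in the thread and the pinning discussion in the comment above, here is a small model of RFC 6698 TLSA matching: the DER byte strings are constructed stand-ins and the zone name example.com is assumed.

```python
import hashlib
from typing import Iterable, Tuple

# A TLSA RDATA as (usage, selector, matching_type, certificate_association_data),
# the four fields defined in RFC 6698 section 2.1.
TlsaRecord = Tuple[int, int, int, bytes]

def _select(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    """Selector 0 covers the full certificate, 1 only its SubjectPublicKeyInfo."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")

def _match(data: bytes, matching_type: int) -> bytes:
    """Matching type 0 stores the data verbatim, 1 its SHA-256, 2 its SHA-512."""
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def tlsa_record(cert_der: bytes, spki_der: bytes, usage: int = 3,
                selector: int = 1, matching_type: int = 1) -> TlsaRecord:
    """Build the record a domain owner would publish for its end-entity cert."""
    assoc = _match(_select(cert_der, spki_der, selector), matching_type)
    return (usage, selector, matching_type, assoc)

def tlsa_presentation(name: str, rec: TlsaRecord) -> str:
    """Zone-file form, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
    usage, sel, mt, data = rec
    return f"{name} IN TLSA {usage} {sel} {mt} {data.hex()}"

def dane_accepts(cert_der: bytes, spki_der: bytes,
                 records: Iterable[TlsaRecord], pkix_valid: bool) -> bool:
    """Accept the leaf if any usable record matches it. Usage 3 (DANE-EE) matches
    the leaf alone; usage 1 (PKIX-EE) also needs the normal CA chain check to have
    passed. Usages 0 and 2 constrain a CA cert in the chain and are not modelled."""
    for usage, sel, mt, data in records:
        if usage not in (1, 3) or (usage == 1 and not pkix_valid):
            continue
        if _match(_select(cert_der, spki_der, sel), mt) == data:
            return True
    return False

# Constructed stand-ins for DER bytes; a real deployment hashes the actual DER.
LEGIT_SPKI = b"constructed-spki-of-the-domain-owner-key"
LEGIT_CERT = b"constructed-cert-issued-to-owner:" + LEGIT_SPKI
ROGUE_SPKI = b"constructed-spki-of-some-other-key"
ROGUE_CERT = b"constructed-cert-mis-issued-by-trusted-ca:" + ROGUE_SPKI
PUBLISHED = [tlsa_record(LEGIT_CERT, LEGIT_SPKI)]  # "3 1 1": pin the owner's key
```

A mis-issued cert that chains to a trusted root (`pkix_valid=True`) still fails `dane_accepts` because its key hash differs from the published record, while a renewed cert that keeps the owner's key still passes.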

  • "I am seeing "certified by Thawte Consulting (Pty) Ltd" when I point cursor to googlemail. Is it normal or fishy?"

  • by Tom ( 822 ) on Sunday September 20, 2015 @06:01AM (#50560249) Homepage Journal

    What needs to happen until a corporation is terminated?

    That is the main issue here. As human beings, we understand there are limits to what we can do before we face really serious consequences. I mean jail time, not monetary punishment. Money is simply an expense. It might hurt, even hurt a lot, but it is not on the same level as being locked up.

    Where is the jail time equivalent for corporations, and why do we continue to believe that we can somehow control them without it? To take back control of our worlds from corporations running amok over it, we need this.

    To fire a number of employees means something very seriously went wrong. It also means the corporation allowed it to go wrong. This could be rogue employees the way someone robbing a bank with your car had lied to you when borrowing it, saying he needs to visit his ill grandmother urgently. Or it could be that you gave a gun to an obviously unstable kid when he said he's going to school and he's angry. You really should have at least asked a few more questions before handing over the firearm.

    So what will happen to Thawte in response?

    • So what will happen to Thawte in response?

      I think that depends on what government had asked them to generate the fake cert for MITM purposes.

  • What's a Rogue Google, and why does it have a Certificate?
