30 Jan

Symantec, Illegitimate Certificates & Why We Should Care

In 2015, Symantec was caught issuing improperly signed cryptographic certificates which could be used to break HTTPS and put internet users at risk. Some of the improperly issued certificates were for Google-owned domains, and if used maliciously they could have allowed impersonation of HTTPS-protected Google websites.

Understandably, Google was very upset and responded by requiring Symantec to publicly log all certificates it issues, so that they can be scrutinized by the security community; otherwise, Google threatened to retool its popular web browser, Google Chrome, to flag all Symantec-issued certificates as potentially unsafe. This would undoubtedly lead many websites to drop Symantec for another Certificate Authority.

Nearly a year and a half after Symantec’s transgressions, it appears the popular Certificate Authority is at it once again, caught issuing 108 certificates in violation of the strict industry guidelines for issuing cryptographic certificates.

Google Chrome's Certificate Error Alert

Understanding Why Any of This Matters

The internet was not designed with security in mind. Before the development of secure transmission protocols, all data was passed back and forth between users and websites unencrypted, easily read by any third party able to intercept it (similar in nature to wiretaps on telephone lines).

To ensure both the confidentiality and integrity of data passed back and forth between an end user and a website, encryption is necessary, but encrypting the data in transit is not enough. There must also be a way to authenticate that the website you wish to create a secure connection with is who it says it is. The need to authenticate the identity of websites to end users is a major reason why Certificate Authorities are so important.

A Quick Overview of How the Authentication Process Works

A certificate binds a public encryption key to an identity. At a minimum, the certificate offers Domain Validation, but some organizations may opt for further authentication of their identity on the web and obtain Organization Validation or even further, Extended Validation. (Read more about the differences between Cert types here.)

Domain Validation is quick and typically automated, but for an organization to obtain Organization Validation or Extended Validation, the Certificate Authority is expected to perform additional investigation into the organization requesting the certificate, verifying its identity with both the requester and independent third parties. Once verified, the Certificate Authority issues a cryptographically signed certificate, created using a secret signing key which only the Certificate Authority should have access to (meaning that nobody else should be able to forge a certificate bearing its signature).

Organization VS Extended Validation Certificate Comparison

Intrinsic Trust of Certificate Authorities and the ‘Web of Trust’

Our computers and smartphones are preconfigured to trust any certificate issued by a long list of Certificate Authorities. Industry best practices dictate that any organization acting as an official Certificate Authority follow the WebTrust guidelines for Certificate Authorities, which include verifying the identity of the requester of a certificate prior to its issuance. This concept of intrinsic trust between end users and Certificate Authorities is referred to as the “Web of Trust” in cryptographic terms.

Intrinsically Trusted Certificates in Windows 10

Symantec Broke the ‘Web of Trust’

When Symantec issued Organization Validated certificates for Google-owned websites which Google never authorized, Symantec broke the Web of Trust. A malicious entity could leverage such certificates to create a forged website that looks identical to a legitimate Google website, and our computers would never know the difference, because the certificate chains up to a Certificate Authority they already trust.

It will be interesting to see how the industry responds to the latest careless behavior by Symantec. Google and the other browser publishers might respond by warning users any time they visit a site with a certificate issued by Symantec, which would definitely hurt the organization’s business.

Please leave any questions, comments or corrections you might have!