Thursday, 29 October 2015

Google demands Symantec grovel over security certificate fiasco or risk the consequences


Google has fired warning shots at Symantec, threatening that Chrome would start to flag the company's security certificates as unsafe. The threat comes in a blog post penned by Google software engineer Ryan Sleevi who is still seething after Symantec employees issued a number of unauthorized security certificates.

Some of the certificates were owned by Google -- including Google.com -- and a Symantec-led audit suggested that the problem affected just 23 test certificates. But further probes revealed that there were in fact more than 2,500 certificates involved. Google is understandably fuming and is now holding Symantec to ransom.

Citing concerns that Symantec was initially unable to determine the scale of the problem, Google has issued an ultimatum. First, Symantec is being asked to perform a postmortem and find out why its initial audit failed to detect the certificates that Google later unearthed. Google also wants Symantec to expand its report on the incident to include "details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure".

Failure to meet Google's demands will have dire consequences, as Sleevi explains:

It's obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner.

After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.
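Sleevi's point is that Certificate Transparency turns mis-issuance into something a domain owner can detect from the outside: every logged certificate is public, so a monitor can flag a certificate that names your domain but came from a CA you never used, or covers a host you never requested. The script below is an added illustration of that monitoring logic and is not code from the article, from Google, or from Symantec. It runs over constructed log records (a real monitor would fetch entries from a CT log and parse the X.509 leaf); the zone, issuer and host names in it are assumptions.

```python
"""Minimal Certificate Transparency monitor over constructed log records.

Given the CAs a domain owner actually uses and the host names it has
deliberately requested certificates for, scan log entries and alert on
certificates that (a) name one of our zones but were issued by another CA,
or (b) name a host we have no record of, wildcards included.
"""
from typing import Dict, List, Set

# Constructed CT log records for this example. Each stands in for a logged
# (pre)certificate: who issued it, which names it covers, and when.
CONSTRUCTED_LOG: List[dict] = [
    {"index": 1001, "issuer": "Example Internal CA",
     "not_before": "2015-09-01T00:00:00Z", "sans": ["www.example.com"]},
    {"index": 1002, "issuer": "Example Internal CA",
     "not_before": "2015-09-03T00:00:00Z", "sans": ["lab.example.com"]},
    {"index": 1003, "issuer": "Some Other CA",
     "not_before": "2015-09-10T00:00:00Z",
     "sans": ["example.com", "www.example.com"]},
    {"index": 1004, "issuer": "Some Other CA",
     "not_before": "2015-09-11T00:00:00Z", "sans": ["unrelated.test"]},
    {"index": 1005, "issuer": "Example Internal CA",
     "not_before": "2015-09-12T00:00:00Z", "sans": ["*.example.com"]},
]

# Assumed monitoring policy: for each zone we own, the CAs we use and the
# exact host names (or wildcards) we knowingly obtained certificates for.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "example.com": {
        "issuers": {"Example Internal CA"},
        "hosts": {"example.com", "www.example.com", "mail.example.com"},
    },
}


def normalize(name: str) -> str:
    """Canonical form for comparing DNS names: lowercase, no trailing dot."""
    return name.strip().rstrip(".").lower()


def name_in_zone(name: str, zone: str) -> bool:
    """True if a SAN (possibly a wildcard) falls inside a monitored zone.

    Matching is label-based: 'notexample.com' is NOT inside 'example.com',
    and 'example.com.evil.test' is not either.
    """
    name, zone = normalize(name), normalize(zone)
    if name.startswith("*."):
        name = name[2:]  # a wildcard covers the zone it hangs under
    return name == zone or name.endswith("." + zone)


def scan_log(entries: List[dict], policy: Dict[str, Dict[str, Set[str]]]) -> List[dict]:
    """Return one alert per finding; entries outside our zones are ignored."""
    alerts: List[dict] = []
    for entry in entries:
        for zone, rules in policy.items():
            hits = [s for s in entry["sans"] if name_in_zone(s, zone)]
            if not hits:
                continue
            # (a) certificate for our zone from a CA we do not use
            if entry["issuer"] not in rules["issuers"]:
                alerts.append({"index": entry["index"], "zone": zone,
                               "reason": "unexpected_issuer",
                               "detail": entry["issuer"]})
            # (b) names we never asked for, including wildcards
            for san in hits:
                if normalize(san) not in rules["hosts"]:
                    alerts.append({"index": entry["index"], "zone": zone,
                                   "reason": "unknown_host",
                                   "detail": normalize(san)})
    return alerts


def count_by_reason(alerts: List[dict]) -> Dict[str, int]:
    """Small summary helper for dashboards or tests."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["reason"]] = counts.get(alert["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan_log(CONSTRUCTED_LOG, POLICY):
        print(f"log #{alert['index']}: {alert['reason']} ({alert['detail']})")
```

On the constructed data the monitor ignores the unrelated certificate, accepts the expected one, and raises three alerts: a test-style host nobody asked for, a certificate for the zone from a CA the owner does not use, and a wildcard that would cover every name under the zone. Those are exactly the kinds of entries that a CA's own audit can miss but that become visible once issuance is logged.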

Google's shopping list of demands also states that Symantec needs to provide details about the corrective measures that have been taken to rectify each of the identified failures, and reveal the root cause of each failure. A third-party audit of Symantec's security is then requested to ensure full compliance with certification standards.

Symantec has responded by saying:

In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains. While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold. We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted. To prevent this type of testing from occurring in the future, we have already put additional tool, policy and process safeguards in place, and announced plans to begin Certificate Transparency logging of all certificates. We have also engaged an independent third-party to evaluate our approach, in addition to expanding the scope of our annual audit.

The warnings issued by Google are stark; Symantec simply cannot afford to ignore them. The company is going to have to eat some humble pie and publicly admit to every one of its failings to placate the search giant.

Photo credit: Fabio Alcini / Shutterstock
