::Trend Micro Threat Resource Center::

25 September 2015

Symantec Sacks Staff After Issuing Unauthorized Google Certs

Symantec has been forced to sack several employees after Google spotted that the firm’s CA subsidiary Thawte issued unauthorized certificates last week for several domains. The certificates made it possible to impersonate HTTPS-enabled Google domains.

The Extended Validation (EV) pre-certificate for the domains google.com and www.google.com was issued as part of a Symantec internal testing process, Google claimed in a blog post.

The web giant added:

“This pre-certificate was neither requested nor authorized by Google. We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.”
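The detection route Google describes, watching Certificate Transparency logs for any certificate (or pre-certificate) naming your domains that was not issued by a CA you authorized, can be reduced to a small monitoring loop. The following is an added example and is not code from the article, from Google or from Symantec: it assumes a per-domain allow-list of issuers (`AUTHORIZED_ISSUERS`), and every log entry it processes is constructed sample data; the real Google- and DigiCert-operated logs are fetched over HTTP per RFC 6962, which this offline example does not do.

```python
"""Toy Certificate Transparency (CT) monitor (added example, not from the article).

Walks a list of CT log entries and flags (pre-)certificates that cover a
monitored domain but were issued by a CA the domain owner never authorized.
All entries in SAMPLE_ENTRIES are constructed; no log is contacted.
"""
from dataclasses import dataclass
from datetime import datetime

# Domains we own, mapped to the issuers we have actually authorized.
# ASSUMPTION: issuer names are placeholders for this example.
AUTHORIZED_ISSUERS = {
    "google.com": {"Authorized CA (constructed)"},
    "www.google.com": {"Authorized CA (constructed)"},
}


@dataclass
class LogEntry:
    log: str            # which CT log recorded the entry
    entry_type: str     # "precert" (poisoned pre-certificate) or "x509"
    issuer: str         # issuer CN taken from the (pre)certificate
    names: tuple        # subject CN plus SubjectAltName DNS entries
    not_before: datetime
    not_after: datetime
    ev: bool            # Extended Validation policy OID present


def matches_monitored(name, monitored):
    """Return the monitored domains a SAN covers.

    A wildcard '*.example.com' covers exactly one extra label and does not
    cover the apex 'example.com'; everything else is an exact match.
    """
    if name.startswith("*."):
        suffix = name[2:]
        return [d for d in monitored
                if d.endswith("." + suffix) and "." not in d[: -len(suffix) - 1]]
    return [d for d in monitored if d == name]


def find_unauthorized(entries, authorized=AUTHORIZED_ISSUERS):
    """One alert per log entry whose issuer is not allow-listed for a covered domain."""
    alerts = []
    for e in entries:
        affected = set()
        for name in e.names:
            for domain in matches_monitored(name, authorized):
                if e.issuer not in authorized[domain]:
                    affected.add(domain)
        if affected:
            alerts.append({
                "log": e.log,
                "entry_type": e.entry_type,
                "issuer": e.issuer,
                "affected": sorted(affected),
                "ev": e.ev,
                "validity_days": (e.not_after - e.not_before).days,
            })
    return alerts


# Constructed sample log entries (dates, log names and issuers are made up).
SAMPLE_ENTRIES = [
    # An EV pre-certificate for our domains from a CA we never authorized,
    # valid for a single day: this is the kind of entry that should page someone.
    LogEntry("constructed-log-a", "precert", "Test CA (constructed)",
             ("google.com", "www.google.com"),
             datetime(2015, 9, 14), datetime(2015, 9, 15), ev=True),
    # A normal certificate from the authorized issuer: no alert.
    LogEntry("constructed-log-b", "x509", "Authorized CA (constructed)",
             ("google.com", "www.google.com"),
             datetime(2015, 9, 1), datetime(2016, 9, 1), ev=False),
    # A wildcard from another unauthorized CA: covers www.google.com but not the apex.
    LogEntry("constructed-log-a", "precert", "Other CA (constructed)",
             ("*.google.com",),
             datetime(2015, 9, 20), datetime(2015, 12, 20), ev=False),
    # Someone else's domain: ignored entirely.
    LogEntry("constructed-log-b", "x509", "Other CA (constructed)",
             ("example.net",),
             datetime(2015, 9, 20), datetime(2016, 9, 20), ev=False),
]


def run_sample():
    """Run the monitor over the constructed entries and return its alerts."""
    return find_unauthorized(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two design points matter in practice: pre-certificates are logged before the final certificate exists, so a monitor must treat a `precert` entry as seriously as an `x509` one (the article's mis-issuance was discovered exactly this way), and a short validity window does not make an entry benign, so the alert records it rather than filtering on it.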

Symantec revealed in its own blog post on the matter that the “small number” of unauthorized certificates it issued actually linked back to three domains.

It argued that these test certs were “always within our control” and that they were immediately revoked as soon as the issue was discovered.

The security giant added:

“While our processes and approach are based on the industry best practices that we helped create, we have immediately put in place additional processes and technical controls to eliminate the possibility of human error. We will continue to relentlessly evolve these best practices to ensure something like this does not happen again.”

Symantec also revealed that it had “terminated” a few employees after they failed to follow its own internal best practices around issuing certificates.

“Because you rely on us to protect the digital world, we hold ourselves to a ‘no compromise’ bar for such breaches. As a result, it was the only call we could make,” it said.

Google said it has updated Chrome to recognize the “mis-issued” certificate – which was only valid for a day anyway.

In April this year Google took the unprecedented step of ceasing to recognize the CAs of China’s .cn operator, the government-run CNNIC.

It emerged that a CNNIC-approved intermediate certificate authority, Egyptian firm MCS Holdings, had issued unauthorized digital certificates for some Google domains inside its test network.