Fake SSL Certificates Issued by CA

Wednesday, September 23, 2015 @ 12:09 PM gHale

Google engineers found rogue SSL certificates that Symantec had issued in Google’s name, and as a result the security vendor let go of three workers.

SSL certificates are a vital technology through which browsers and Web service providers create a secure and authorized channel of communication.

They are commonly used to secure communications between users and just about any recipient that wants those communications protected.

A Certificate Authority (CA) is responsible for issuing these certificates. There are numerous CAs around the world, all of which browser makers trust to issue certificates only to authorized and trustworthy clients. One of those CAs is Symantec.

On September 18, Google’s engineers working on Certificate Transparency, a project that double-checks for rogue SSL certificates used in the wild, found a series of fake Google.com SSL certificates issued by Symantec. DigiCert technicians also found the certificates in their logs.

In addition, the certificates had an “extended validation” label, which means Symantec, in theory, carried out extra checks on the client that requested the certificates to validate its real identity, according to a Boing Boing post.

Google blacklisted the certificates in question. Since they were only out there for a day, Google and Symantec don’t believe they were used in any attacks.

If hackers had had more time, they could have used the certificates in man-in-the-middle attacks, which could allow the bad guys to intercept secure communications between users and Google-operated services, like Gmail, Google+, and YouTube.

In 2011, Dutch CA DigiNotar suffered a hack and attackers issued hundreds of fake certificates.

According to Symantec’s statement, these certificates were issued for tests inside the company and were immediately revoked when Google notified it of the leak.

“We discovered that a few outstanding employees […] failed to follow our policies,” said Quentin Kiu of Symantec. “Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process. […] As much as we hate to lose valuable colleagues, we are the industry leader in online safety and security.”