In this way, it has allowed HTTPS-enabled Google domains to be impersonated by the wrong parties.
It has now been revealed that Symantec has fired several of its staff members after it was discovered that they had issued unauthorized Google certificates that would allow potential attackers to impersonate legitimate pages protected by HTTPS.
Symantec, the digital security company, announced the unauthorized certificate issuance in a recent blog post.
According to the company, “We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing.” It also explained that all of the test Google certificates and the keys had always remained within the company’s control, and when the issue was identified, they were immediately revoked. “There was no direct impact to any of the domains and never any danger to the Internet.”
That said, they did terminate the employment of the people who misused the Google certificates in question.
The issue itself was identified by employees at Google, who had been monitoring Certificate Transparency, an open framework that the company operates in order to repair structural flaws in the SSL certificate system. Clearly, the system proved its worth in a new way in this situation, as Google was able to spot the unauthorized certificate activity nearly immediately.
Google then communicated the issue to Symantec, and the two companies worked together to make certain that the pre-certificate remained active and valid for only a single day at the start of 2015. The certificate has since been blocked by way of an update to the revocation metadata through Chrome. Moreover, there isn’t any reason to believe that this error put the security or privacy of Symantec’s website or product users at risk at any point.
Those responsible for the issue with the Google certificate are no longer employed by Symantec. That said, the company has now employed Dan Rogers as its new chief marketing officer. Rogers is the former CMO of Salesforce EMEA.