It looks an awful lot like Symantec never stopped using other people's domains for testing: https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html
For context, in 2015 Google caught Symantec issuing trusted SSL certs for other people's domains for testing, without authorization.
This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized.
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency.
Symantec made a big show of firing the people supposedly responsible. Called it leadership.
But they still look like the same old Symantec to me, up to their usual tricks!
Symantec is, BTW, the same CA which keeps needing "exceptions" so they can issue SHA-1 certificates and do other legacy forbidden things.
Reminder: Symantec, GeoTrust, Thawte, RapidSSL are all the same. Some Symantec certs say Verisign because they bought Verisign's CA biz.
If you own a domain, you might be able to set up a CAA record that excludes Symantec: https://sslmate.com/labs/caa
Even better, monitor #CertificateTransparency so you know if a cert is misissued for one of your domains. CT is how I found these certs.
Cert Spotter (made by me) https://sslmate.com/certspotter/ and https://crt.sh are tools you can use to monitor #CertificateTransparency logs.
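An added example, not the author's or sslmate's code, of the two defensive measures the thread recommends: it evaluates CAA records the way RFC 8659 describes (closest ancestor record set, `issuewild` overriding `issue` for wildcard names, a bare `;` meaning no CA may issue) and flags CT-observed certificates whose issuer those records do not authorize. The zone data, the CA identifiers and the CT entries are constructed placeholders, and the mapping from a crt.sh issuer DN to the CA's CAA identifier is assumed to have been done beforehand.

```python
# Added example (not from the thread, not sslmate's code): evaluate RFC 8659 CAA records
# and use them to triage certificates observed in Certificate Transparency.

# Constructed zone data: DNS name -> CAA records as (tag, value). "ca-we-use.example" and
# "other-ca.example" are placeholder CA identifiers, not real CAA issuer domains.
CONSTRUCTED_CAA = {
    "example.com": [("issue", "ca-we-use.example"), ("issuewild", ";")],
    "legacy.example.com": [("issue", "other-ca.example")],
}

# Constructed CT observations. crt.sh reports an issuer DN; mapping it to the CA's CAA
# identifier is assumed to have been done already (the issuer_caa_id field).
CONSTRUCTED_CT_ENTRIES = [
    {"name_value": "www.example.com", "issuer_caa_id": "ca-we-use.example"},
    {"name_value": "*.example.com", "issuer_caa_id": "ca-we-use.example"},
    {"name_value": "legacy.example.com", "issuer_caa_id": "other-ca.example"},
    {"name_value": "test.example.com", "issuer_caa_id": "unexpected-ca.example"},
]

def relevant_caa(name, zone):
    """RFC 8659 s3: the relevant RRset is the closest ancestor-or-self with CAA records."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree: no restriction

def issuance_allowed(name, issuer_caa_id, zone):
    """Would a CA identified by issuer_caa_id be permitted to issue for name?"""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    values = [v for t, v in rrset if t == tag]
    if not values:
        return True  # no applicable property: CAA does not restrict issuance
    # A value may carry parameters after ';' ("ca.example; account=1"); a bare ';' forbids all CAs.
    permitted = {v.split(";", 1)[0].strip() for v in values}
    return issuer_caa_id in permitted

def zone_file_lines(zone):
    # Render the records in zone-file presentation syntax (flag 0 = non-critical).
    return [f'{n}. IN CAA 0 {t} "{v}"' for n, rrs in zone.items() for t, v in rrs]

def unexpected_certs(entries, zone):
    """Names whose observed issuer is not authorized by CAA: a prompt to investigate."""
    return [e["name_value"] for e in entries
            if not issuance_allowed(e["name_value"], e["issuer_caa_id"], zone)]
```

CAA is checked by the CA only at issuance time, so a mismatch on an already-issued certificate is a reason to investigate (the records may have changed since), not proof of misissuance.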
Can you share an example of what they have done, or not done?
Case ID 413-850-724. Hilarious, although not at the time. Life lesson: never work with or trust Symantec with anything. Ever.
@munin Symantec is unbelievably bad - FTFY