Symantec is an unbelievably bad certificate authority.
-
-
For context, in 2015 Google caught Symantec issuing trusted SSL certs for other people's domains for testing, without authorization.
-
This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized.
-
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
-
Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency.
-
Symantec made a big show of firing the people supposedly responsible. Called it leadership.
-
But they still look like the same old Symantec to me, up to their usual tricks!
-
Symantec is, BTW, the same CA which keeps needing "exceptions" so they can issue SHA-1 certificates and do other legacy forbidden things.
-
Reminder: Symantec, GeoTrust, Thawte, RapidSSL are all the same. Some Symantec certs say Verisign because they bought Verisign's CA biz.
-
If you own a domain, you might be able to set up a CAA record that excludes Symantec: https://sslmate.com/labs/caa
-
Even better, monitor #CertificateTransparency so you know if a cert is misissued for one of your domains. CT is how I found these certs.
-
Cert Spotter (made by me) https://sslmate.com/certspotter/ and https://crt.sh are tools you can use to monitor #CertificateTransparency logs
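Added example, not code from the thread or its author: the CAA check a CA is supposed to perform (RFC 8659, which replaced RFC 6844) evaluated against a constructed zone. CAA is an allowlist, so "excluding" Symantec means listing only the CAs you actually use; the zone data below is made up, `letsencrypt.org` is the CAA domain Let's Encrypt publishes, and `symantec.com` is used here only as a stand-in for a CA that is not on your list, not as a claim about which identifier Symantec recognises. It also covers the edge cases a practitioner trips over: tree climbing to the nearest record set, `issuewild` overriding `issue` for wildcard names, `;` meaning nobody, a record set with no restricting tags, and an unknown tag with the critical flag.

```python
"""CAA evaluation per RFC 8659 against a constructed zone (added example)."""
from typing import Dict, List, Tuple

CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data, not real DNS: name -> list of (flags, tag, value).
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),   # only this CA may issue non-wildcard certs
        (0, "issuewild", ";"),             # ";" = no CA may issue wildcard certs
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],   # nobody may issue below here
    "open.example.com": [(0, "iodef", "mailto:security@example.com")],  # no restriction
    "strict.example.com": [
        (CRITICAL, "futuretag", "x"),             # unknown tag marked critical
        (0, "issue", "letsencrypt.org"),
    ],
}


def relevant_record_set(fqdn: str) -> List[Tuple[int, str, str]]:
    """Climb from fqdn toward the root; the first non-empty CAA set is the relevant one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' or '' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn: str, ca_domain: str) -> bool:
    """True if a CA identified by ca_domain is permitted to issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn      # wildcard names are checked at the parent
    records = relevant_record_set(name)

    # An unrecognised tag with the critical flag set means the CA must refuse outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False

    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # issuewild overrides issue for wildcard names; otherwise issue alone applies.
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True   # no restricting property present: CAA does not constrain issuance
    return ca_domain.lower() in {issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    for fqdn, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "symantec.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("api.locked.example.com", "letsencrypt.org"),
                     ("host.open.example.com", "symantec.com"),
                     ("strict.example.com", "letsencrypt.org")]:
        print(f"{ca:16} -> {fqdn:26} {'allowed' if ca_may_issue(fqdn, ca) else 'DENIED'}")
```

Two things the walk-through makes visible: a subdomain with its own record set (`locked.example.com`) stops the climb, so the parent's allowlist does not apply there, and a zone that publishes only `iodef` restricts nothing at all, which is the common mistake when people think they have "set up CAA".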