Symantec is an unbelievably bad certificate authority.
This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized.
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency.
Symantec made a big show of firing the people supposedly responsible. Called it leadership.
But they still look like the same old Symantec to me, up to their usual tricks!
Symantec is, BTW, the same CA which keeps needing "exceptions" so they can issue SHA-1 certificates and do other legacy forbidden things.
Reminder: Symantec, GeoTrust, Thawte, RapidSSL are all the same. Some Symantec certs say Verisign because they bought Verisign's CA biz.
If you own a domain, you might be able to set up a CAA record that excludes Symantec: https://sslmate.com/labs/caa
Even better, monitor #CertificateTransparency so you know if a cert is misissued for one of your domains. CT is how I found these certs.
Cert Spotter (made by me) https://sslmate.com/certspotter/ and https://crt.sh are tools you can use to monitor #CertificateTransparency logs.
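To illustrate the CAA advice in the thread, here is an added example (not code from the thread or from sslmate) of the RFC 6844 issuance check a CA is expected to perform: climb from the requested name toward the root, take the first CAA RRset found, and permit issuance only to a CA whose identifier appears in an issue property (or an issuewild property for wildcard names). The zone data and the CA identifiers ending in .example are constructed for the example.

```python
"""Minimal CAA issuance check following RFC 6844 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


# Constructed zone data standing in for a DNS lookup; a real check
# would query a resolver (and validate DNSSEC where available).
ZONE = {
    "example.com": [CaaRecord(0, "issue", "trusted-ca.example"),
                    CaaRecord(0, "iodef", "mailto:security@example.com")],
    "locked.example": [CaaRecord(0, "issue", ";")],  # ";" forbids every CA
    "wild.example": [CaaRecord(0, "issue", "other-ca.example"),
                     CaaRecord(0, "issuewild", "trusted-ca.example")],
}


def relevant_rrset(domain):
    """Climb toward the root; the first name with any CAA records wins."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: CAA imposes no restriction


def ca_matches(value, ca_id):
    """The CA identifier is the part before ';' (parameters follow it)."""
    return value.split(";")[0].strip().lower() == ca_id.lower()


def may_issue(fqdn, ca_id):
    """Return True if a CA identified by ca_id is allowed to issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard requests
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # records exist but none restrict this kind of issuance
    return any(ca_matches(r.value, ca_id) for r in props)
```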
New conversation
I'm very interested to hear from Symantec how this has happened. This + 2015 event indicates they may not have proper systems in place.