Symantec is an unbelievably bad certificate authority.
It looks an awful lot like Symantec never stopped using other people's domains for testing: https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg05455.html
For context, in 2015 Google caught Symantec issuing trusted SSL certs for other people's domains for testing, without authorization.
This is a HUGE no-no. There are very specific rules certificate authorities must follow to verify that a certificate request is authorized.
Even if the certs were only for testing, if a system allows employees to bypass authorization, it will allow attackers to bypass it too.
Google responded by requiring all new Symantec certificates be publicly logged to Certificate Transparency.
Symantec made a big show of firing the people supposedly responsible. Called it leadership.
But they still look like the same old Symantec to me, up to their usual tricks!
Symantec is, BTW, the same CA which keeps needing "exceptions" so they can issue SHA-1 certificates and do other legacy forbidden things.
Reminder: Symantec, GeoTrust, Thawte, RapidSSL are all the same. Some Symantec certs say Verisign because they bought Verisign's CA biz.
If you own a domain, you might be able to set up a CAA record that excludes Symantec: https://sslmate.com/labs/caa
Even better, monitor #CertificateTransparency so you know if a cert is misissued for one of your domains. CT is how I found these certs.
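A worked example added to this page, not code from the thread's author or from sslmate, tying the two suggestions above together: it evaluates CAA records the way RFC 6844/8659 tells a CA to (climb from the name to the closest ancestor that has a CAA RRset, honour issue/issuewild, refuse on an unknown critical property), then audits a constructed batch of CT log entries against that policy and flags every certificate for a watched domain whose issuer the CAA policy does not authorize. The zone contents, the CA identifiers and the log entries are all invented for the example; none of the CA identifiers is a real CA's.

```python
"""Added example: CAA policy evaluation plus a CT-entry audit against it.

Not code from the original thread or from sslmate. The zone, the CA
identifiers and the log entries are constructed for illustration; there is
no DNS or network access.
"""
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int  # 128 = issuer-critical (RFC 6844 section 5.1)
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str


# Constructed zone (assumption, not a real DNS zone): only ca.example.net may
# issue for example.com and below, nobody may issue wildcards, and one legacy
# subdomain carries its own, separate policy.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net; account=1234"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        CAARecord(0, "issue", "other-ca.example.org"),
    ],
}


def relevant_rrset(name, zone):
    """Closest CAA RRset at or above name; [] when none exists up the tree."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_in_value(value):
    """CA domain from an issue/issuewild value; '' (bare ';') means nobody."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name, ca_domain, zone):
    """Would a CAA-compliant CA identified by ca_domain issue for name?"""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance unrestricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False  # critical property the CA does not understand
    tags = ("issue",)
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tags = ("issuewild",)  # issuewild overrides issue for wildcards
    relevant = [r for r in rrset if r.tag in tags]
    if not relevant:
        return True  # RRset restricts nothing (for instance, iodef only)
    return ca_domain.lower() in {ca_in_value(r.value) for r in relevant}


def audit(entries, zone, watched):
    """Constructed CT entries look like {'issuer': CAA id, 'names': [SANs]}.
    Returns (entry index, name) for each name at or below a watched domain
    whose issuer the CAA policy does not authorize."""
    alerts = []
    for idx, entry in enumerate(entries):
        for san in entry["names"]:
            base = (san[2:] if san.startswith("*.") else san).lower()
            if not any(base == w or base.endswith("." + w) for w in watched):
                continue  # somebody else's domain, not our concern
            if not issuance_allowed(san, entry["issuer"], zone):
                alerts.append((idx, san))
    return alerts


# Constructed log entries (assumption): issuer strings are invented CAA ids.
ENTRIES = [
    {"issuer": "ca.example.net", "names": ["www.example.com", "example.com"]},
    {"issuer": "test-ca.example.org", "names": ["www.example.com"]},
    {"issuer": "ca.example.net", "names": ["*.example.com"]},
    {"issuer": "other-ca.example.org", "names": ["app.legacy.example.com"]},
    {"issuer": "test-ca.example.org", "names": ["unrelated.example.org"]},
]

if __name__ == "__main__":
    for idx, san in audit(ENTRIES, ZONE, ["example.com"]):
        print(f"entry {idx}: {san} issued by {ENTRIES[idx]['issuer']} "
              "violates the CAA policy")
```

Against the constructed data the audit flags entry 1 (an unlisted CA issued for www.example.com) and entry 2 (a wildcard, which the bare `issuewild ";"` forbids even for the authorized CA), while the legacy subdomain's own RRset permits entry 3 and the unrelated domain in entry 4 is ignored. Note that CAA is only consulted by CAs at issuance time and is enforced by the CA itself, which is exactly why the thread pairs it with CT monitoring: the second check is what catches a CA that skipped the first.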