Technoglitch
Core Member
"Therefore, we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner."
If Symantec wants its certificates recognized by the Chrome web browser, Google has said the firm must update the original report with all the details and an explanation of what went wrong. This Symantec has now done (you can read it here), but the biz has more hoops to jump through if it wants Chrome to accept its certificates going forward.
Symantec will also need to give Google a detailed timeline for the process behind the creation of each certificate and a list of things it will do to make sure it doesn't happen again. Since this involves confidential information, Google won't be making that information public.
In addition, Symantec must hire a third-party security auditor to conduct a full audit and check that private keys have not been exposed and that auditing software works as specified. In addition, the auditors will ensure that Symantec is compliant in the following areas:
- WebTrust Principles and Criteria for Certification Authorities
- WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security [PDF]
- WebTrust Principles and Criteria for Certification Authorities – Extended Validation [PDF]
This will encourage web developers to avoid using Symantec-issued SSL certs for their HTTPS-encrypted websites, and similar services, dealing a damaging blow to Symantec.
Fuming Google tears Symantec a new one over rogue SSL certs • The Register