
Symantec caught once again improperly issuing illegitimate HTTPS certificates

Symantec has once again been caught issuing faulty HTTPS certificates for "test" purposes. It's the second time in 16 months that the company's certification practices have come under fire.
By Joel Hruska

Roughly 16 months ago, Symantec was caught distributing improperly signed cryptographic certificates that could be used to break HTTPS protection and put users at risk. Now, the company has been caught once again doing something similar -- even though such activity is directly against the agreements it made when it was caught breaking things last time.

HTTPS is a secure communication protocol built on the internet's Hypertext Transfer Protocol (HTTP), with the connection encrypted via Transport Layer Security (TLS). The use of HTTPS for more than just web commerce has accelerated in recent years. But that security only holds if neither your system nor the web server you connect to has been compromised or modified to accept invalid certificates as if they were valid.

There's a chain of trust intrinsic to the software. The user trusts that his or her browser properly implements HTTPS. The certificate authorities (CAs) that issue certificates must be assumed to issue only valid ones, so that when a website sends over a valid HTTPS certificate, that certificate can be trusted. The certificate itself is then trusted to confirm that the website you are visiting matches the one named in the certificate. There are multiple places where this chain of trust can be broken in ways that leave the end user unable to trust that the seemingly valid HTTPS connection they've made is the one they intended to make.

According to security researcher Andrew Ayer, Symantec has issued 108 credentials in violation of strict industry guidelines that the organization agreed to abide by when it made this mistake back in 2015. Nine of the certificates were issued without the permission or knowledge of the affected domain owners, while the other 99 were issued to companies with obviously faked data, Ars Technica reports. Ayer writes: "I doubt there is an organization named 'test' located in 'test, Korea.'"

Figure: How SSL works, generally speaking.

This is an issue because even though the certificates were revoked, in most cases within an hour of being issued, browsers don't necessarily check whether a certificate has since been revoked before accepting it. There are also techniques that a malware author can use to block a browser from confirming a certificate's status. In that case, browsers may "fail open": if the certificate's status can't be checked against a revocation list or responder within a certain period of time, they allow data to be loaded from the illicit source rather than treating the server as hostile.
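To make the chain of trust and the "fail open" revocation behaviour described above concrete, here is an added Python model of a certificate validator. It is example code written for this page, not code from the article, from Symantec, Google or any browser. Certificates are plain dicts, CA signatures are simulated with HMAC so the script runs offline (a real CA uses an asymmetric key pair), and every name, serial number and key in it is constructed. It walks the chain leaf to root, checks the hostname, and then applies either a soft-fail or a hard-fail revocation policy, so you can see a revoked mis-issued certificate being accepted when the responder is unreachable under soft-fail.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed trust store: root CA name -> verification key. In this toy the
# verification key doubles as the signing key (HMAC stands in for a real
# signature); a real CA holds an asymmetric key pair and browsers ship only
# the public half.
ROOT_KEYS = {"Example Root CA": b"root-key-(constructed)"}
INTERMEDIATE_KEY = b"intermediate-key-(constructed)"
SIGNED_FIELDS = ("subject", "issuer", "serial", "is_ca", "not_before", "not_after", "key")

def _canonical(cert):
    """Deterministic byte encoding of the fields a CA signs."""
    return "|".join(f"{f}={cert.get(f)!r}" for f in SIGNED_FIELDS).encode()

def sign(fields, issuer_key):
    """Return a certificate dict carrying a simulated CA signature."""
    cert = dict(fields)
    cert["sig"] = hmac.new(issuer_key, _canonical(cert), hashlib.sha256).hexdigest()
    return cert

def _signature_ok(cert, issuer_key):
    expected = hmac.new(issuer_key, _canonical(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert.get("sig", ""), expected)

def hostname_matches(hostname, pattern):
    """RFC 6125-style name match: exact, or one leading '*' covering one label."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(host) > 2 and host[1:] == pat[1:]
    return host == pat

def verify_chain(chain, now, trusted=ROOT_KEYS):
    """Walk leaf -> intermediates; the last cert must be signed by a trusted root."""
    for i, cert in enumerate(chain):
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return False, f"{cert['subject']}: outside validity period"
        issuer = chain[i + 1] if i + 1 < len(chain) else None
        if issuer is not None:
            if not issuer.get("is_ca"):
                return False, f"{issuer['subject']}: not a CA, cannot issue"
            key = issuer.get("key") if cert["issuer"] == issuer["subject"] else None
        else:
            key = trusted.get(cert["issuer"])  # root lookup in the trust store
        if key is None or not _signature_ok(cert, key):
            return False, f"{cert['subject']}: signature does not chain to a trusted issuer"
    return True, "chain ok"

def check_revocation(cert, revoked_serials, responder_reachable, policy):
    """policy 'hard-fail' rejects when status is unknown; 'soft-fail' fails open."""
    if not responder_reachable:
        if policy == "hard-fail":
            return False, "revocation status unknown: rejected (hard-fail)"
        return True, "revocation status unknown: accepted (soft-fail, fails open)"
    if cert["serial"] in revoked_serials:
        return False, "certificate is revoked"
    return True, "not revoked"

def validate(hostname, chain, now, revoked_serials, responder_reachable, policy="soft-fail"):
    """Full check: chain, then name, then revocation. Returns (accepted, reason)."""
    ok, reason = verify_chain(chain, now)
    if not ok:
        return False, reason
    if not hostname_matches(hostname, chain[0]["subject"]):
        return False, f"hostname {hostname} does not match {chain[0]['subject']}"
    return check_revocation(chain[0], revoked_serials, responder_reachable, policy)

# Constructed scenario: a legitimate leaf and a mis-issued one for the same
# name, both correctly signed by the intermediate, the latter revoked an hour
# after issuance.
NOW = datetime(2017, 1, 20, tzinfo=timezone.utc)
YEAR = timedelta(days=365)
INTERMEDIATE = sign({"subject": "Example Intermediate CA", "issuer": "Example Root CA",
                     "serial": 1, "is_ca": True, "not_before": NOW - YEAR,
                     "not_after": NOW + 5 * YEAR, "key": INTERMEDIATE_KEY},
                    ROOT_KEYS["Example Root CA"])
LEGIT = sign({"subject": "www.example.com", "issuer": "Example Intermediate CA",
              "serial": 1001, "is_ca": False, "not_before": NOW - YEAR,
              "not_after": NOW + YEAR}, INTERMEDIATE_KEY)
MISISSUED = sign({"subject": "www.example.com", "issuer": "Example Intermediate CA",
                  "serial": 1002, "is_ca": False, "not_before": NOW - timedelta(hours=1),
                  "not_after": NOW + YEAR}, INTERMEDIATE_KEY)
REVOKED_SERIALS = {1002}

if __name__ == "__main__":
    for label, chain, reachable, policy in [
        ("legit, responder up, soft-fail", [LEGIT, INTERMEDIATE], True, "soft-fail"),
        ("mis-issued, responder up, soft-fail", [MISISSUED, INTERMEDIATE], True, "soft-fail"),
        ("mis-issued, responder blocked, soft-fail", [MISISSUED, INTERMEDIATE], False, "soft-fail"),
        ("mis-issued, responder blocked, hard-fail", [MISISSUED, INTERMEDIATE], False, "hard-fail"),
    ]:
        print(label, "->", validate("www.example.com", chain, NOW, REVOKED_SERIALS, reachable, policy))
```

The third scenario is the one the article worries about: the mis-issued certificate has a perfectly good signature from a real intermediate, so the chain and hostname checks pass, and under a soft-fail policy the only thing standing between the user and a revoked certificate is a responder that can be blocked. Swapping the policy to hard-fail, or pinning to an expected issuer, is the defensive change this model lets you test.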

Issues like this, and like the Superfish security scandal from several years ago, are part of why it's incredibly difficult to secure the internet. But Symantec has been called out before for exactly this kind of security breach, and it wound up firing multiple employees last time. In fact, that's the reason the company got caught at all -- after its 2015 screw-up, Google required Symantec to log every certificate it issued from its Certificate Authorities.

Symantec has published the following statement:

Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information.
