Symantec purges employees after unauthorised use of Google SSL certificates

Symantec have fired several staff members after they created unauthorised and potentially malicious Google SSL certificates

Symantec employees sacked for issuing false Google SSL certificates
Symantec employees sacked for issuing false Google SSL certificates

Global cyber-security giant, Symantec, has dismissed several staff members after they were caught issuing fake Google SSL certificates.

The alert went up when members of Google's Certificate Transparency Project, an organisation which was founded when 500 false certificates were created by hackers in 2011, discovered a fake Google certificate.

The false Google certificates could have been used for multiple questionable practices including using them to imitate secure Google sites as well as “to intercept and decrypt passwords, login cookies, and other encrypted traffic to and from Google,” according to tech website, The Register.

Thawte, a subsidiary of Symantec, produced a number of security certificates for internal testing which, according to a blog post by Google, were “neither requested nor authorized by Google”.

Symantec said the rogue certificate was valid for only one day, and Google have stated it does not believe the certificates have been used in attacks.

In a statement to SCmagazineUK.com, Symantec said that the certificates “did not leave Symantec's secure testing labs, and did not affect the security or privacy of any user or organization”. The statement added that, “As a leading certificate authority, we hold ourselves to the highest standards and this type of testing was a violation of our own internal policies. We are putting even stronger safeguards in place to prevent an issue like this from occurring again.”

While the momentary problem has been contained, what might this mean for the future of Symantec, Google, or merely the process of policing false SSL certificates?

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, seemed nonplussed at the discovery when he spoke to SC. "Rogue SSL certificates in the wild? This is nothing new. Certificate Authorities (CAs) are constantly being bombarded to issue new certificates for bad guys looking to spoof websites and execute Man-in-the-Middle attacks."

Bocek added that while the certificates weren't being used for malicious means, “With the use of more encryption, organisations everywhere are going to be requesting more certificates so these rogue certs are going to get through.” Bocek also expressed concern for smaller organisations than Google and Symantec: “Larger CAs like Symantec and their CA brands probably have great fraud programmes and good teams, but how about the other 200 or more CAs that don't have the same level of security controls?”

Guy Bunker, senior vice president of products and a cyber-security expert at Clearswift, expressed more concern about the revelation when he spoke to SC: “This is another example of 'the enemy within' and highlights that even a business like Symantec which takes security incredibly seriously can fall foul of rogue insiders. Businesses must tread a very fine line between keeping an eye on what their staff are up to and not invading their privacy.”