Some time back, Symantec revealed it had issued fake security certificates for numerous web domains, including Google's. An unhappy Google wants Symantec to disclose all certificates issued by its SSL business going forward, after what Google considers a botched investigation into how Symantec employees issued SSL certificates for domain names that the company did not own.
Google is also asking Symantec to explain the reason for not catching some of the fake certificates, the causes behind each slip-up, and the other things that were done wrong. It is asking for a detailed report of how the incident was investigated.
Symantec acquired Verisign’s authentication business unit in 2010, after which it became one of the largest certificate authorities (CAs) in the world. Such organizations are trusted by browsers and operating systems to issue digital certificates to domain owners, which are then used to encrypt online communications. It was in September that Google realized that Symantec had issued a pre-certificate for google.com without its knowledge. The certificate was an Extended Validation (EV) certificate, which shocked Google even more.
Google also wants Symantec to report all the certificates it issues, not just the EV ones, to the Certificate Transparency (CT) log in the future.
“While there is no evidence that any harm was caused to any user or organization, this type of product testing was not consistent with the policies and standards we are committed to uphold,” a Symantec representative said in an emailed statement Thursday. “We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted.”
Symantec’s representative said it has put in place additional tools, policies and procedures to avoid such events happening again in future and has engaged a third party to evaluate their effectiveness. However, Google is not ready to take its word. It wants the company to undergo a third-party security audit in order to verify its claims.