Google Slams Symantec for Issuing Fake Web Certificates, Demands Answers

Advertisement
By Manish Singh | Updated: 30 October 2015 19:29 IST

Google is demanding that Symantec must conduct an assessment to ensure it is still eligible to run a certificate authority. The search giant's scathing statement comes after the security firm was found to have issued a large number of fake digital certificates.

In mid-September, upon Google's notification, Symantec revealed that its Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for several domains including Google's and Opera's. A total of 23 certificates were issued without the domain owners' knowledge. At the time, Symantec said that these certificates were only created for testing purposes, and were accidentally issued. Google found these domains in its Certificate Transparency system logs.

Advertisement

Following this discovery, Google asked Symantec to conduct a full audit. Upon investigation, Symantec reported an additional 164 bogus certificates spanning 76 domains, and an additional 2,400 test certificates for unregistered domains. The practice of issuing certificates for unregistered domains has been prohibited since April 2014.

In September, the security firm also fired a number of its employees for errors in issuing certificates. The company had said that "employee error" caused cryptographic certificates to be issued online.

Advertisement

The fake certificates, according to Google, make it possible for attackers to impersonate its as well as many other's websites, potentially leading to data theft and other cybercrimes. "It's obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency," wrote Ryan Sleevi, Software Engineer at Google in a blog post on Wednesday.

"In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner," he added.

Advertisement

Symantec seems to be downplaying the threat of the fake certificates. "In September, we were alerted that a small number of test certificates for Symantec's internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains," it said in a statement.

"While there is no evidence that any harm was caused to any user or organisation, this type of product testing was not consistent with the policies and standards we are committed to uphold. We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted."

Advertisement

Google is not pleased, as you can imagine. The company wants Symantec to conduct a further investigation to find how it failed to meet the basic requirements. Symantec must comply with Google's demands if it wants to be trusted by Google for certificates. In addition it also requires Symantec, beginning June 1, 2016, to log all certificates with Google's Certificate Transparency mechanism.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Airtel Confirms Mobile Hotspot Restriction on the Unlimited 5G Data Offer
  2. Oppo K15 Launch Date Confirmed; Key Specifications Revealed Ahead of Debut
  3. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  4. iPhone 18 Pro Max Could Get a New Sony Sensor With Variable Aperture Tech
  5. Here's How Much the iQOO Z11 Lite Could Cost in India
  6. Airtel Revises Postpaid Portfolio, Removes Rs. 549 Individual Plan
  7. Lenovo Legion C700 Confirmed to Launch in August With 120Hz IPS Display
  1. Airtel Unlimited 5G Data Subscribers Cannot Share 5G Data via Mobile Hotspot, Company Confirms
  2. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  3. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  4. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  5. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  6. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  7. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
  8. iPhone 18 Pro Max Diagnostics Log Reportedly Reveals Variable Aperture Camera, Sony Sensor Upgrade
  9. Vivo X500 Ultra Leak Suggests Three 200-Megapixel Telephoto Sensors Under Testing
  10. iQOO Z11 Lite Price Range in India, Key Specifications Revealed Ahead of Official Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.