This is an archive article published on October 31, 2015

Google raps Symantec over ‘fake web security certificate’ fiasco

Google has now issued a warning to security firm Symantec, saying that the company needs to come clean on the whole fiasco of fake web security certificates

Google has told Symantec to comply with the transparency guidelines on issuing web security certificates to websites.

After Symantec reported that it had issued fake security certificates for websites, including Google, without their knowledge, the search giant has now issued a warning to the security firm, saying that it needs to come clean on the whole fiasco.

In a blogpost published by the Google Security team, the company says that after June 1, 2016, any certificate issued by Symantec itself will be required to support Certificate Transparency guidelines as laid down by Google.

Google’s blog post adds, “After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products.”


While Symantec has issued a report and revealed that “23 test certificates had been issued without the domain owner’s knowledge covering five organisations, including Google and Opera,” Google is not convinced. The search giant says it has found “more questionable certificates” being issued by Symantec. Read Symantec’s full report on the issue here.


An October report by Symantec had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered. Google says that their analysis shows that Symantec had no clue about these “additional certificates.”

Google has also specifically told Symantec that it has to provide a detailed list of the steps it is taking to fix this issue and a timeline for the fix. The Google blogpost adds that the company expects Symantec to go in for a “Point-in-time Readiness Assessment and a third-party security audit”.

In September, ArsTechnica had reported that Symantec had “fired employees for issuing unauthorised cryptographic certificates that made it possible to impersonate HTTPS-protected Google webpages.”


Symantec had written in a blogpost trying to explain the error, “All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue.” The blogpost claimed that there was no “direct impact to any of the domains.”

The problem with these fake certificates was that cyber criminals could have easily impersonated perfectly real and legal domains, resulting in data theft, phishing, etc.
