
Improved Digital Certificate Security - oxplot
http://googleonlinesecurity.blogspot.com/2015/09/improved-digital-certificate-security.html
======
dguido
Symantec fired everyone responsible, damn:

[http://www.symantec.com/connect/blogs/tough-day-leaders](http://www.symantec.com/connect/blogs/tough-day-leaders)

~~~
deftnerd
Ouch. Sure they screwed up, but this has to be really rough for them.

If any of you guys read this, send me a message. I'm not in a position to hire
anyone, but I'm working out the details of a non-profit service that could use
your expertise or advice.

~~~
MichaelGG
I wonder what kind of CA-related worker would think "yeah, google.com is a
good test domain". You have to be really not paying attention to think that
makes any kind of sense.

And what kind of CA doesn't blacklist high-value domains like Google, PayPal,
etc. so that they don't get screwed over in this manner?

------
lwf
tl;dr: Thawte (owned by Symantec) issued a "pre-certificate" for an EV
certificate for google.com and www.google.com without consulting Google.

Google noticed this when it showed up in Certificate Transparency logs, and
Symantec asserted it was created during internal testing of their systems.

For anybody else who didn't know what a "pre-certificate" was,
[https://tools.ietf.org/html/rfc6962#section-3.1](https://tools.ietf.org/html/rfc6962#section-3.1):

       Anyone can submit a certificate to any log.  In order to enable
       attribution of each logged certificate to its issuer, the log SHALL
       publish a list of acceptable root certificates (this list might
       usefully be the union of root certificates trusted by major browser
       vendors).  Each submitted certificate MUST be accompanied by all
       additional certificates required to verify the certificate chain up
       to an accepted root certificate.  The root certificate itself MAY be
       omitted from the chain submitted to the log server.
    
       Alternatively, (root as well as intermediate) certificate authorities
       may submit a certificate to logs prior to issuance.  To do so, the CA
       submits a Precertificate that the log can use to create an entry that
       will be valid against the issued certificate.
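
The log entry format behind the RFC excerpt above, as an added example that is not part of the original thread: a parser for the RFC 6962 `MerkleTreeLeaf` structure that tells a Precertificate entry from an ordinary certificate entry, which is the distinction a log monitor sees. The sample leaf is constructed, and its TBSCertificate bytes are a placeholder rather than real DER.

```python
import hashlib
import struct

X509_ENTRY, PRECERT_ENTRY = 0, 1  # LogEntryType values, RFC 6962 section 3.1


def read_vector(buf: bytes, pos: int, len_bytes: int):
    """Read a TLS-style opaque vector with a big-endian length prefix."""
    start = pos + len_bytes
    if start > len(buf):
        raise ValueError("truncated length prefix")
    end = start + int.from_bytes(buf[pos:start], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[start:end], end


def parse_merkle_tree_leaf(leaf: bytes) -> dict:
    """Parse a v1 MerkleTreeLeaf (the leaf_input a log returns from get-entries)."""
    if len(leaf) < 12:
        raise ValueError("leaf too short")
    # version(1) | leaf_type(1) | timestamp(8, ms since epoch) | entry_type(2)
    version, leaf_type, timestamp_ms, entry_type = struct.unpack_from(">BBQH", leaf)
    if version != 0 or leaf_type != 0:
        raise ValueError("not a v1 timestamped_entry leaf")
    if entry_type not in (X509_ENTRY, PRECERT_ENTRY):
        raise ValueError("unknown entry type")
    pos, issuer_key_hash = 12, None
    if entry_type == PRECERT_ENTRY:
        # PreCert carries SHA-256 of the issuer's public key, then the TBSCertificate
        issuer_key_hash = leaf[pos:pos + 32]
        if len(issuer_key_hash) != 32:
            raise ValueError("truncated issuer_key_hash")
        pos += 32
    der, pos = read_vector(leaf, pos, 3)         # ASN.1Cert or TBSCertificate
    extensions, pos = read_vector(leaf, pos, 2)  # CtExtensions
    if pos != len(leaf):
        raise ValueError("trailing bytes after leaf")
    return {"is_precert": entry_type == PRECERT_ENTRY, "timestamp_ms": timestamp_ms,
            "issuer_key_hash": issuer_key_hash, "der": der, "extensions": extensions,
            "leaf_hash": hashlib.sha256(b"\x00" + leaf).digest()}  # Merkle leaf hash


# Constructed sample: the TBSCertificate bytes are a placeholder, not a real certificate.
SAMPLE_TBS = b"\x30\x03\x02\x01\x02"
SAMPLE_LEAF = (struct.pack(">BBQH", 0, 0, 1442000000000, PRECERT_ENTRY) + b"\xaa" * 32
               + len(SAMPLE_TBS).to_bytes(3, "big") + SAMPLE_TBS + b"\x00\x00")

if __name__ == "__main__":
    print(parse_merkle_tree_leaf(SAMPLE_LEAF))
```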

------
nailer
I know HN likes to use official titles, but the title here is incredibly
vague. 'Certificate Transparency detects misissued Google certificate' would
accurately describe the article's content.

