Security software specialist Symantec has confirmed it has revoked some wrongly-issued certificates.
Certificates are what put the ‘s’ in ‘https’: a certificate authority (CA) issues one to a website after checking that the applicant controls the domain name, and browsers rely on that check when they show the padlock. A certificate does not show that a site is ‘safe’, only that the connection is encrypted to whoever holds the private key for that name, which is why a certificate issued to someone who does not control the name is a serious failure. Andrew Ayer of certificate vendor SSLMate last week discovered that certificates had been wrongly issued for example.com, a domain reserved for documentation that no customer could legitimately obtain a certificate for, and for variations of test.com (test1.com, test2.com, etc.).
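The kind of check that surfaces an issuance like this, as an added example that is not code from the original article, from SSLMate or from Symantec: it builds a constructed self-signed certificate in memory (standing in for one pulled from a public log) and flags names that are reserved for documentation or testing, names that look like test.com/test1.com, names outside a hypothetical owned set, and an Organization field of ‘test’. The owned domain ‘owned-domain.com’ and the sample names are assumptions for the demonstration; the registrable-domain helper is a two-label heuristic, not a public-suffix lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// Names reserved for documentation and testing (RFC 2606, RFC 6761).
// Nobody can prove control of them, so a publicly trusted certificate
// naming one of them is mis-issued by definition.
var reservedDomains = map[string]bool{
	"example.com": true, "example.net": true, "example.org": true, "localhost": true,
}
var reservedTLDs = map[string]bool{"test": true, "example": true, "invalid": true, "localhost": true}

// testNamePattern matches test.com, test1.com, test2.com and so on.
var testNamePattern = regexp.MustCompile(`^test\d*\.[a-z]+$`)

// registrable reduces a name to its last two labels so that
// www.owned-domain.com is compared as owned-domain.com. Heuristic only:
// it ignores multi-label public suffixes such as co.uk.
func registrable(name string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

func isReserved(base string) bool {
	if reservedDomains[base] {
		return true
	}
	labels := strings.Split(base, ".")
	return reservedTLDs[labels[len(labels)-1]]
}

// Findings lists the reasons a certificate deserves a look. owned is the
// set of registrable domains the monitor's operator controls; every other
// name is reported, as are reserved or test-style names and a subject
// Organization of "test". The CN is checked alongside the SANs, deduplicated.
func Findings(cert *x509.Certificate, owned map[string]bool) []string {
	var out []string
	seen := map[string]bool{}
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if n == "" || seen[n] {
			continue
		}
		seen[n] = true
		base := registrable(n)
		switch {
		case isReserved(base):
			out = append(out, "reserved name: "+n)
		case testNamePattern.MatchString(base):
			out = append(out, "test-style name: "+n)
		case !owned[base]:
			out = append(out, "name not in owned set: "+n)
		}
	}
	for _, o := range cert.Subject.Organization {
		if strings.EqualFold(o, "test") {
			out = append(out, "Organization field is 'test'")
		}
	}
	return out
}

// newSelfSigned builds an in-memory self-signed certificate as constructed
// sample input; a real monitor would parse certificates fetched from CT logs.
func newSelfSigned(org string, names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	owned := map[string]bool{"owned-domain.com": true} // assumed owned set
	cert, err := newSelfSigned("test", []string{"example.com", "test1.com", "www.owned-domain.com", "other.net"})
	if err != nil {
		panic(err)
	}
	for _, f := range Findings(cert, owned) {
		fmt.Println(f)
	}
}
```

Run as-is it prints the four findings for the constructed certificate and nothing for a certificate that names only www.owned-domain.com. In practice the same function is applied to every certificate a monitor retrieves for the domains it watches; the ‘not in owned set’ rule is what catches a certificate nobody in the organisation requested.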
On Saturday, Symantec product manager Steve Medin replied, confirming that the certificates had indeed been issued: “The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner’s privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24-hour CA/B Forum guideline – these certificates each had ‘O=test’. Our investigation is continuing.”
According to Medin, the certificates were not issued by Symantec directly but by one of its partner organisations, which he did not name; WebTrust is the audit programme the partner had passed, not the partner itself. He said that the company is still investigating what went wrong, and that Symantec “will report our resolution, cause analysis, and corrective actions once complete”.
This is not the first time that an issue like this has arisen for the company. In 2015 Google stopped trusting one Symantec root certificate, which Symantec itself said would no longer comply with the CA/Browser Forum’s requirements; Symantec responded that certificates from that root were mostly used for internal testing or had been issued to a small group of legacy customers. Separately, Google has since 2013 run Certificate Transparency, a set of public, append-only logs of issued certificates, and in 2016 it added a log for certificates chaining to roots Chrome no longer trusts, the retired Symantec root among them. It is public logging of this kind that lets third parties such as Ayer spot certificates a domain’s owner never asked for.