Symantec is in trouble with Google again after it was found to have issued over 160 rogue SSL certificates without permission, following a similar incident in September.
Symantec originally published a report last month claiming it had issued 23 certificates without the domain owner’s knowledge, covering five organizations including Google and Opera.
However, Google wasn’t satisfied that this was the end of the story, as it found “several more questionable certificates” using its Certificate Transparency system, Google software engineer Ryan Sleevi explained in a blog post.
“Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered,” he said.
“It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit.”
As a result, from 1 June next year Google will require all Symantec-issued certs to support Certificate Transparency for easier logging. Google warned that failure to do so “may result in interstitials or other problems when used in Google products.”