On Sept. 18, Google reported that Thawte, Symantec's certificate authority subsidiary, had issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com on Sept. 14 at approximately 19:20 GMT. Google had neither requested nor authorized the pre-certificate. The incident led Symantec to fire an undisclosed number of its employees.
The faulty certificates were caused by Thawte's internal testing. Google detected the anomaly via Certificate Transparency (CT) logs: the pre-certificate's issuance was recorded in both DigiCert-operated and Google-operated logs. Notably, this was the first reported case of CT detecting an erroneous certificate.
"Our primary consideration in these situations is always the security and privacy of our users; we currently do not have reason to believe they were at risk," Stephen Somogyi and Adam Eijdenberg, product managers at Google, say.
Because the pre-certificate was active for only one day, Google researchers believe that it did not cause any harm or pose any threat to users.
If left unrevoked, such certificates could be abused to impersonate legitimate Google websites, potentially allowing interception and decryption of passwords, login cookies and encrypted traffic to and from Google. There was no reported impact to websites, and the certificates were immediately revoked before any major damage occurred. Although the blunder did little or no harm, the Symantec staff responsible for it were fired, and for good reason.
Symantec gave its side in a blog post, explaining that "A small number of test certificates were inappropriately issued internally for three domains during product testing."
The security firm, however, does not intend to take this matter lightly, saying, "As much as we hate to lose valuable colleagues, we are the industry leader in online safety and security, and it is imperative that we maintain the absolute highest standards. At the end of the day, we hang our hats on trust, and that trust is built by doing what we say we're going to do."
Google was quick to resolve the issue, immediately updating Chrome to block the certificate and prevent any damage. Symantec also acted quickly, relieving the employees involved in the incident of their duties.