Symantec over the weekend confirmed it revoked a series of web security certificates it says were mistakenly issued by a partner.
In a statement Saturday, Symantec’s Steve Medin said the certificates in question had been obtained inappropriately from one of its WebTrust audited partners.
“We have reduced this partner's privileges to restrict further issuance while we review this matter,” said Medin a certificate policy expert. “We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline - these certificates each had ‘O=test’.”
The digital certificates are designed to verify the identities of web servers and browsers, enabling secure communications. Certificates are essential for securing transmission of everything from credit card data to social media posts.
The problem was first made public Thursday by a principal from certificate vendor SSLMate, which identified some irregularities with certificates issued for “example.com,” and several versions of “test.com,” including “test1.com,” “test2.com,” etc.
“I confirmed with ICANN, the owner of example.com, that they did not authorize these certificates,” SSLMate’s Andrew Ayer wrote. “These certificates were already revoked at the time I found them.”
Ayer also found numerous other suspicious traits.
“I doubt there is an organization named ‘test’ located in ‘test, Korea,’” he wrote.
Symantec is continuing to investigate what went wrong, and Medin was quoted in the U.K.’s The Register technology publication as saying that the company would ultimately disclose its “resolution, cause analysis, and corrective actions.”
Send tips and news to [email protected].