1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Improved Digital Certificate Security

Discussion in 'Google Online Security Blog' started by RSS, Sep 19, 2015.

  1. RSS

    RSS New Member Member

    Posted by Stephan Somogyi, Security & Privacy PM, and Adam Eijdenberg, Certificate Transparency PM

    On September 14, around 19:20 GMT, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.

    We discovered this issuance via Certificate Transparency logs, which Chrome has required for EV certificates starting January 1st of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs.

    During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process.

    We have updated Chrome’s revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day.

    Our primary consideration in these situations is always the security and privacy of our users; we currently do not have reason to believe they were at risk.
    [​IMG] [​IMG]

    Continue reading...

Share This Page