freshidea - Fotolia

Symantec CA woes debated by browser community

Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers.

After a Symantec CA representative responded, point by point, to Mozilla developers' concerns over its certificate authority activities, the Mozilla community has raised even more -- as yet unanswered -- questions.

On Monday, April 10, Steven Medin, public key infrastructure (PKI) policy manager at Symantec, posted responses to the list of 14 issues with Symantec CA actions that Mozilla's Gervase Markham listed on the Mozilla wiki site. However, Markham and Google Project Zero team member Ryan Sleevi, among others, responded to Symantec's answers with many more questions.

For example, Symantec's response to concerns about a 1024-bit certificate issued directly from root between December 2013 and January 2014 argued that the certificate was issued after its customer informed Symantec of an issue "that threatened to seriously disrupt their primary business."

"The customer's non-browser implementation required a certificate that was back-dated to support its boot phase, not chained through an intermediate, and that used a 1024-bit key. This would replace a similar certificate that was due to expire on December 31, 2013," Medin wrote.

The issuance, Medin argued, was permitted under the CA/Browser Forum (CA/B) Baseline Requirements at the time. Medin called the questionable certificate issuance a rules violation, but insisted it was not "a source of material risk," and both Microsoft and the customer accepted the known risks.

Medin justified Symantec's actions, stating: "It's important to understand that this action did not threaten browser users, as the site wasn't used by browsers. We stand by our decision to help our customer safeguard their business in this instance, in a risk responsible manner when they needed us most."

In that particular issue, Symantec did not immediately disclose the certificate issuance "due to a contractual obligation to protect the customer's privacy," Medin wrote.

Less than an hour later, Sleevi raised a number of questions about the methodology Symantec used to conclude there was no risk imposed on anyone other than the customer who requested the certificate, as well as questions about how "contractual obligations to protect the customer's privacy" are formally reconciled with CA/B Baseline Requirements that conflict with customer privacy.

Symantec did not respond to requests for comment from SearchSecurity.

Deadline is approaching

Noting that "Symantec has a routine habit of exceeding any reasonable deadline for response," Sleevi asked when is it "appropriate for the Mozilla Root Store to begin discussing what steps can or should be taken with respect to the documented and supported incidents, which Symantec has not provided counter-factual data?"

"Does the Mozilla Root Program seek to consider the intent of the CA that violated the Baseline Requirements repeatedly for a span of several years? If so, does it have a process at which point it will stop considering feedback, versus allowing a CA to indefinitely delay meaningful action to protect users?"

Mozilla's Markham responded by setting a one-week deadline for responses from Symantec -- a deadline that was extended in response to concerns that interested parties might be unavailable.

"Please consider the fact that this is Easter week, and most of the industry, including many people (on both the browser and Symantec sides of the process) are likely to be unavailable for precisely this week of the entire year," wrote Jakob Bohm, CIO at WiseMo, a remote desktop control software company based in Denmark, in the forum. "In general, sending deadline mails (by paper, e-mail, process server or otherwise) to anyone during a public holiday demanding actions during that holiday is considered morally deficient at a minimum."

"That seems hyperbolic. However, your point is well taken," Markham wrote in response. "I have emailed Symantec to put back the deadline to 23:59 UTC on [Thursday,] 20th April."

Impact on customers

"The conversation between Google and Symantec is happening publicly in real time, and is clearly still evolving," Kevin Bocek, chief security strategist for Venafi, based in Salt Lake City, told SearchSecurity.

"This kind of transparency is valuable and will be great for security in the long term, but it's leading to some confusion for Symantec customers. Customers that understand the impact of the situation are scrambling to understand what their options are and how they should respond," Bocek said. "Many of these more literate customers are trying to figure out how they can be more agile with CAs in the future, since this issue is not unique to Symantec. On the other hand, customers that don't understand the implications are still trying to sort out what this could mean."

For now, it's not clear how much this latest round of scrutiny will affect the Symantec CA business, but it could spell opportunity to competitors.

"Other CAs are seeing an uptick in demand, but many of Symantec's customers see replacing public certs as a heavy lift and are reticent to migrate away," Tom Kellermann, CEO of Strategic Cyber Ventures, based in Washington, D.C., told SearchSecurity.

"This is as a bad as it seems, especially when you have many organizations over-relying on SSL for their security. SSL is not a silver bullet, and greater investment into intrusion suppression is necessitated," Kellermann said.

Is Symantec CA acting like a 'Scooby Doo villain'?

The discussion around Symantec CA actions may have been exasperating, but it was not without amusing moments. Symantec's response to the alleged improper cross-signing of the U.S. Federal Bridge PKI was that Symantec allowed the questionable certificate to expire nearly four weeks after FPKI notified it that the certificate was no longer needed, rather than revoke it immediately.

Responding to a clarifying question from Sleevi, Markham wrote, "I'm asking if Symantec ... is intending to sound like a Scooby Doo villain, or whether it's merely accidental that this reads as 'I would have gotten away with it, if not for you meddling browsers.'"

"More specifically, Symantec has failed to respond as to whether or not they agree with the facts presented and, if so, whether or not this represents a Baseline Requirements violation, as suggested."

Next Steps

Find out more about how Google's Certificate Transparency program can prevent certificate abuse

Learn about how certificate pinning can improve CA security

Read about how Certificate Transparency caught Symantec CA issues

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing