Risk & Repeat: Bad Symantec certificates strike again
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the discovery of more bad Symantec certificates and what it means for the antivirus software maker.
Bad Symantec certificates have, once again, landed the antivirus software maker in hot water.
More than 100 wrongly issued Symantec certificates were discovered recently by security researcher Andrew Ayer. Following Ayer's research post, Symantec quickly revoked the certificates and conducted its own investigation, which found even more bad certificates -- 127 to Ayer's 108 -- that had been issued over a six-month period starting last July.
All of the bad Symantec certificates were issued by CrossCert, a certificate authority based in Korea, according to Symantec's report. According to Symantec, CrossCert issued the certificates in violation of Symantec's policies and "overrode the compliance failure flags."
This marks the second time in less than 18 months that bad Symantec certificates have been exposed; in late 2015, the antivirus vendor was caught, via Google's Certificate Transparency logs, improperly issuing certificates.
While Symantec has pledged to review its certificate authority processes and partners, and to take over validation and issuance of all future certificates that would otherwise have been issued by CrossCert, questions remain for the security software maker.
How could a Symantec certificate authority issue so many bad certificates without the vendor knowing? Should Symantec have been more directly involved with the certificate approval and issuing processes? Is the certificate authority system fundamentally broken?
In this episode of SearchSecurity's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss those questions and more on the topic of Symantec certificates.