Last week, Andrew Ayer, the owner of certificate vendor SSLMate revealed his discovery of faulty certificates issued by Symantec. The certificates were issued for example.com and a few variations of test.com (test1.com, test2.com and so on).
In some cases, Andrew said that these certificates made it possible to spoof HTTPS-protected websites and that Symantec issued the faulty test.com certificates in October and November last year. It has also been noted that this is not the first time Symantec has been in the spotlight due to wrongly issued security certificates.
Steve Medin, Product Manager, Symantec said:
The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner’s privileges to restrict further issuance while we review this matter.
We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline – these certificates each had “O=test”. Our investigation is continuing.
According to the Google log, over 100 certificates were wrongly issued between July 2016 and January this year by Symantec certificate authorities (CAs) for different domains.
A Symantec spokesperson said:
Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities.
We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information.