Security company Symantec was forced to fire 3 employees after Google engineers discovered fake SSL certificates issued in the company's name and used by fraudsters.
SSL certificates are a technology through which programs browsing and Web service providers can establish secure connections and authorized communication channels.
They are used billions of times every day and have become a common practice to secure communications between users and banks, online stores, social networks, as well as any website that wants to protect their users and their private data from hackers and uninvited government agencies.
Those authorities are responsible for issuing the certificates or Certificate Authority (CA). There are many CAs around the world, and all are recognized by trusted manufacturers. They only issue certificates to trusted customers.
One of these is CA and Symantec, a cyber security company known mainly by Norton antivirus.
This Friday, September 18th, Google engineers working on Certificate Transparency, a service which checks for fake SSL certificates circulating the internet, discovered several fake Google.com SSL certificates that were issued by Symantec. These dangerous certificates were also observed by DigiCert technicians.
Worst of all, these certificates were labeled "Extended Validation", which means that Symantec had allegedly carried out additional checks. This information has not been officially confirmed by Google or Symantec in their press releases.
Google has already moved on black list the said certificates. Since the information was leaked, Google and Symantec do not believe it could be used in real attacks.
If hackers had more time, using these fake SSL certificates could do MITM (man-in-the-middle) attacks to intercept secure communications.
Please note that 2011 had happened since the Dutch company CA DigiNotar was violated and hackers were able to issue hundreds of fake certificates. Some of these SSL certificates (also issued in the name of Google) were used by the Iranian government to spy on political dissidents.
