Symantec confirms it wrongly issued certificates

Security software specialist Symantec has confirmed it has revoked some wrongly-issued certificates.

Certificates, the ‘s’ on the end of the ‘https’, are granted to websites to show that they are secure and that users can feel safe on them. However, Andrew Ayer of certificate vendor SSLMate last week discovered that there had been wrongly issued certificates for, and variations of (, etc).

On Saturday, Symantec product manager Steve Medin replied, confirming that the certificates had indeed been issued: “The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner’s privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline – these certificates each had "O=test". Our investigation is continuing.”

Apparently, according to Medin, the mistake happened at partner WebTrust. He said that the company is still investigating what went wrong, and that Symantec “will report our resolution, cause analysis, and corrective actions once complete”.

This is not the first time that an issue like this has arisen for the company. Back in 2015, Google blocked certificates from a Symantec root because it was not complying with the CA/Browser Forum’s requirements. Symantec responded that the certificates were mostly used for internal testing, or were issued to a small group of legacy customers. As a result, Google last year launched its Certificate Transparency site, showing a list of cerificates that the firm doesn’t trust. 

Check Also

Feature: Want more sales leads? It’s easy if you ask the right questions

Daniel Priestley of Scoreapp quizzes channel marketing.    You’ve probably found securing high-quality leads can …