New Delhi: Security firm Symantec has fired an undisclosed number of employees who issued an unauthorised HTTPS certificate for Google, making it possible to impersonate HTTPS-protected webpages.
Company officials noted in their blog post, “A small number of test certificates were inappropriately issued internally for three domains during product testing.” The certificates were immediately revoked and there was no direct impact to any of the domains.
While the company did not disclose the domains affected, Google researchers said in a separate blog post that Symantec’s Thawte-branded certificate authority service issued an Extended Validation pre-certificate for the domains google.com and www.google.com.
The unauthorized credential was trusted by all browsers, but Google never authorized it. The researchers explained that the pre-certificate was neither requested nor authorized by Google.
The incident comes five months after Google warned of a separate batch of bogus certificates that had been issued for several of its domains, including .google.com, .google.com.eg, .g.doubleclick.net, .gstatic.com, www.google.com, www.gmail.com, and .googleapis.com, Ars Technica reports.
The erroneous certificates issued by Symantec were discovered after Google employees monitored logs associated with Google’s Certificate Transparency project, a program designed to fix structural flaws in the way HTTPS certificates are issued by making it easy to monitor their issuance in real time.
Following the discovery, Google has updated its Chrome browser to block the certificate. Google researchers don’t believe that the pre-certificate was used in any attacks or posed a threat to Google visitors as it was valid for only one day.