May 25, 2016 Update
KPMG has completed our annual WebTrust audit for December 1, 2014 through November 30, 2015. Those reports are available here. KPMG identified several issues during the course of their audit, including those related to the test certificate incident, and we have addressed each of these issues.
As stated previously, since this issue first arose, we have implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again.
Further, as indicated in our more detailed response, we have enhanced our compliance function by consolidating compliance activities into a single group reporting directly to the head of our Website Security business unit. The new compliance structure includes enhanced identification, tracking, prioritization, and resolution of compliance-related updates, which will help ensure that changes to CA/Browser Forum requirements and to Symantec policies and procedures are effectively implemented. We will continue to further evaluate and strengthen those policies, procedures, and controls.
Finally, we have engaged KPMG to begin a separate Point in Time Readiness Assessment to validate that our processes and systems are operating in accordance with the applicable CA/Browser Forum requirements and Symantec’s Certificate Practices Statements & Certificate Policies.
We will post the results of the Point in Time Readiness Assessment here once that is complete.
April 21, 2016 Update
As we previously disclosed, Symantec learned in September 2015 that it had generated a number of internal test certificates in a manner not fully consistent with its policies. These test certificates included certificates to unregistered domains and domains for which Symantec did not have authorization from the domain owner. As a result, we commenced an investigation to identify and revoke mis-issued certificates, to determine and remediate the root causes of the mis-issuances, and to confirm that no harm had resulted from the incident.
We have completed our investigation to identify the mis-issued test certificates and the root causes behind their issuance. Our investigation uncovered no evidence of malicious intent, nor harm to anyone. No customer or partner action is needed.
The investigation began with a review of certificates that were issued as part of our internal testing processes back to 2009. These certificates were analyzed by our engineering and authentication leads to identify any test certificates mis-issued to unregistered domains and domains for which Symantec did not have authorization from the domain owner.
We subsequently engaged Deloitte Financial Advisory Services LLP (Deloitte) to help us identify any additional mis-issued active test certificates and to help us search for any mis-issued active certificates that were issued for purposes other than internal testing. The Deloitte team that assisted us with this analysis and certificate documentation review consisted of consultants experienced in business analytics, public key infrastructure (PKI), and cyber risk.
Deloitte analyzed the approximately 2.18 million digital certificates issued by Symantec that were active as of November 3, 2015. Deloitte used a recommended risk-scoring approach approved by Symantec that was designed to isolate certificates that were at higher risk for being mis-issued, and then manually reviewed documentation provided by Symantec for those certificates. Deloitte subjected the remainder of the active certificates to statistical sampling and manually reviewed the certificate documentation for the sample selection.
Through our investigation, we confirmed that all of the mis-issued certificates identified were issued for internal Symantec testing purposes. These test certificates have been revoked or have expired. Further, we have contacted the relevant domain owners for the owned domains, and we have worked and will continue to work with the browser community to blacklist these test certificates where they deem appropriate.
The certificate details are available here for reference, including certificates identified since our last report on October 29, 2015, which are identified in the column titled “Apr 2016”:
All the mis-issued test certificates identified were issued for internal Symantec testing purposes. Nevertheless, they were generated in a manner that was not fully consistent with Symantec’s policies and CA/Browser Forum requirements.
We have identified three root causes underlying the mis-issuance of these test certificates. First, we continued to issue internal test certificates to unregistered domains after the April 2014 change in the Baseline Requirements that removed authorization to do so. The overwhelming majority of the mis-issued test certificates fall into this first category. Second, certain Symantec Quality Assurance (QA) personnel had systems access, including the ability to use certain legacy tools, which enabled them to request a limited number of test certificates that were issued without review by authentication personnel. Third, authentication personnel did not consistently follow all verification steps when they received test certificate requests from their Symantec colleagues, or requested test certificates themselves.
Symantec has implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again, and we will continue to further evaluate and strengthen those policies, procedures, and controls. Specifically, Symantec has removed the systems access and disabled the legacy technical tools that enabled certain QA personnel to request a limited number of test certificates without review by authentication personnel. Symantec has also updated its internal policies, procedures, and training to clarify the April 2014 change in the Baseline Requirements that removed authorization to issue certificates to unregistered domains. Additionally, Symantec has updated its internal policies, procedures, and training to strongly reinforce that all test certificates must follow the same full authentication procedures as commercial certificates. Symantec has also confirmed that each identified domain that was used for testing purposes in a manner not fully consistent with our policies can no longer be used for new certificates without first undergoing standard authentication and issuance procedures.
We have also worked with KPMG during our annual WebTrust audit, where Symantec’s certificate management practices and internal controls are extensively reviewed. In addition, KPMG will soon be conducting a separate Point in Time Readiness Assessment.
Enhancing Certificate Transparency and Security
Symantec remains fully committed to the continued trust of our roots across browsers and enhancing the transparency and security of the global certificate infrastructure. For example, we have expanded support for Certificate Transparency to all SSL/TLS certificate types and customer channels. Certificate Transparency (CT) is an open framework that was created to help organizations get a comprehensive view of what active certificates exist for domains that they own. We have provided CT support for all Symantec, Thawte, and GeoTrust Extended Validation (EV) certificate offerings since December 2014, and we are one of the few organizations to operate public CT log servers. We have also now expanded CT support to our Organization Validated (OV) and Domain Validated (DV) products under each of these brands.
Symantec has also promoted and implemented support for Certification Authority Authorization (CAA), which enables domain owners to specify which CAs may issue certificates for their domains. CAA provides another tool for domain owners to help prevent certificates from being mis-issued for their domains, but it works in practice only if all CAs support it and explicitly honor customers’ preferences. Symantec has been a champion of CAA, and we will be submitting a proposal to the CA/Browser Forum for a rule change to require that all CAs explicitly support CAA.
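The paragraph above describes what CAA does but not how a CA is expected to evaluate it before issuing. The following Python is an added example, not Symantec's code, showing the evaluation a CA performs under RFC 6844 / RFC 8659: walk from the requested name toward the root until a CAA RRset is found, refuse issuance on any critical property the CA does not understand, consult issuewild for wildcard names, and only issue when an issue/issuewild value names this CA. The zone data (example.com, ca-one.example, and the rest) is constructed for the example, and lookup() is a stand-in for a real DNS query.

```python
"""Evaluate CAA records the way a CA must before issuing (RFC 6844 / RFC 8659).

Added example with a constructed zone; lookup() stands in for a DNS CAA query.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or an unrecognised tag
    value: str   # for issue/issuewild: CA domain, optionally followed by ";key=val" parameters


# Constructed zone data (not real DNS). example.com allows exactly one CA for
# ordinary names and forbids wildcard issuance entirely ("issuewild ;").
# A subdomain with no CAA RRset of its own inherits the parent's records.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # A critical property the CA does not recognise: issuance must be refused.
    "locked.example.com": [
        CAARecord(128, "unknown-tag", "whatever"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup(name):
    """Stand-in for a DNS CAA query; returns [] when the name has no CAA RRset."""
    return ZONE.get(name, [])


def relevant_caa_set(domain):
    """Walk from the (non-wildcard form of the) name toward the root;
    the first non-empty CAA RRset found is the relevant set."""
    labels = domain[2:].split(".") if domain.startswith("*.") else domain.split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_matches(value, ca_domain):
    """The issuer domain is the part of the value before any ';' parameter list.
    An empty issuer (value ";") authorises nobody."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def issuance_allowed(domain, ca_domain):
    """Return True if ca_domain may issue a certificate for domain.

    - No CAA RRset anywhere up the chain: issuance is not restricted (CAA is opt-in).
    - Any critical record whose tag this CA does not understand: refuse.
    - Wildcard names use issuewild records when present, otherwise issue records.
    - If the relevant set carries no applicable issue/issuewild records
      (e.g. only iodef), issuance is not restricted by CAA.
    """
    rrset = relevant_caa_set(domain)
    if not rrset:
        return True
    if any((r.flags & 128) and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = domain.startswith("*.")
    has_issuewild = any(r.tag.lower() == "issuewild" for r in rrset)
    tag = "issuewild" if (wildcard and has_issuewild) else "issue"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True
    return any(ca_matches(r.value, ca_domain) for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "ca-one.example"),
                     ("locked.example.com", "ca-one.example")]:
        print(f"{ca:18} -> {name:22} allowed={issuance_allowed(name, ca)}")
```

The point the page makes, that CAA only helps if every CA honours it, is visible in the code: nothing here is enforced by the domain owner's DNS; the refusal happens only because the issuing CA chooses to run this check and to treat a critical unknown property as a hard stop.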