Security firm Symantec has fired a number of employees after it was revealed that fake Google security certificates had been issued, at least one of which was discovered in the wild.
Digital SSL certificates are used to allow secure communication between websites and web browsers. They are frequently used by banks, retail giants and social networks to protect private data from interception.
However, a number of these certificates, which can only be issued by trusted partners known as ‘Certificate Authorities’ (CAs), were found to have been issued without authorisation by Symantec's CA subsidiary Thawte.
Google's security and privacy product manager, Stephan Somogyi, and Adam Eijdenberg, certificate transparency product manager, said the rogue certificates had been issued for two Google domains despite never having been requested.
"During our ongoing discussions with Symantec we determined that the issuance occurred during a Symantec-internal testing process," they wrote.
"We have updated Chrome's revocation metadata to include the public key of the misissued certificate. Additionally, the issued pre-certificate was valid only for one day.
"We discovered this issuance via Certificate Transparency logs, which Chrome has required for Extended Validation (EV) certificates starting 1 January of this year. The issuance of this pre-certificate was recorded in both Google-operated and DigiCert-operated logs."
Certificate Transparency is an open framework that lets anyone monitor and audit the certificates that CAs issue, in real time. It was developed after an incident in 2011 in which a Dutch CA known as DigiNotar was breached, allowing attackers to create over 500 fraudulent certificates.
Symantec has moved to play down reports that any risk was posed to web users, but has stressed that it is now bulking up internal policies to stop a similar incident occurring.
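The detection described above, domain owners spotting certificates for their names that they never requested, is what a CT log monitor does. The following is an added example, not code from the article or from Google or Symantec: it scans a constructed set of log-style entries for the domains you own and flags any issued by a CA you do not expect, reporting whether the entry is a pre-certificate and how long it was valid. The entry fields and the names are assumptions for the example.

```python
"""Flag unexpected certificate issuance for owned domains in CT-log-style entries."""
from datetime import datetime

# Constructed sample entries. The shape is a simplified, assumed form of what a CT
# log monitor returns; none of these records are real log entries.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer": "Example Trusted CA", "names": ["www.example.com"],
     "not_before": "2015-09-01T00:00:00", "not_after": "2016-09-01T00:00:00",
     "precert": False},
    # A one-day pre-certificate from an issuer the domain owner never used.
    {"id": 2, "issuer": "Other Test CA", "names": ["www.example.com", "mail.example.com"],
     "not_before": "2015-09-14T00:00:00", "not_after": "2015-09-15T00:00:00",
     "precert": True},
    # Unrelated domain: not ours, so it must be ignored even though the issuer is odd.
    {"id": 3, "issuer": "Other Test CA", "names": ["unrelated.org"],
     "not_before": "2015-09-14T00:00:00", "not_after": "2015-12-14T00:00:00",
     "precert": False},
]


def parse_ts(value):
    """Parse the ISO-style timestamp used in the sample entries."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def matches_domain(name, domain):
    """True if a certificate name is the domain itself or a subdomain of it.

    A wildcard name (*.example.com) is treated as covering the domain's subdomains.
    """
    name = name.lower().lstrip("*.")
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)


def find_unexpected(entries, owned_domains, expected_issuers):
    """Return entries covering an owned domain but issued by an unexpected CA.

    Each finding records the affected names, whether the entry is a pre-certificate
    and the validity window in days, which is what a defender needs to triage.
    """
    findings = []
    for entry in entries:
        covered = [n for n in entry["names"]
                   if any(matches_domain(n, d) for d in owned_domains)]
        if not covered or entry["issuer"] in expected_issuers:
            continue
        validity = parse_ts(entry["not_after"]) - parse_ts(entry["not_before"])
        findings.append({"id": entry["id"], "issuer": entry["issuer"],
                         "names": covered, "precert": entry["precert"],
                         "validity_days": validity.days})
    return findings
```

A real monitor feeds this check from a CT log or an aggregator instead of the inline sample, and alerts on every finding, since a legitimate certificate for your domain always comes from a CA you chose.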
"We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing," wrote Quentin Liu, Symantec senior director of engineering.
"All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet."
However, the security vendor also said that it has since fired those responsible for issuing the rogue certificates.
"We discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies. Despite their best intentions, this failure to follow policies has led to their termination after a thoughtful review process," said Liu.
Meanwhile, a Symantec spokesperson told V3: "We hold ourselves to the highest standards and this type of testing was a violation of our own internal policies. We are putting even stronger safeguards in place to prevent an issue like this from occurring again."
Google has since blacklisted the fake domain certificates issued by Symantec and states that it does not believe they have been used in any attacks.
Rogue certificates can be used by attackers to mount man-in-the-middle attacks, intercepting supposedly secure communications such as email and browsing sessions and stealing sensitive financial information.