HTTPS is the protocol used for secure client-to-server communication over HTTP. It adds in an SSL certificate to every server request, and we validate these certificates by asking certificate authorities (CAs) whether or not they’re legit. (As always, this is a simplification.) For many years, any action on the internet that benefited from privacy — like transferring your credit card details to someone — has been behind an HTTPS connection, and today many sites are going HTTPS-by-default, in part because on most sites, every server request we make includes personally identifying information of some kind.
This system works well at protecting our privacy, so long as the CAs can be trusted.
They can’t always be trusted.
The security requirements set-up by the browser makers (like Google) include “that [CAs] issue certificates only to people who verify the rightful control of an affected domain name or company name.” If a CA issues a certificate to someone who isn’t a site’s rightful owner, than that person can pretend to be that site (in what’s called a man-in-the-middle, or MitM, attack), and with this intercept any information sent over an HTTPS connection — credit card information, login credentials, and so-on.
And, according to research published by Andrew Ayer, and covered by ArsTechnica, Symantec has violated this rule, issuing 108 certificates without verifying domain ownership. 99 “were issued without proper validation,” and nine were issued “without the permission or knowledge” of the domain owners.
Most were revoked within an hour, but browsers don’t recheck the validity of certificates all that frequently. If you were exposed to a man-in-the-middle attack in that hour window, you would continue to be vulnerable until your browser got caught up. And other browsers, Ayers told Ars, “accept a revoked certificate as legitimate if the attacker can successfully block the browser from contacting the revocation server.”
As an additional bit of salt on the wound, Ars reports, this discover likely only happened because Google, after a previous certificate mishap from Symantec, required the CA to report all certificates it issues. (Most CAs don’t have any such reporting requirement, but Google, as the maker of the biggest browser on the market, has enough leverage to act as an enforcement agent when a CA acts improperly. If Google decided to blacklist Symantec, all sites using Symantec certificates would refuse to load on Google Chrome, and those sites would have a strong incentive to patronise any other competing CA.)
For what it’s worth, I personally would encourage site owners to find an alternative CA. Symantec runs the Symantec Trust Network, GeoTrust, and Thawte. If you’re using any of these CAs, it might be time to look elsewhere.