back to article Symantec fires staff caught up in rogue Google SSL cert snafu

Symantec has fired some employees after Google engineers noticed rogue SSL certificates issued in the web goliath's name. Thawte, Symantec's certificate authority subsidiary, produced a small number of security certificates intended for internal testing. Worryingly, in the wrong hands, these certificates could have been used …

  1. Anonymous Coward
    Anonymous Coward

    "a few outstanding employees"

    If this were an outstanding company, they would have detected the issue internally before it was noticed internally.

  2. Brent Longborough
    Megaphone

    It's easy ...

    ... just to fire the little guys.

    1. hwstar

      Re: It's easy ...

      I agree. They may not be finished with the sackings yet. It gets harder to fire people as you go up the chain of command, and Monty Python's monologue on sacking comes to mind...

  3. Destroy All Monsters Silver badge

    Symantec Warhammer 40K?

    "Because you rely on us to protect the digital world"

    Err... no, actually?

  4. Mark 85

    So was this intentional or accidental?

    I read the blog posts.. the responses to Symantec/Thawte are spot on. Something seems fishy here due to the post of Symantec/Thawte and their handling of this.

  5. CommanderGalaxian
    WTF?

    I smell shite.

    Why would you fire somebody for a mistake? Anybody can make a mistake. Why all the drama?

    1. Anonymous Coward
      Anonymous Coward

      Re: I smell shite.

      I smell shite too, but I'm happy some of my colleagues have been fired due to constantly repeating their stupid mistakes that take time and money to correct.

      Remember:

      The first mistake was an accident

      The second mistake was due to carelessness

      The third mistake was on purpose

  6. x 7

    time to get rid of certs and find another method of authentication. Blockchain maybe?

  7. clocKwize

    Employees shouldn't have the ability to generate legitimate certificates for testing. If its that easy, there is a bigger problem with their security and procedures and Symantec should no longer be trusted to issue certificates. Its that simple.

    1. Crazy Operations Guy

      Indeed, I would think that it would have been required for testing certificates to be issued for non-existent domains or at least use an invalid TLD. Something like "google.symantec" or "test103.local" so the testing lab's DNS servers would still recognize it, and the certificates would show as proper EV, but if the certificates leaked, then they'd be absolutely useless unless you added those fake domains to the victim's DNS (Which if you could, then you wouldn't need the certificates in the first place)

      1. richardcox13

        > issued for non-existent domains

        Even better would be to use an internal CA that is not trusted (by default) by browsers.

        Thus anyone else seeing the certificates would get an error.

        1. Crazy Operations Guy

          I think that the point of the testing was to ensure that the certificates worked properly with a fresh-out-of-the-box browser.

  8. nick soph

    Symantec - nee Norton

    Was a great company till Peter Norton left - downhill ever since - I wouldnt touch anything from them now.

  9. Crazy Operations Guy

    Certificates in DNS?

    I figure that a new DNS record for a website could be created with the certificate's public key and a URL for the issuer. That way the owner of the domain has at least some control over what certificates are considered valid for them.

  10. Anonymous Coward
    Anonymous Coward

    SSL issuers are just smoke and mirrors snake oil salesmen

    It boils down to trusting them to only issue certs to the people who own the domain. The deck of cards falls easily when you see how many holes this system has.

  11. Rotomonge
    FAIL

    Check your facts

    i believe that you will find that VERISIGN is Symantecs CERTIFICATE arm. THAWTE is an independent and separate firm.

    1. Paul Mitchell
      Facepalm

      Re: Check your facts

      Verisign bought Thawte back in 1999, and Symantec bouth them both in 2010.

      Independent NOT.

  12. Nightkiller

    " not a good look for a business built on illusion and trust."

    Aren't they all built on the premise of the Potemkin village or is this just a Freudian slip?

  13. hwstar

    In the US, you can be "Fired for Cause" for situations such as this. When you are fired for cause, you don't get unemployment compensation, and you might have trouble with Health Insurance if you choose COBRA over the ACA. I suspect that the affected individuals are going to have a tough going ahead.

    I don't know how it works in the UK when someone is sacked for gross violations of policy. I would be interested to know what happens in the UK under the same situation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like