Changes

CA/Symantec Issues

425 bytes added, 18:50, 31 March 2017
Remove "draft" designation; update issue R
{{draft}}
 
This page lists all confirmed or suspected issues involving the CA "Symantec". It will be updated by Mozilla as more information becomes available. Please do not edit this page yourself; if you have proposed changes, email [mailto:gerv@mozilla.org Gerv].
==Issue R: Insecure Issuance API (2013 or earlier - November 2016)==
According to [https://www.facebook.com/cbyrneiv/posts/10155129935452436 a report], it is alleged that for several years Symantec operated an issuance API which was insufficiently secure, such that URL parameter substitution attacks would allow one customer to view, reissue, revoke and otherwise control certificates (including non-server certs) belonging to another customer. It is further alleged that, when made aware of these issues, Symantec took a very long time to fix them, and that they may not have been fully fixed at the time Symantec terminated its RA program entirely.
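The failure class described above (an API that locates an object by a caller-supplied identifier and never compares its owner with the authenticated customer) is easiest to see with the vulnerable and hardened handlers side by side. The following is an added example written for this page; it is not Symantec's API nor code from the report. The inventory, customer names, certificate IDs and the audit-log shape are constructed for illustration, and the threshold in the detection helper is an assumed value.

```python
"""Added example: tenant-scoped object access for a certificate-management API,
plus a small detection helper over the audit log. All names and IDs are
constructed; nothing here is the CA's real code or data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Certificate:
    cert_id: str
    owner: str  # customer account that enrolled the certificate


class NotFound(Exception):
    """Raised for unknown IDs and, in the hardened form, for IDs the caller does not own."""


# Constructed sample inventory: two customers, one certificate each.
SAMPLE_INVENTORY: Dict[str, Certificate] = {
    "cert-1001": Certificate("cert-1001", "customer-A"),
    "cert-2002": Certificate("cert-2002", "customer-B"),
}


def get_certificate_insecure(inventory: Dict[str, Certificate],
                             session_customer: str, cert_id: str) -> Certificate:
    """Vulnerable form: the record is selected solely by the ID that arrived in
    the URL. The authenticated customer is accepted as a parameter but never
    used, so substituting another customer's ID returns their certificate."""
    cert = inventory.get(cert_id)
    if cert is None:
        raise NotFound(cert_id)
    return cert


def get_certificate_secure(inventory: Dict[str, Certificate],
                           session_customer: str, cert_id: str,
                           audit_log: List[dict]) -> Certificate:
    """Hardened form: every lookup is scoped to the authenticated principal.
    Unknown and not-owned IDs both surface as NotFound so the endpoint does not
    confirm which IDs exist, and every outcome is written to the audit log."""
    cert = inventory.get(cert_id)
    if cert is None or cert.owner != session_customer:
        audit_log.append({"actor": session_customer, "cert_id": cert_id, "result": "denied"})
        raise NotFound(cert_id)
    audit_log.append({"actor": session_customer, "cert_id": cert_id, "result": "allowed"})
    return cert


def owner_seen_by(inventory: Dict[str, Certificate], session_customer: str,
                  cert_id: str, hardened: bool,
                  audit_log: Optional[List[dict]] = None) -> Optional[str]:
    """Run one request through either handler and report which customer's
    certificate was returned (None if the request was refused)."""
    try:
        if hardened:
            cert = get_certificate_secure(inventory, session_customer, cert_id,
                                          audit_log if audit_log is not None else [])
        else:
            cert = get_certificate_insecure(inventory, session_customer, cert_id)
    except NotFound:
        return None
    return cert.owner


def simulate_requests(inventory: Dict[str, Certificate], session_customer: str,
                      cert_ids: List[str]) -> List[dict]:
    """Replay a sequence of requests against the hardened handler and return
    the audit log it produced (useful for feeding the detection helper)."""
    log: List[dict] = []
    for cert_id in cert_ids:
        owner_seen_by(inventory, session_customer, cert_id, hardened=True, audit_log=log)
    return log


def suspicious_actors(audit_log: List[dict], threshold: int = 3) -> List[str]:
    """Detection: customers denied access to at least `threshold` distinct
    certificate IDs. A legitimate user rarely requests IDs that are not theirs;
    a run of denials across many IDs is the signature of parameter substitution."""
    denied: Dict[str, set] = {}
    for entry in audit_log:
        if entry["result"] == "denied":
            denied.setdefault(entry["actor"], set()).add(entry["cert_id"])
    return sorted(actor for actor, ids in denied.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # customer-A asks for customer-B's certificate through both handlers.
    print("insecure:", owner_seen_by(SAMPLE_INVENTORY, "customer-A", "cert-2002", hardened=False))
    print("hardened:", owner_seen_by(SAMPLE_INVENTORY, "customer-A", "cert-2002", hardened=True))
    log = simulate_requests(SAMPLE_INVENTORY, "customer-A",
                            ["cert-1001", "cert-2002", "cert-3003", "cert-4004"])
    print("flagged actors:", suspicious_actors(log))
```

The design choice worth noting is that the hardened handler puts the ownership comparison in the same place as the existence check, so there is no code path that can return a record without passing through it; with a real database the same effect is obtained by including the owner column in the query's WHERE clause rather than filtering afterwards.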
===Symantec Response===
<blockquote>
"We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible."
</blockquote>
 
In addition, Tarah from Symantec has posted a [https://groups.google.com/d/msg/mozilla.dev.security.policy/CEww8w9q2zE/KvF2fU8ZCgAJ detailed comment] which suggests that the issue is or was substantially less serious than the initial write-up made it sound. A discussion has ensued which I believe includes the original reporter, so we will wait to see if additional information emerges.
==Issue T: RA Program Misissuances (January 2010 - January 2017)==