CA/Symantec Issues

1,347 bytes added, 20:36, 31 March 2017
Add Issue E
Symantec took a number of remediation steps, as outlined in the report.
 
==Issue E: Domain Validation Vulnerability (October 2015)==
 
In October 2015, it was [https://www.agwa.name/blog/post/domain_validation_vulnerability_in_symantec_ca discovered] that Symantec's DV certificate products (e.g. RapidSSL, QuickSSL) had a flaw when parsing email address data from WHOIS: the parser did not handle the + and = characters correctly. This meant that, where a domain owner's WHOIS contact address contained these characters, the address as parsed by Symantec was not the one the domain owner had entered; and if other email addresses of the resulting form could be registered at that domain, an attacker could potentially have obtained a certificate for the domain.
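As an added illustration (not code from the wiki page, from Symantec, or from the linked blog post), the following Python compares a deliberately naive address extractor with a strict one. The naive pattern, whose local-part class omits "+" and "=" and which uses a search rather than an anchored match, is a constructed example of the general failure class the paragraph describes, not a reconstruction of Symantec's actual parser. The WHOIS excerpt is constructed as well. The defensive point is the round-trip check in validation_target: whatever a CA's parser produces must reassemble to exactly the contact string the registrant published before any validation email is sent.

```python
import re

# RFC 5322 "atext": every character legal in an unquoted local part. Both "+"
# and "=" are in this set, so a contact such as user+tag=x@example.com must
# survive parsing unchanged.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}"

# Strict: the whole string must be a single dot-atom address.
STRICT_RE = re.compile(rf"({DOT_ATOM})@({DOMAIN})")

# Hypothetical flawed pattern (constructed for illustration, not Symantec's
# code): "+" and "=" are missing from the local-part class, and search() is
# used instead of an anchored match, so the parser silently "finds" a shorter
# address inside the registrant's real one.
NAIVE_RE = re.compile(rf"([A-Za-z0-9._%-]+)@({DOMAIN})")

# Constructed WHOIS excerpt; not real registry output.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Email: hostmaster+dv=ssl@example.com
Admin Email: admin@example.com
Tech Email: "tech.contact"@example.com
"""

EMAIL_LINE_RE = re.compile(r"^\s*([A-Za-z ]*Email):\s*(\S+)\s*$", re.MULTILINE)


def extract_contacts(whois_text):
    """Map each '<Role> Email:' field in a WHOIS blob to its raw address string."""
    return {m.group(1).strip(): m.group(2) for m in EMAIL_LINE_RE.finditer(whois_text)}


def parse_naive(raw):
    """Hypothetical buggy parser: first substring that looks like an address."""
    m = NAIVE_RE.search(raw)
    return (m.group(1), m.group(2).lower()) if m else None


def parse_strict(raw):
    """(local_part, domain) only if the entire string is one dot-atom address.

    Quoted-string local parts are rejected rather than guessed at; a CA can
    fall back to another validation method for those rare cases.
    """
    m = STRICT_RE.fullmatch(raw)
    return (m.group(1), m.group(2).lower()) if m else None


def validation_target(raw, parser=parse_strict):
    """Address a DV challenge may be sent to, or ValueError if parsing was lossy.

    The round-trip comparison is the control that would have caught a dropped
    or re-split character: the reassembled address must equal what the
    registrant published (domain compared case-insensitively).
    """
    parsed = parser(raw)
    if parsed is None:
        raise ValueError(f"unsupported or malformed contact address: {raw!r}")
    local, domain = parsed
    rebuilt = f"{local}@{domain}"
    if rebuilt.lower() != raw.strip().lower():
        raise ValueError(f"parser altered the contact address: {raw!r} -> {rebuilt!r}")
    return rebuilt


def review_contacts(whois_text, parser=parse_strict):
    """Classify every WHOIS contact as ('ok', address) or ('reject', reason)."""
    result = {}
    for role, raw in extract_contacts(whois_text).items():
        try:
            result[role] = ("ok", validation_target(raw, parser))
        except ValueError as exc:
            result[role] = ("reject", str(exc))
    return result


if __name__ == "__main__":
    for label, parser in (("naive", parse_naive), ("strict", parse_strict)):
        print(label, review_contacts(SAMPLE_WHOIS, parser))
```

Run with the naive parser, the registrant address hostmaster+dv=ssl@example.com is mangled to ssl@example.com, which is exactly the kind of discrepancy that lets a challenge email go to a mailbox the domain owner never designated; the round-trip check rejects it instead of mailing it. With the strict parser the same address is accepted unchanged.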
 
===Symantec Response===
 
Symantec fixed the issue within a week, audited their logs to make sure the flaw had not been abused, and issued a [https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160204_00 security advisory].
 
===Further Comments and Conclusion===
 
The set of circumstances which would have allowed this issue to be exploited (a + or = character in the WHOIS contact address, a domain where arbitrary email addresses can be registered by third parties, and the necessary address still being available to register) is relatively rare, and Symantec fixed the issue quickly and performed appropriate remediation.

==Issue F: Audit Issues For Symantec Itself (December 2014 - November 2015)==