TLS certificate issuer Symantec faces further security concerns after researcher Hanno Bock tricked the company into revoking a certificate on the strength of a forged private key. According to a blog post by Bock, he registered a pair of domains, obtained free TLS certificates for them from Symantec and Comodo, and generated a fake private key for each domain that did not correspond to the certificate at all. He uploaded the fake keys to Pastebin and sent each certificate provider a revocation request claiming that the certificate's private key was publicly viewable. Bock explains that he embedded the fake keys in a long list of genuine, publicly available keys; Symantec revoked his certificate along with the rest and never told him why the legitimately held certificate had been revoked. The security-relevant failure is that a CA must check a claimed compromised key against the certificate's public key before acting on the claim (at a minimum, the key should produce a signature that the certificate verifies); a CA that revokes on an unverified claim gives anyone a way to take arbitrary sites' certificates out of service with a made-up key. This is a huge issue for an already embattled company: Google and Mozilla have announced that upcoming versions of their browsers will distrust all Symantec certificates.

"Symantec did a major blunder by revoking a certificate based on completely forged evidence," Bock writes. "There's hardly any excuse for this and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background."
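The check that would have caught the forged keys is a proof-of-possession test: a submitted private key is accepted as evidence of compromise only if it signs a fresh challenge that the certificate's own public key verifies. The script below is an added example, not code from the article or from Bock's blog post. It assumes the openssl command-line tool, a constructed report file listing one `cert.pem key.pem` pair per line (the shape of the batch Bock sent), and hypothetical function names `key_matches_cert` and `triage_report`.

```shell
#!/bin/sh
# Added example, not code from the article or from Bock's blog post.
# Proof-of-possession check a CA should run before honouring a
# "the private key for this certificate is public" revocation request:
# the submitted key must produce a signature that the certificate's
# public key verifies. A key that belongs to a different certificate,
# or that is not a key at all, is rejected. Assumes the openssl CLI.

# key_matches_cert CERT.pem KEY.pem   (hypothetical name)
#   exit 0: KEY is the private key of CERT (revocation justified)
#   exit 1: KEY parses but does not belong to CERT (forged / mismatched)
#   exit 2: CERT or KEY cannot be read at all
key_matches_cert() {
    cert=$1; key=$2
    work=$(mktemp -d) || return 2
    status=2
    # Reject blobs that are not a private key, and unreadable certificates,
    # before doing any cryptography.
    if openssl pkey -in "$key" -noout >/dev/null 2>&1 &&
       openssl x509 -in "$cert" -noout -pubkey >"$work/pub.pem" 2>/dev/null; then
        status=1
        # Fresh random challenge, so a replayed old signature proves nothing.
        # Sign it with the submitted key, verify with the certificate's key.
        if openssl rand -out "$work/challenge" 32 2>/dev/null &&
           openssl dgst -sha256 -sign "$key" -out "$work/sig" "$work/challenge" 2>/dev/null &&
           openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig" \
                   "$work/challenge" >/dev/null 2>&1; then
            status=0
        fi
    fi
    rm -rf "$work"
    return $status
}

# triage_report REPORT   (hypothetical name)
#   REPORT is a constructed text file with one "cert.pem key.pem" pair per
#   line. Prints one verdict per line: "REVOKE <cert>" only when the key
#   really belongs to the certificate, otherwise "REJECT <cert> (mismatch)"
#   or "REJECT <cert> (unreadable)". Genuine leaked keys in the same batch
#   do not make a forged entry any more credible.
triage_report() {
    while read -r cert key; do
        [ -n "$cert" ] || continue
        rc=0; key_matches_cert "$cert" "$key" || rc=$?
        case $rc in
            0) echo "REVOKE $cert" ;;
            2) echo "REJECT $cert (unreadable)" ;;
            *) echo "REJECT $cert (mismatch)" ;;
        esac
    done <"$1"
}

# Usage: sh check_key_claims.sh report.txt
if [ $# -eq 1 ]; then
    triage_report "$1"
fi
```

The challenge is generated per request rather than reused, so a signature copied from somewhere else cannot stand in for possession of the key; comparing only the public halves of the key pair would be weaker, since a submitter can paste the certificate's public modulus into a key file with a made-up private exponent.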