Earlier this year, Google announced a plan to stop trusting existing Symantec SSL certificates, which are used to authenticate and encrypt data, due to concerns about the way these have been issued.
Google expects root certificate authorities to validate domain ownership before issuing certificates and to secure their operations and infrastructure against signs of improper issuances as well as auditing logs to review issuance activity. They stated Symantec did not meet these standards and allowed outside access to their certificate infrastructure without proper oversight. Further, Google stated Symantec failed to disclose this information in a timely manner and it did not take this issue as seriously as they should have.
Appropriate browser security represents a significant challenge to which browser manufacturers, system administrators and users all have a different approach. System administrators want users exposed to minimal risk (and troubleshooting difficulties) and it's safe to say users want to be able to do their jobs with minimum of prompts and dialogue boxes.
Browser companies face the brunt of the difficulties, however, since they have to decide which type of measures to enact in their code to alter or restrict potentially unsafe user behavior, such as by warning users about potential risks, trusting or distrusting specific activities, or even blocking certain websites or software.
It's a fine line they walk, determining how aggressive their tactics should be. Drastic restrictions may put them in conflict with other businesses as well as their user base. System administrators and end users who end up frustrated with onerous usage or access limitations may simply disable features intended to protect them or end up using alternate browsers altogether.
In the case of Symantec, their Certificate Authority (CA) was found to have improperly issued over 30,000 SSL certificates. This represents a significant risk since it enables the impersonation of other sites as well as the ability to analyze communication between servers.
Google had a tough choice to make, but opted to make it for the benefit of their customers. Stating that their developers "no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years," the company laid out a set of guidelines for Symantec to follow to revamp their CA infrastructure in order to remedy this situation within a specific timeframe.
Symantec issued a response taking responsibility for the issue and praising Google for not adversely impacting their customers by posing "compatibility or interoperability challenges for the vast majority of users." They requested more time to revamp their infrastructure as well as the creation of an Enterprise Chrome policy to permit the use of Symantec certificates issued before June, 2016.
Ultimately they opted to sell their entire top-level SSL business to DigiCert, which will be operational under this new ownership as of this December. As a result, Symantec will no longer be a Certificate Authority but instead a Subordinate Certificate Authority (SubCA), as proposed by Google. Symantec can still conduct business issuing new SSL certificates, and Google (as well as other browser vendors) can receive reassurance that Digicert will conduct itself through strict and secure guidelines to prevent the mistakes of the past from reoccurring.
SEE: Internet and Email usage policy (TechRepublic)
How will this affect your company?
As a result of this decision, Google stated "Website owners and other developers using Symantec SSL certificates inside their application will have to reach out to Symantec for a new SSL certificate... or reach out to another CA provider altogether."
In terms of how Chrome will respond to these certificates, it will no longer recognize as valid current Symantec Extended Validation certificates, which are supposed to assure users a site is authentic because the owner of the certificate passed a rigorous verification check. Chrome currently displays such domain names in green alongside the secure padlock icon in the address bar, but will not do so for Symantec. Chrome will not accept any new certificates from Symantec's current infrastructure which have an expiration date of more than nine months.
Furthermore, Google Chrome will start warning users about insecure Symantec SSL certificates in version 62 which will be released this October. Chrome 66, estimated for release next April, will display "untrusted" errors for all Symantec certificates issued before June 1, 2016. Chrome 70, estimated for October of 2018, will display errors for all Symantec certificates issued using their old CA infrastructure before December 1, 2017.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
What do you need to do?
Symantec claims no action is required at this time. However, in preparation for the upcoming Chrome changes if you utilize Symantec-issued certificates, I recommend consulting with your CA issuer/vendor (who should have notified you already) to determine whether you should replace these, especially if they are older than June 1, 2016. If you need to replace them but this effort this is neither possible nor feasible at the moment, you should notify customers or users to be prepared for Chrome warnings and errors and work out a plan and schedule for replacement as needed.
In addition, if you administer user systems running Chrome and this application is routinely updated (as it should be) you should notify your customers that they may see these warnings and errors when accessing other external sites which utilize impacted Symantec certificates, and notify them as to how to proceed.
Personal or recreational sites using affected Symantec certificates should be avoided once the Chrome notifications begin next month. If the site(s) involve business purposes, you should determine whether to have users continue to access these until the certificates are replaced. Base your decision on the criticality of the operations involved as well as the required confidentiality of any data.
It's preferable to train users to take alerts seriously, so advising them to ignore such alerts can lead to indifference in other situations, lessening their awareness levels. If you elect to allow the access, consider utilizing Google's Enterprise Chrome policy (Google it for availability when released) on company-owned systems to suppress certificate alerts (if feasible for your organization).
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Disruptive cyberattacks could hit energy infrastructure in US, Europe (TechRepublic)
- Why the Equifax breach could force executives to finally take cybersecurity seriously (TechRepublic)
- Google reveals formal plan to distrust Symantec certificates in 2018 (ZDNet)
- Symantec tricked into removing legit certificates by security researcher (ZDNet)
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.