Google has decided Symantec's certificates are untrustworthy; webmasters should plan to get HTTPS certificates elsewhere.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Beginning with the release of Chrome 66 in April, Symantec web certificates issued prior to June 2016 or after December 2017 will be considered untrusted by Chrome. By October all Symantec certificates will be untrusted.
- Symantec was purchased by DigiCert, and the two have merged their certificate authorities. Companies are encouraged to get HTTPS certs from either DigiCert or elsewhere.
Announced in September 2017, Google's plan to distrust Symantec certificates in its Chrome browser is just around the corner. By mid April, any websites using Symantec certificates issued under its old system prior to June 1, 2016, or after December 1, 2017, will display warnings to Chrome users that the site may be unsafe. Those falling between these two dates are only staying valid to give website owners time to transition to a new non-Symantec certificate.
Since Symantec was purchased by DigiCert and completed its infrastructure merger in December 2017, new certificates issued by DigiCert are not affected.
The change will come with Chrome 66, available to beta testers in mid March and to the general public by mid April. That's not all, either--by Chrome 70, due for release at the end of October, all Symantec certificates not issued by its through DigiCert will be untrusted.
Symantec's old certificate reach goes deep, though: Certs issued by Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL all have Symantec roots and will be considered invalid once Chrome 66 rolls out.
Why the change?
Two incidents with Symantec's certificate system have prompted Google to label it untrustworthy.
In 2015, 2,600 certificates were falsely issued for domains without their owners' knowledge or permission, as well as domains that didn't exist. Google.com was included in the falsely issued set.
In 2017 it came out that not only were the Symantec certificate partners listed above not complying with baseline requirements from CA/Browser Forum, but that Symantec has also trusted certificate issuance to companies it knew had security deficiencies.
Those weren't the only Symantec issues, but the two incidents were part of a larger certificate authority problem pattern, Google said.
What webmasters need to do
As application security engineer Arkadiy Tetelman points out, there's only a small selection of websites in the Alexa top one million that are affected (Tetelman has published a full list of affected domains). Don't assume that applies to you, though: Once Chrome 66 hits, any internet users who try to access your page may be met with a warning, which is likely to drive them away.
SEE: Vendor contract renewal planner (Tech Pro Research)
Webmasters are advised to check their root certificate authority. If it's Symantec, it's time to go find a new one. As Google points out, you can have your Symantec certificate reissued to comply with the "between June 2016 and December 2017" decision it made, but come October even those will be considered untrusted.
If you manage a website and use Symantec to issue your HTTPS certificate, it's time to take your business elsewhere, unless you don't mind potentially alienating the nearly half of internet users on Chrome.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Let's Encrypt brings free wildcard certificates to the web (ZDNet)
- Google Chrome users: Don't fall prey to this fake tech support scam (TechRepublic)
- Google: Here's why we're putting all our top-level domains on forced HTTPS list (ZDNet)
- Top 5 HTTPS best practices (TechRepublic)