Tomorrow (April 17) marks a deadline for businesses to replace security certificates issued by Symantec before June 1, 2016. Failure to replace the certificates will result in site breakage in upcoming versions of major browsers, including Chrome – version 66 of which is scheduled for release tomorrow – and Mozilla Firefox.
Any such “breakage” will result in a notification like this.
This notification is the result of a decision made last year by Google’s Chrome team to ultimately remove trust in legacy Symantec infrastructure, “in order to uphold users’ security and privacy when browsing the web.”
It came after a January 2017 public posting to the mozilla.dev.security.policy newsgroup highlighted “questionable” website authentication certificates.
These had been issued by Symantec Corporation’s then public key infrastructure (PKI) arm, whose Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL Certificate Authorities had issued numerous certificates that did not comply with the industry CA/Browser Forum Baseline Requirements.
Symantec reacted with fury at the time, before ultimately deciding to wash its hands of the problem and sell its PKI business to DigiCert for $950 million in August 2017.
DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates, including its subsidiary CAs: Thawte, GeoTrust, and RapidSSL.
“Going forward, all new and reissued Website Security certificates are issued by DigiCert (using one of our trusted roots) and are trusted by Google Chrome,” DigiCert notes, adding: “The new certificate chain DigiCert created does not interfere with your current certificate trust among browsers. The chain also establishes trust for your replacement certificate with Google Chrome (and other browsers) going forward.”
Symantec declined to comment.
Clearly not all websites use legacy Symantec certificates, and not all web users use Chrome or Mozilla browsers, so the problem is limited in scale.
Security researcher Arkadiy Tetelman estimated earlier this year that some 10,000 websites would be affected by Chrome 66 in April and a further 90,000 will be distrusted with Chrome 70 in October. (Some big names, including tesla.com and blackberry.com, would be affected, he found.)
Google said in an update posted to its blog: “If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.”
If you are uncertain about whether your site is using such a certificate, you can preview these changes in Chrome Canary to see if your site is affected. If connecting to your site displays a certificate error or a warning in DevTools as shown above, you need to replace your certificate. DigiCert has a handy guide to doing so here.
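The same check can be scripted for a fleet of hosts. The following is an added example, not code from the article, Google or DigiCert: it classifies a leaf certificate in the dictionary layout Python's `ssl.getpeercert()` returns, treating the CA organisation names listed above as legacy Symantec infrastructure and June 1, 2016 as the Chrome 66 cut-off. The keyword match on the issuer organisation is an assumed simplification of Chrome's root-based distrust list, and the sample certificates are constructed.

```python
"""Classify a TLS leaf cert the way Chrome 66/70 treat legacy Symantec-issued certificates.
Added example, not code from the article, Google or DigiCert; the issuer keyword match is an
assumed simplification of Chrome's root-based distrust list."""
import socket
import ssl
from datetime import datetime, timezone

# Issuer organisation keywords treated as legacy Symantec PKI (CA names from the article).
LEGACY_SYMANTEC_KEYWORDS = ("symantec", "verisign", "thawte", "geotrust", "equifax", "rapidssl")
# Legacy certs issued before this date lose trust in Chrome 66; the rest follow in Chrome 70.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp()

def issuer_org(cert):
    """Pull organizationName out of the nested RDN tuples ssl.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert):
    """Return 'ok', 'distrusted-chrome-66' or 'distrusted-chrome-70' for a getpeercert() dict."""
    org = issuer_org(cert).lower()
    if not any(word in org for word in LEGACY_SYMANTEC_KEYWORDS):
        return "ok"  # e.g. a replacement certificate chaining to a DigiCert root
    issued = ssl.cert_time_to_seconds(cert["notBefore"])  # parses "Mar 10 00:00:00 2016 GMT"
    return "distrusted-chrome-66" if issued < CHROME_66_CUTOFF else "distrusted-chrome-70"

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live server's leaf certificate (needs network; the samples below run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def sample_cert(org, ca_name, not_before):
    """Constructed certificate dict in getpeercert() layout; values are made up for the example."""
    return {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", org),), (("commonName", ca_name),)),
        "notBefore": not_before,
        "notAfter": "Mar 10 23:59:59 2019 GMT",
    }

SAMPLE_OLD_SYMANTEC = sample_cert("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4", "Mar 10 00:00:00 2016 GMT")
SAMPLE_NEW_SYMANTEC = sample_cert("GeoTrust Inc.", "RapidSSL SHA256 CA", "Jun  1 00:00:00 2016 GMT")
SAMPLE_DIGICERT = sample_cert("DigiCert Inc", "DigiCert SHA2 Secure Server CA", "Mar 10 00:00:00 2018 GMT")
```

For a live host, `classify(fetch_peer_cert("www.example.com"))` applies the same rule to the certificate actually served; a result other than `ok` means the certificate should be replaced before the corresponding Chrome release.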