Attention: Final Google distrust date for Symantec CA SSL certificates is approaching
Google Chrome’s final distrust of Symantec CA SSL certificates is rapidly approaching. Anyone using the Beta version of Chrome will receive the Chrome 70 update around September 13th, at this point any website still using an original Symantec CA brand SSL certificate will start to receive browser warnings.
This affects all Symantec CA brand SSL certificates issued before December 1, 2017. And it applies to:
The stable version of Chrome 70 is set to arrive around October 16, at which point over 60% of the internet will not be able to reach websites that are still using one of the affected certificates. We are using the Beta release as our deadline to give you a little bit of a buffer in case replacing certificates takes a day or two.
DigiCert, which purchased the Symantec CA brand following its agreement with Google, has been handling the re-issues for Symantec customers and it has done a spectacular job.
There was a lot of concern back in April when the first group of Symantec CA SSL certificates was distrusted that huge swaths of the internet would go down. That didn’t happen, and it’s a testament to the men and women at DigiCert who have worked tirelessly to replace millions (literally millions) of affected SSL certificates.
The April distrust dealt with SSL certificates issued before June 1, 2016. DigiCert started re-issuing at the beginning of December in anticipation. The second distrust date is for all the remaining Symantec CA SSL certificates.
Will this distrust affect my SSL certificate?
Here is an easy way to think about this final distrust. Has DigiCert, or the SSL service you purchased your certificate from, re-issued or replaced your Symantec, GeoTrust, Thawte or RapidSSL certificate in the past nine months? If the answer is no, then this distrust is going to affect you.
The Canary version of Chrome 70, Google’s advanced dev version of Chrome, came out in July. Fortunately, very few people use Canary. The Beta version has a few more users, but the vast majority of people are going to be affected by the stable release around October 16. It’s worth noting that Google rolls its updates out gradually, so it’s really more like the week of the 16ththan the 16thitself.
The other browsers, Mozilla’s Firefox, Apple’s Safari, Microsoft’s Edge and IE will all distrust Symantec CA certificates along similar timelines, too. So, telling your visitors to use another browser isn’t an option.
It is worth pointing out that since DigiCert has purchased and begun issuing for the Symantec CA Brands that they are safe to use again. DigiCert is universally trusted, one of the most well-respected Certificate Authorities in the digital certificate industry. DigiCert has also tweaked its issuance practices to compensate for site owners who would have had to renew their certificate within a couple months of re-issuing. There is now a seven-month window for renewals, meaning you can knock out the re-issue and the renewal in one fell swoop.
This option is only available for one-year certificates owing to the CAB Forum’s baseline requirements for certificate validity.
How did Symantec get distrusted?
If you’re looking for a full synopsis you can read it here. The short answer is that dating back to 2015 Symantec had been called out for some minor mis-issuance issues. In 2016, upon investigating further, Google found other evidence of mis-issuance and that Symantec was practicing lax oversight over the regional authorities it was outsourcing validation to in various regions.
Here’s where there are two differing camps. Symantec, rightfully, points out that there were a total of 33 mis-issued test certificates and that no real-world harm actually occurred as a result of it. Google and the other browsers argued that Symantec’s mis-issuance problems were systemic and by extension, they could no longer trust the certificates Symantec CA brands were issuing.
Google and Symantec reached an agreement over the Summer of 2017 that Symantec would shift issuance of certificates to a managed CA while it rebuilt its PKI. In the meantime, Symantec’s roots would be distrusted, which in turn distrusts all of Symantec’s certificates. That was what facilitated Symantec selling its CA to DigiCert for nearly a billion dollars and a 30% share.
Since then, DigiCert has scaled up its operations and started issuing for Symantec.
What do I need to do if my SSL certificate is about to be distrusted?
Contact the SSL service you purchased from, or DigiCert, and there are mechanisms already in place to help replace or renew your certificate.
If you purchased your SSL Certificate(s) from The SSL Store, click here to log into your account and view your impacted order(s).
Originally published at www.thesslstore.com on August 21, 2018.