Symantec TLS Certs Will Soon Be Extinct

Mozilla Firefox is the latest browser to issue an initial build featuring a warning regarding the certifications.

Jeremy Nation
Sep 3, 2018 · 4 min read

The doomsday clock continues ticking towards midnight on old Transport Layer Security (TLS) certificates once issued by Symantec Certificate Authority (CA).

Mozilla Firefox plans to show a warning should someone browse any page with a TLS certificate from Symantec. For now the changes have been implemented in the Firefox Nightly 63 build. On the October 23, 2018, the change will be officially implemented within the browser.

In addition to Mozilla making a move against Symantec TLS certificates, developers who released Google Chrome’s nightly build, Chrome 70 Canary, opted to issue a similar warning. Chrome will put the warning into a stable release the following October on the 16th, shortly before Mozilla does so in tune.

Image from Bleeping Computer.

The History

Back in March 2017 Google and Mozilla engineers noticed some problems with certificates issued by Symantec. In the ensuing months long investigation that followed it became clear that over 30,000 certificates had been improperly issued by Symantec. As a result, Symantec and the conglomerate CAs flying under its flag, including GeoTrust, Thawte, and RapidSSL, have received a big thumbs down from tech companies like Google, Mozilla, Microsoft, and Apple.

In the the fallout from the revelations brought forth from the Google investigation, a three phase plan was developed to remedy the situation. Phase one saw Symantec voluntarily agree to reclassify as a Subordinate Certificate Authority (SubCA), and license their name to a separate CA who would issue certificates in lieu of Symantec. Phase two of the plan saw Chrome browser issue SSL error messages for any sites featuring a Symantec certificate issued prior to June 1, 2016, while in phase three Chrome began to offer up the SSL error for all websites with Symantec certificates older than December 1, 2017.

On October 31, 2017, enterprise grade identity and encryption solutions provider, DigiCert, acquired Symantec’s website security business for $950 million and close to 30 percent equity of DigiCert common stock. Stepping in, DigiCert offered to replace certificates issued by Symantec at no cost.

Cause and Effect

The improper issuance of SSL certificates allowed malicious actors to set up corporate shells in obscure countries for use as the basis to be issued a SSL certificates. These certificates were in turn used when setting up phishing sites. With thousands of retailers out there sporting web-based businesses, a scammer has their pick of companies to impersonate. And to a consumer, the scammer’s site would appear to be legitimate because it would feature that green lock that so many people have come to mistakenly trust.

Symantec’s fumble is something of a cautionary tale regarding the problems with centralized services being in charge of extended validation and certification. This demonstrates the need for the MetaCert Protocol, an improved verification process that allows a global audience of people to verify web resources. Let’s say someone tries to pull the same phishing scam Symantec’s system would have allowed for. A phisher can set up a shell corp, but when they submit their resources for verification in the MetaCert Protocol, a global community of validators steps in to scrutinize and indicate if that resource is reliable.

Cryptonite, the browser extension for Chrome, Firefox, and Opera, already utilizes the MetaCert Protocol and is a more effective means of protecting yourself from phishing sites than relying on SSL certification alone. Cryptonite blocks phishing sites, even when they try to trick you by sporting a green lock from an improperly issued SSL certificate. This is because Cryptonite goes further by using the MetaCert Protocol as a means of verification, allowing it to more effectively block malicious web resources.

Cryptonite and also provide a visual cue with a black shield that turns green when a cryptocurrency based resource shows up on the screen, a unique service that we have extended to the cryptocurrency community based on the escalated number of scams. The shield turns green when you visit a verified cryptocurrency based website, so you know you’re looking at the real MyCrypto. The shield also indicates legitimate cryptocurrency related social media accounts, so you can tell the difference between an impersonator’s tweet from the real thing at a glance.

Cryptonite is also the only way that you can participate in the MetaCert Protocol Beta Program, where you’ll get a special opportunity to earn a bonus on tokens.

MetaCert Protocol is the best in the world at one thing — URL Classification.

MetaCert Protocol is decentralizing cybersecurity for the Internet, by defining ownership and URL classification information about domain names, applications, bots, crypto wallet addresses, social media accounts and APIs. The Protocol’s registry can be used by ISPs, routers, Wi-Fi hotspots, crypto wallets and exchanges, mobile devices, browsers and apps, to help address cyber threats such as phishing, malware, brand protection, child safety and news credibility. Think of MetaCert Protocol as the modern version of the outdated browser padlock and whois database combined.

Find out more about the MetaCert Protocol, ask questions, and leave suggestions on both our White Paper and Technical Paper. You can also join our Telegram community to stay up to date on our blockchain project. Remember to install Cryptonite to protect yourself from phishing scams before it’s too late.

Jeremy Nation

Written by

Writer, researcher, and analyst.

METACERT

METACERT

MetaCert builds tools to help protect people from phishing attacks.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade