January 26, 2017
There are big changes coming to how Google Chrome handles specific security certificates in 2018. You may have seen some of the media coverage and are wondering what it all means. This blog post will shed some light on the situation and prepare you for the upcoming changes to how Google Chrome and other browsers deal with SSL/TLS certificates.
What's Happening?
In 2016, investigators discovered that Symantec broke industry rules for issuing the security certificates that support encrypted traffic on secure websites. Specifically, Google found that Symantec had issued digital certificates without thoroughly verifying the requesters. Verification is the foundation of the trust placed in a certificate: whoever holds a certificate for a website can decrypt traffic to that site and, if malicious, expose sensitive data. As a result, Google is taking steps to revoke trust in all existing Symantec SSL certificates in Google Chrome.
When is this Happening?
Beginning in version 66 (estimated to be released in April 2018), Chrome will show SSL certificate errors for all Symantec certificates issued before June 1, 2016. Later, with the release of Chrome 70 (estimated October 2018), Chrome will show errors for all websites with Symantec SSL certificates issued on the old infrastructure before December 1, 2017. Google is taking the lead on this, but other browsers will likely follow suit.
What Do I Need to Do?
Most users will not have to take any action. Once your Chrome browser updates, however, you may notice new certificate errors, and you should be very careful about the information you provide to sites with affected certificates.
If you are a website operator with a certificate issued by a Symantec CA prior to June 1, 2016, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome before the release of Chrome 66.
In addition, because Symantec owns other CAs such as GeoTrust, Thawte, and RapidSSL, the root certificates of those former companies are operated under Symantec's root infrastructure. Certificates issued under these three brands will be distrusted on the same schedule as Symantec-branded SSL certificates, and their owners will have to request new ones. However, as of December 1, 2017, all Symantec certificate brands (Symantec, GeoTrust, Thawte and RapidSSL) are issued from DigiCert's validation platform, and Chrome will trust those certificates.
How Do I Know if My SSL Certificates are Affected?
If you are unsure whether your certificates are affected, you can use an SSL scanning tool, such as the Qualys SSL Labs testing tool (https://www.ssllabs.com/ssltest/), to determine the full certification path.
Additional information can be found on Google's Security Blog: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
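For operators who would rather check from the command line than through SSL Labs, the following added example (not part of the original post, and not a Google or Symantec tool) applies the post's schedule to the output of `openssl x509 -noout -issuer -startdate` for each certificate in a chain, leaf first. It looks for the four brands the post names in the issuer's organization field and compares the leaf's notBefore date against the June 1, 2016 and December 1, 2017 cutoffs. The sample chain below is constructed for illustration, not a real certificate chain.

```python
"""Classify a certificate chain against Chrome's Symantec distrust schedule.

Added example, not from the original post. Input is the text that
`openssl x509 -noout -issuer -startdate` prints for each certificate in a
chain, leaf first. Both the OpenSSL 1.1 issuer format ("C = US, O = ...")
and the older 1.0 format ("/C=US/O=...") are handled.
"""
import re
from datetime import datetime

# Brands the post names as Symantec-operated; matched against the issuer O=.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# Milestones from the post: Chrome 66 distrusts Symantec-family certificates
# issued before 2016-06-01; Chrome 70 distrusts those issued on the old
# infrastructure before 2017-12-01. Later issuance comes from DigiCert's
# platform and stays trusted.
CUTOFF_CHROME_66 = datetime(2016, 6, 1)
CUTOFF_CHROME_70 = datetime(2017, 12, 1)

# Constructed sample: a leaf issued by a Symantec-branded intermediate in
# March 2016, chaining to a Symantec-branded root. Not a real chain.
SAMPLE_CHAIN = """\
issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Example Intermediate CA
notBefore=Mar  1 00:00:00 2016 GMT
issuer=C = US, O = Symantec Corporation, CN = Example Root CA
notBefore=Oct 31 00:00:00 2013 GMT
"""

ISSUER_RE = re.compile(r"^issuer=(.*)$", re.M)
NOTBEFORE_RE = re.compile(r"^notBefore=(.*)$", re.M)
# Organization attribute in either issuer format; stops at the next separator.
ORG_RE = re.compile(r"(?:^|[,/])\s*O\s*=\s*([^,/]+)")


def parse_chain(text):
    """Return [(issuer_org, not_before), ...] with the leaf first."""
    issuers = ISSUER_RE.findall(text)
    starts = NOTBEFORE_RE.findall(text)
    if not issuers or len(issuers) != len(starts):
        raise ValueError("every certificate needs one issuer= and one notBefore= line")
    chain = []
    for issuer, start in zip(issuers, starts):
        m = ORG_RE.search(issuer)
        org = m.group(1).strip() if m else ""
        # OpenSSL prints dates like "Mar  1 00:00:00 2016 GMT".
        not_before = datetime.strptime(start.strip(), "%b %d %H:%M:%S %Y %Z")
        chain.append((org, not_before))
    return chain


def chrome_distrust(chain):
    """Return the Chrome release (66 or 70) that stops trusting the chain, or None."""
    if not chain:
        raise ValueError("empty chain")
    symantec_family = any(
        brand in org.lower() for org, _ in chain for brand in SYMANTEC_BRANDS
    )
    if not symantec_family:
        return None  # not issued under a Symantec-family CA; unaffected
    leaf_not_before = chain[0][1]  # the leaf's issuance date is what counts
    if leaf_not_before < CUTOFF_CHROME_66:
        return 66
    if leaf_not_before < CUTOFF_CHROME_70:
        return 70
    return None  # issued from DigiCert's platform on or after 2017-12-01


def describe(text):
    """Human-readable verdict for a pasted openssl chain dump."""
    release = chrome_distrust(parse_chain(text))
    if release is None:
        return "Not affected by the Symantec distrust schedule."
    return f"Replace this certificate before Chrome {release} ships."


if __name__ == "__main__":
    print(describe(SAMPLE_CHAIN))
```

To feed it a live site, dump the chain with `openssl s_client -connect example.com:443 -showcerts </dev/null`, run each PEM block through `openssl x509 -noout -issuer -startdate`, and paste the concatenated lines into `describe`. The check only looks at issuer organization names and the leaf's notBefore date, which is exactly what the post's schedule turns on; it does not verify the chain cryptographically, so treat it as a triage aid alongside the SSL Labs report rather than a replacement for it.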
Written by: Stephen Willem (Manager, Information Security)