Attention webmasters: Google Chrome will soon distrust Symantec-issued SSL certificates

As of March 15, 2018, Google Chrome will start distrusting Symantec SSL certificates.

What is happening and why?

On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.

This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and concomitantly, the certificates that have been or will be issued from it. As a result, the Google Chrome team has announced that they will be distrusting SSL certificates issued by Symantec, and Mozilla has announced that they will be following suit.

In order to restore trust in future Symantec-issued SSL certificates, DigiCert has acquired Symantec's SSL business. Certificates issued after December 1, 2017 will be signed under DigiCert's managed partner scheme and will be trusted by Google Chrome.

Google is currently planning to distrust Symantec SSL certificates in two main phases – upon the release of Chrome 66, and upon the release of Chrome 70.

How could this affect me?

If your website is using a certificate that Chrome has distrusted, your users will receive a security warning when they load your site in their web browsers. Since Google Chrome comprises about half of the browser market, it's likely that a large proportion of your site's visitors will receive errors.

How to check if your site is using an impacted certificate?

The easiest way to determine if your site is impacted is to use Google Chrome developer tools:

  • Press F12 to open the developer tools.
  • In the “Console” tab you will see a warning if your certificate will be distrusted by a future Chrome release.

What should I do if I am using an impacted certificate?

  • Impacted certificates purchased before June 1, 2016 will need to be reissued before Chrome 66 beta (March 15, 2018) or Chrome 66 stable (April 17, 2018).
  • Impacted certificates purchased before December 1, 2017 will need to be reissued before Chrome 70 beta (September 13, 2018) or Chrome 70 stable (October 23, 2018).

Your certificate may expire before it is distrusted in Chrome, in which case you don’t have anything to worry about because any new certificates issued after December 1, 2017 will be trusted.

If your current certificate will be distrusted by Chrome before you would normally renew it, then you will need to have that certificate reissued. Fortunately, there is usually no cost to reissue a certificate.

To check when your SSL certificate was purchased and when it expires, you can use the Google Chrome developer tools:

  • Press F12 to open the developer tools.
  • Navigate to the “Security” tab.
  • Click “View certificate.” From there, you should be able to see the “Issued On” and “Expires On” dates.
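If you have many hosts to check, the same two questions (is the issuer a Symantec-operated brand, and when was the certificate issued?) can be answered from the command line. The script below is an added example written for this article, not a tool from Google or DigiCert; matching the issuer on the brand names listed above is an assumed heuristic, and the Chrome console warning remains the authoritative check.

```python
import socket
import ssl
from datetime import datetime

# Brands operated by Symantec's PKI, as listed in the article.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

# Issuance-date cutoffs from the Chrome distrust plan described above.
CHROME_66_CUTOFF = datetime(2016, 6, 1)   # older certs distrusted in Chrome 66
CHROME_70_CUTOFF = datetime(2017, 12, 1)  # older certs distrusted in Chrome 70


def _name_to_dict(rdns):
    """Flatten the tuple-of-tuples name form returned by ssl.getpeercert()."""
    return {key: value for rdn in rdns for key, value in rdn}


def classify(cert):
    """Return the Chrome release that distrusts `cert`, or None if unaffected.

    `cert` is a dict in the shape produced by ssl.SSLSocket.getpeercert().
    The issuer check is a brand-name heuristic (assumption), not a chain walk.
    """
    issuer_text = " ".join(_name_to_dict(cert.get("issuer", ())).values()).lower()
    if not any(brand in issuer_text for brand in SYMANTEC_BRANDS):
        return None  # issuer is not a Symantec-operated brand
    # getpeercert() formats dates like "Jun  1 00:00:00 2016 GMT".
    not_before = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y %Z")
    if not_before < CHROME_66_CUTOFF:
        return "Chrome 66"
    if not_before < CHROME_70_CUTOFF:
        return "Chrome 70"
    return None  # issued on/after Dec 1, 2017 under DigiCert's infrastructure


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live host presents (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; the issuer CN is a placeholder.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec Intermediate CA (constructed)"),)),
    "notBefore": "Mar  3 00:00:00 2016 GMT",
}

if __name__ == "__main__":
    print(classify(SAMPLE_CERT))  # Chrome 66
```

Replace SAMPLE_CERT with `fetch_cert("your-host.example")` to test a real site.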