Symantec certificates: the axe falls in Chrome


In July 2017, Google announced its intention to stop trusting certificates issued by Symantec. This drastic decision was the result of a long debate about the trustworthiness of the Symantec certification authority: the company had multiplied partnerships with third parties and let them issue certificates that did not respect the state of the art in security and transparency. The announcement led to a veritable battle between Google and Symantec: Google took the opportunity to highlight its Certificate Transparency initiative, while Symantec was eventually forced to abandon its certification authority business. The other major browsers followed Google and announced their intention to stop trusting certificates issued by Symantec and its partner brands (Symantec, Thawte, VeriSign, RapidSSL and GeoTrust). As announced, Google confirms that version 70 of Chrome will no longer trust certificates issued by Symantec and its partners. Version 66 had already blocked certificates predating June 2016, and version 70 extends the measure to all certificates chaining to a Symantec root certificate. As a result, sites using the affected certificates will no longer be reachable by Chrome users from version 70, scheduled for October 16th: the browser will instead display a warning that the page is not secure, and the user will have to click through it to view the page.
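As an added example (not code from the article or from any browser vendor), the following stdlib-only Python script applies the Chrome 66 / Chrome 70 schedule just described to a certificate: it reads the issuer's organizationName and the notBefore date straight out of DER and reports whether the certificate was cut off in Chrome 66 (issued before June 2016 by a Symantec-family issuer) or in Chrome 70 (any other Symantec-family certificate). The issuer names, the name-based matching and the fixture certificate built by `build_fake_cert()` are assumptions of this example; browsers actually key the distrust on root public keys, not on names.

```python
"""Classify a certificate against the Chrome 66 / Chrome 70 Symantec distrust
schedule. Added example, not code from the article.

Standard library only: a small hand-written DER walker pulls the issuer's
organizationName and the notBefore date out of the certificate. The input
certificate is CONSTRUCTED by build_fake_cert(); its key and signature are
dummy bytes, so it is a parsing fixture and nothing more.
"""
from datetime import datetime, timedelta, timezone

# Issuer organisation names of the Symantec-operated brands named in the article
# (RapidSSL certificates chain to GeoTrust roots). Matching on names is an
# assumption of this example; real distrust is pinned to root public keys.
SYMANTEC_FAMILY = {"Symantec Corporation", "VeriSign, Inc.", "thawte, Inc.", "GeoTrust Inc."}
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # issued before this: gone in Chrome 66
OID_ORGANIZATION = (2, 5, 4, 10)                              # id-at-organizationName


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def oid_body(arcs) -> bytes:
    """Base-128 OID content octets (first two arcs packed into one byte)."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = []
        while True:
            chunks.append(arc & 0x7F)
            arc >>= 7
            if not arc:
                break
        chunks.reverse()
        out.extend(c | 0x80 for c in chunks[:-1])  # continuation bit on all but the last
        out.append(chunks[-1])
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each TLV directly inside [start, end)."""
    while start < end:
        tag, vstart, vend = read_tlv(buf, start)
        yield tag, vstart, vend
        start = vend


def parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (YYMMDDHHMMSSZ, 50..99 => 19xx) or GeneralizedTime."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def issuer_org_and_not_before(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> issuer / validity (RFC 5280 layout)."""
    _, cstart, cend = read_tlv(cert_der, 0)
    _, tstart, tend = next(children(cert_der, cstart, cend))
    fields = list(children(cert_der, tstart, tend))
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    _, istart, iend = fields[2]             # serial, sigAlg, issuer, validity, ...
    _, vstart, vend = fields[3]
    org = None
    for _, sstart, send in children(cert_der, istart, iend):        # RDN SETs
        for _, astart, aend in children(cert_der, sstart, send):    # AttributeTypeAndValue
            oid, value = children(cert_der, astart, aend)
            if cert_der[oid[1]:oid[2]] == oid_body(OID_ORGANIZATION):
                org = cert_der[value[1]:value[2]].decode("utf-8")
    nb_tag, nbs, nbe = next(children(cert_der, vstart, vend))
    return org, parse_time(nb_tag, cert_der[nbs:nbe])


def chrome_distrust_status(cert_der: bytes) -> str:
    org, not_before = issuer_org_and_not_before(cert_der)
    if org not in SYMANTEC_FAMILY:
        return "unaffected"
    if not_before < CHROME66_CUTOFF:
        return "distrusted since Chrome 66"
    return "distrusted since Chrome 70"


def build_fake_cert(issuer_org: str, not_before_iso: str) -> bytes:
    """CONSTRUCTED fixture: well-formed DER shell with dummy key and signature."""
    not_before = datetime.strptime(not_before_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)

    def name(org):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here just O=
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, oid_body(OID_ORGANIZATION)) + tlv(0x0C, org.encode()))))

    def utc(dt):     # UTCTime
        return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

    sha256_rsa = tlv(0x30, tlv(0x06, oid_body((1, 2, 840, 113549, 1, 1, 11))) + tlv(0x05, b""))
    dummy_bits = tlv(0x03, b"\x00" * 9)    # BIT STRING: zero unused bits, 8 zero bytes
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + name(issuer_org) + tlv(0x30, utc(not_before) + utc(not_before + timedelta(days=365)))
              + name("fixture.example") + tlv(0x30, sha256_rsa + dummy_bits))
    return tlv(0x30, tbs + sha256_rsa + dummy_bits)


if __name__ == "__main__":
    for org, issued in [("Symantec Corporation", "2015-03-01"), ("GeoTrust Inc.", "2017-01-01"), ("Example CA", "2018-01-01")]:
        print(f"{org:22s} issued {issued}: {chrome_distrust_status(build_fake_cert(org, issued))}")
```

On a real certificate you would feed the DER of the leaf or intermediate (saved from a browser's certificate viewer, for instance) and walk the whole chain rather than trust a single issuer name; the point here is to make the two thresholds concrete and to show how little of a certificate has to be parsed to apply them.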
But while Chrome announced its plans long ago, not all websites have adapted to the new situation. As TechCrunch reports, a security researcher did a quick census and counted just over 1,100 sites still using one of the certificates affected by Google's decision, among the most visited sites on the web.
Firefox plays for time
It is precisely this situation that pushes Firefox to adopt a slightly different attitude: in a blog post published on Wednesday, Mozilla's teams explain that distrust of the certificates in question was initially planned for version 63 of the browser, but that it will be postponed to give website administrators time to update their certificates. Mozilla estimates the number of sites using Symantec certificates at 1% of the global web, and explains that "moving this measure from Firefox 63 Nightly to Beta would have a significant impact on users". Firefox opts for a short delay and announces its intention to postpone the change to version 64, due in the month of October.
Firefox and Chrome are not the only browsers taking action on Symantec certificates: Edge also weighed in on the topic in early October. In a post, the Edge team says it will gradually stop trusting Symantec certificates by following the calendar published by DigiCert, which schedules the progressive expiration of the certificates from the end of September 2018 to March 2019. Apple, for its part, published a note in June explaining that Safari would adopt a similar progressive approach, which began in July 2018.
Sites using one of these certificates therefore have every interest in renewing them if they do not want to be blocked by the main browsers. The affair led Symantec to sell its certificate authority business, which has now been taken over by DigiCert; DigiCert offers to replace the affected certificates free of charge with new compliant ones, and Symantec details the renewal procedure on a dedicated page.
