With Symantec Certs Untrusted by Google and Others, Make Sure Your Domain is Secure

Why are SSL certificates such a big deal?

Digital certificates, or secure sockets layer (SSL) certificates, encrypt internet data traffic and verify the owner of a domain name for security purposes, ensuring all data exchanged stays private. Internet users notice them through the telltale green padlock or HTTPS in the browser address bar.

Extended validation (EV) SSL certificates, in particular, are intended to provide the highest levels of trust, with enhanced assurances of a site’s authenticity. SSL-issuing Certificate Authorities are expected to conduct certain functions to ensure domain security, including “… properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certificates.”1

Why Google is Deprecating Symantec SSL certificates

But in 2015, Symantec—a popular Certificate Authority—ran into problems when it was discovered their certificate resellers were issuing test certificates—including their EV certificates—without permission from domain holders. Google® domains were covered under Symantec certificates.

The mis-issuance of certificates not only caused Google to lose trust in Symantec certificates, but it also exposed websites and web services to man-in-the-middle cyber attacks. Attackers who obtain unauthorized certificates for domains they do not own can potentially intercept and decrypt web traffic, exposing sensitive personal information. So as a result of an audit, an independent investigation, and Google’s own research that revealed the number of improperly issued certificates could exceed 30,000, Google announced in March 2017 its plans to deprecate all Symantec EV SSL certificates held by any domain through its Chrome™ browser.

What it means when Google Deprecates Symantec SSL certificates

Google’s Chrome browser will flag sites that are unprotected to warn consumers that transactions across these websites are insecure. This applies to any certificate in the Symantec family, including Thawte, GeoTrust, and RapidSSL. Nullified certificates that are not replaced would lead to disruption of websites and online services. But because Symantec is one of the largest suppliers of HTTPS certificates (30%), and invalidating them all at once would cause chaos, Google has proposed a phased plan2, as follows:

  • By Dec 1, 2017, all Symantec family certificates need to be validated by a trusted third-party sub-CA, DigiCert.
  • All newly-issued certificates are valid for a limited time period, suggested at nine months.
  • By March 15, 2018, all Symantec certificates issued before June 1, 2016 will be distrusted.
  • By Sep 13, 2018, all Symantec certificates will be distrusted by Chrome browsers.
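The portfolio review the plan calls for comes down to two facts per certificate: who issued it, and when. The following is an added example (not CSC’s or Google’s code) that parses the output of `openssl x509 -noout -issuer -dates` for a certificate and places it in the phased timeline above, using the dates as the article gives them; the sample certificate fields are constructed, and the brand list and a "still expires before its distrust date" case are assumptions of this example.

```python
import re
from datetime import datetime

# Brands the article lists as the Symantec family, matched against the issuer's O= field.
SYMANTEC_FAMILY = ("symantec", "thawte", "geotrust", "rapidssl")

# Dates from the phased plan above. openssl prints certificate dates in GMT, so all
# datetimes in this example are naive UTC.
LEGACY_CUTOFF = datetime(2016, 6, 1)       # certs issued before this fall in phase 1
PHASE1_DISTRUST = datetime(2018, 3, 15)    # phase 1: pre-June-2016 certs distrusted
PHASE2_DISTRUST = datetime(2018, 9, 13)    # phase 2: every remaining Symantec cert distrusted


def parse_openssl_output(text):
    """Turn `openssl x509 -noout -issuer -dates` output into (issuer_org, not_before, not_after)."""
    fields = dict(line.partition("=")[::2] for line in text.strip().splitlines())
    # Issuer line looks like "C = US, O = GeoTrust Inc., CN = ..."; take O= up to the next comma.
    match = re.search(r"\bO\s*=\s*([^,]+)", fields["issuer"])
    org = match.group(1).strip() if match else ""
    fmt = "%b %d %H:%M:%S %Y GMT"   # e.g. "Mar  3 00:00:00 2016 GMT" (double space is fine)
    return (org,
            datetime.strptime(fields["notBefore"].strip(), fmt),
            datetime.strptime(fields["notAfter"].strip(), fmt))


def distrust_status(issuer_org, not_before, not_after, as_of):
    """Classify one certificate against the Chrome timeline as seen on the date `as_of`.

    Returns (status, distrust_date); status is 'not-affected', 'expires-before-distrust',
    'replace-before' or 'distrusted'.
    """
    if not any(brand in issuer_org.lower() for brand in SYMANTEC_FAMILY):
        return ("not-affected", None)      # e.g. a replacement issued under DigiCert
    distrust_date = PHASE1_DISTRUST if not_before < LEGACY_CUTOFF else PHASE2_DISTRUST
    if as_of >= distrust_date:
        return ("distrusted", distrust_date)
    if not_after <= distrust_date:
        # Ordinary renewal covers it, provided the renewal is not another Symantec-family cert.
        return ("expires-before-distrust", distrust_date)
    return ("replace-before", distrust_date)


def check(text, as_of):
    """Parse openssl output and classify it in one call."""
    org, not_before, not_after = parse_openssl_output(text)
    return distrust_status(org, not_before, not_after, as_of)


# Constructed sample of what `openssl x509 -noout -issuer -dates -in site.pem` prints.
SAMPLE = """\
issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
notBefore=Mar  3 00:00:00 2016 GMT
notAfter=Mar  3 23:59:59 2019 GMT
"""

if __name__ == "__main__":
    print(check(SAMPLE, datetime(2017, 10, 1)))   # ('replace-before', datetime.datetime(2018, 3, 15, 0, 0))
```

Run it over each certificate in the portfolio with today’s date as `as_of`; anything reported as `replace-before` or `distrusted` needs reissuance from a non-Symantec-family chain before Chrome users see warnings.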

Since Chrome is the most used desktop browser with close to 58% market share (Forbes), Google’s strong stance and proposal have undoubtedly made a dent in Symantec’s business. Other browsers are also likely to join the Google bandwagon, and Mozilla announced that their Firefox browser will also match Chrome’s timeline. In the latest development, on Aug 2, 2017, Symantec announced DigiCert’s acquisition of its Website Security and related Public Key Infrastructure solutions.

What you can do to keep your digital assets secure

As a precaution, CSC® firmly believes it is important for companies currently holding Symantec family certificates to review their portfolio without delay, understand the potential risks involved, and make informed decisions on reissuance or replacement of their certificates.

We’re ready to talk. Contact us if you would like to request an audit of your SSL portfolio or find out more about our SSL certificates.


Sources:
1 https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ
2 https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html