{"id":6361,"date":"2017-09-27T00:01:06","date_gmt":"2017-09-27T04:01:06","guid":{"rendered":"https:\/\/www.cscdigitalbrand.services\/blog\/?p=6361"},"modified":"2018-02-21T16:07:52","modified_gmt":"2018-02-21T21:07:52","slug":"with-symantec-certs-untrusted-by-google-and-others-make-sure-your-domain-is-secure","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/with-symantec-certs-untrusted-by-google-and-others-make-sure-your-domain-is-secure\/","title":{"rendered":"With Symantec Certs Untrusted by Google and Others, Make Sure Your Domain is Secure"},"content":{"rendered":"

Why are SSL certificates such a big deal?<\/span><\/h2>\n

Digital certificates, or secure sockets layer (SSL) certificates encrypt internet data traffic and verify the owner of a domain name for security purposes, ensuring all data exchanged stays private. Internet users notice them through the telltale green padlock or HTTPS in the browser search window.<\/p>\n

Extended validation (EV)\u00a0SSL certificates, in particular, are intended to provide the highest levels of trust, with enhanced assurances of a site\u2019s authenticity. SSL issuing Certificate Authorities are expected to conduct certain functions to ensure domain security, including \u201c… properly ensuring that domain control validation is performed for server certificates, to audit logs frequently for evidence of unauthorized issuance, and to protect their infrastructure in order to minimize the ability for the issuance of fraudulent certificates.\u201d1<\/sup><\/p>\n

Why Google is Deprecating Symantec SSL certificates<\/span><\/h2>\n

\"Secure<\/a>But in 2015, Symantec\u2014a popular Certificate Authority\u2014ran into problems when it was discovered their certificate resellers were issuing test certificates\u2014including their EV certificates\u2014without permission from domain holders. Google\u00ae<\/sup> domains were covered under Symantec certificates.<\/p>\n

The mis-issuance of certificates not only caused Google to lose trust in Symantec certificates, but it also exposed websites and web services to man-in-the-middle cyber attacks. Hackers who obtain unauthorized certificates for domains they do not own can potentially intercept and decrypt web traffic, exposing sensitive personal information. So as a result of an audit, an independent investigation, and Google\u2019s own research that revealed the number of improperly issued certificates could exceed 30,000, Google announced in March 2017 its plans to deprecate all Symantec EV SSL certificates held by any domain through its ChromeTM<\/sup> browser.<\/p>\n

What it means when Google Deprecates Symantec SSL certificates<\/span><\/h2>\n

Google\u2019s Chrome browser will flag sites that are unprotected to warn consumers that transactions across these websites is unsecure. This applies to any certificate in the Symantec family, including Thawte, Geotrust, and RapidSSL. Nullified certificates that are not replaced would lead to disruption of websites and online services. But because Symantec is one of the largest suppliers of HTTPS certificates (30%), and invalidating them all at once would cause chaos, Google has proposed a phased plan2<\/sup>, as follows:<\/p>\n