When a website has an SSL certificate installed, a trusted third party has to vouch for it: every secure website's certificate is issued and signed by a certificate authority (CA), and browsers trust the certificate only because they trust that CA. You can learn more about SSL security here.
Symantec also owns and operates a number of other certificate authorities, such as VeriSign and GeoTrust. Google has proposed that all certificates issued by Symantec or its subsidiaries be gradually distrusted. Each new version of Chrome will significantly reduce the maximum period for which a Symantec certificate can be valid, bringing it down to 9 months by early 2018.
For websites that use “Extended Validation” certificates, meaning that they display the green bar (company name) in Chrome and offer the highest level of validation, Google proposes stripping EV recognition from Symantec-issued certificates immediately. That means the next Chrome update could potentially break any website using a Symantec EV certificate, or at least stop showing it as a verified company and, as the validity limits bite, label it “untrusted” to end users.
Why is this happening now?
An investigation in which Symantec was unable to produce data on how its partners were validating companies is cause for concern. The security giant has also admitted to mis-issuing 127 certificates. In 2015, Symantec employees were fired after it was found they had been issuing rogue SSL certificates for internal use. For Google it is too little, too late: digital security is built entirely on trust, and Google feels it can no longer trust Symantec, particularly when it comes to validating requests for SSL certificates.
When will this happen?
Google proposes removing EV status from any certificate issued by Symantec or its subsidiaries, but this hasn't happened yet. A number of websites still use Symantec-issued certificates with more than 9 months left to run, and these websites still work fine in the latest development version of Chrome. Symantec has said it will reissue all certificates, effectively caving to Google's demands. This won't be an easy fix, however: Symantec certificates make up around 30% of all those on the web, and website administrators will need to install the new certificates, potentially creating hours of work for agencies and web developers.
Beyond Chrome, Mozilla, the organisation behind the popular Firefox browser, is also discussing the issue and making similar noises. Apple and Microsoft generally follow Google's lead on this kind of issue, so when the new rules come into effect in Chrome we expect Firefox, Edge and Safari to follow suit soon after.
What does this mean for Web Administrators?
If you’re using one or more Symantec EV SSL certificates, we recommend you act soon. Your choices are:
- Work with Symantec as it reissues new certificates that comply with Google’s new rules, and install a new Symantec certificate
- Install a certificate from a different provider, sidestepping the issue entirely. COMODO and GoDaddy are both
For any other Symantec SSL certificate, be aware that you may need to install a new certificate sooner than expected.
From Google’s proposed schedule you can see that, for example, Chrome 61 will not accept any Symantec certificate whose validity period (from issue date to expiry date, not the time remaining) is longer than 21 months, or 651 days. The approximate Chrome release calendar is available here.
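To make that check concrete, here is an added example (not code from the original post or from Google or Symantec) that reads a PEM certificate and reports whether it comes from the Symantec family and which Chrome release would first refuse it. It uses only the Python standard library, so it walks just the DER fields it needs (issuer organization and the validity dates). The per-release caps are the figures from Google’s March 2017 proposal; the page itself quotes only the Chrome 61 value. Thawte and RapidSSL are listed alongside the brands the page names because they were Symantec roots too. The sample certificates are constructed fixtures with a dummy signature, built by the `sample_cert` helper so the script runs offline; in practice you would feed it the PEM of your own site (for example from `openssl s_client`).

```python
"""Which Chrome release would first reject a Symantec-family certificate?"""
import base64
from datetime import datetime, timezone

# Maximum validity in days per Chrome milestone (Google's March 2017 proposal).
CHROME_CAPS = {59: 1023, 60: 837, 61: 651, 62: 465, 63: 372, 64: 279}
# Brands operated by Symantec; matched case-insensitively against the issuer O.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")
OID_ORG = b"\x55\x04\x0a"  # 2.5.4.10 organizationName

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_org(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the O attribute."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_ORG:
                return val.decode("utf-8")
    return ""

def parse_time(tag, val):
    """0x17 UTCTime (YYMMDDHHMMSSZ) or 0x18 GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Return (issuer organization, notBefore, notAfter) from a PEM certificate."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    _, cert, _ = der_tlv(base64.b64decode(body))
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate members
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity = fields[2][1], fields[3][1]
    (t1, v1), (t2, v2) = der_children(validity)
    return issuer_org(issuer), parse_time(t1, v1), parse_time(t2, v2)

def assess(pem):
    """Classify a certificate and name the first Chrome milestone that would reject it."""
    org, not_before, not_after = parse_cert(pem)
    days = (not_after - not_before).days           # full validity period, not time left
    symantec = any(b in org.lower() for b in SYMANTEC_BRANDS)
    first_rejecting = None
    if symantec:
        first_rejecting = min((m for m, cap in CHROME_CAPS.items() if days > cap), default=None)
    return {"issuer_org": org, "validity_days": days,
            "symantec_family": symantec, "rejected_from_chrome": first_rejecting}

# --- constructed fixture: an unsigned certificate skeleton so the demo runs offline ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert(org, start, end):
    """Build a PEM with the given issuer O and validity (ISO dates). Signature is a dummy."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_ORG) + _der(0x0C, org.encode()))))
    def utc(iso):
        return _der(0x17, datetime.strptime(iso, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
                     + name + _der(0x30, utc(start) + utc(end)) + name + _der(0x30, b""))
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for org, start, end in [("Symantec Corporation", "2017-03-01", "2019-03-01"),
                            ("GeoTrust Inc.", "2017-03-01", "2020-03-01"),
                            ("COMODO CA Limited", "2017-03-01", "2019-03-01")]:
        print(assess(sample_cert(org, start, end)))
```

Note that the comparison is against the whole validity window of the leaf certificate: a two-year Symantec certificate issued in March 2017 trips the Chrome 61 cap (730 days is more than 651) even though it still has plenty of time left, which is exactly why administrators may need to reissue earlier than the expiry date suggests.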
What does this mean for Business Owners?
If Appeal manages your website, it uses SSL certificates issued by COMODO, a leading global SSL brand. This issue won’t affect your website.
Unsure whether your website is using a Symantec certificate? Note that Symantec also operates under other names, so the issuer may not say “Symantec”. If you’re unsure, get in touch with us and we’d be happy to check your website’s security.
If you’re a business owner whose website isn’t currently using any certificate, be aware that since January this year Google Chrome has flagged pages that collect passwords or card details over plain HTTP as “Not Secure” to your users, and Google has said that warning will be extended to more HTTP pages over time. We’d recommend steering clear of Symantec for now, but definitely investing in SSL security for your website.
What does this mean for Everyone Else?
Things may get a bit choppy for a while. The “Secure” label in the address bar means the connection is encrypted to whoever holds the certificate, which is enough for websites that don’t take sensitive information such as payment or bank details. When handing over payment information or other private data, however, you should also look for extended validation (the company name in the address bar), which ties the certificate to a verified organisation. A number of genuine sites could suffer from Google’s new rules, and there’s also a very high probability that scammers will jump at the chance to take advantage.
You can read the original Google Groups message from Ryan Sleevi here.
Symantec’s response is available here.