With the recent release of Chrome 63, Google started warning developers of the impending distrust of Symantec SSL certificates (about one sixth of all SSL certificates in use today), as well as those issued by other Subordinate Certificate Authorities that use the Symantec root certificate, such as GeoTrust, VeriSign, Equifax, Thawte and RapidSSL. As the de facto industry leader in browser security, Google has laid out a three-step plan to punish Symantec for mis-issuing certificates, and Firefox has followed suit.
For some historical context, Symantec and several of their regional partners issued over 30,000 SSL certificates which did not comply with the industry-developed CA/Browser Forum Baseline Requirements. This was the final straw in a string of incidents over the past several years which degraded trust in Symantec as a Certificate Authority.
Google's plan is split into three stages, the first of which has already started:
Stage 1 - Downgrade Symantec to a SubCA, and warn developers in Chrome
In June of 2017, Symantec agreed to become a Subordinate Certificate Authority (SubCA) as of December 1st, 2017, essentially requiring a more trustworthy company to vouch for the validity of Symantec's certificates. However, in August of 2017, Symantec sold their CA business to DigiCert for $950 million, washing their hands of the need to build a new SubCA business.
In the meantime, as of Chrome 63, developers started seeing warnings in the Developer Console that the certificates will eventually be distrusted.
Stage 2 - Partial distrust of Symantec certificates in Chrome
Starting with Chrome 66, estimated to be released in April 2018, Chrome will start showing SSL warnings for any Symantec certificate issued before June 6, 2016. Mozilla's Firefox browser will follow suit on May 8th.
Stage 3 - Total distrust of Symantec certificates in Chrome
Starting with Chrome 70, estimated to be released in October 2018, Chrome will show user-visible errors for any website still using a Symantec certificate issued before December 1st, 2017. Mozilla's Firefox browser will follow suit on October 23rd.
How to Keep Your Site Secure with SSL
A valid SSL certificate is a crucial part of both realized and perceived site security. So what should you do to keep your site safe?
- All website owners should evaluate whether their certificates, or any certificates used by third party tools, are affected.
- If your certificates are affected, and were issued before June 6th, 2016, work with your developers to replace the certificate immediately.
- If your certificates are affected, and were issued after December 1st, 2017, you'll need to work with your developers to replace the certificates by mid-September, 2018 at the latest.
- If any of the third party tools your site interacts with are affected, contact their developers to find out when they'll be updating their certificates. Keep in mind that if your site includes third party assets from an affected website, any page those assets are included on could be flagged as insecure.
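As an added example (not part of the original post), here is a small Python triage script that applies the two cut-off dates above to the `issuer=` and `notBefore=` lines that `openssl x509 -noout -issuer -startdate` prints for a site's leaf certificate. Matching the brand names from the post against the issuer string is an assumed heuristic, since the authoritative test is whether the chain ends at a Symantec-operated root; the sample outputs are constructed, not captured from real sites.

```python
"""Triage a certificate against the Chrome/Firefox Symantec distrust schedule."""
from datetime import datetime

# Brands the post names as chaining to Symantec-operated roots.
SYMANTEC_BRANDS = ("symantec", "geotrust", "verisign", "equifax", "thawte", "rapidssl")

# Cut-offs from the post: Chrome 66 distrusts certificates issued before the
# first date, Chrome 70 those issued before the second.
CHROME_66_CUTOFF = datetime(2016, 6, 6)
CHROME_70_CUTOFF = datetime(2017, 12, 1)


def parse_openssl_fields(text):
    """Parse the 'issuer=' and 'notBefore=' lines from
    `openssl x509 -noout -issuer -startdate`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    # openssl pads single-digit days with two spaces ('Jun  6 ...'); normalise first.
    stamp = " ".join(fields["notBefore"].split())
    return fields["issuer"], datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")


def classify(issuer, not_before):
    """Return (code, advice). The brand-name match is a heuristic (assumption);
    the real check is whether the chain's root is Symantec-operated."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return "UNAFFECTED", "issuer is not a Symantec-operated brand"
    if not_before < CHROME_66_CUTOFF:
        return "CHROME_66", "issued before 2016-06-06: replace immediately"
    if not_before < CHROME_70_CUTOFF:
        return "CHROME_70", "issued before 2017-12-01: replace before Chrome 70 (October 2018)"
    return "POST_TRANSITION", "issued on or after 2017-12-01: outside the announced distrust window"


def triage(openssl_text):
    """Classify one certificate from raw openssl text output."""
    return classify(*parse_openssl_fields(openssl_text))


# Constructed sample output in the shape openssl prints (not from real sites).
SAMPLES = {
    "old-thawte": "issuer=C = US, O = thawte, Inc., CN = thawte SSL CA - G2\nnotBefore=Mar  3 00:00:00 2016 GMT\n",
    "mid-symantec": "issuer=C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4\nnotBefore=Sep 14 00:00:00 2017 GMT\n",
    "new-rapidssl": "issuer=C = US, O = DigiCert Inc, CN = RapidSSL RSA CA 2018\nnotBefore=Jan 10 00:00:00 2018 GMT\n",
    "other-ca": "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\nnotBefore=Jan  5 12:00:00 2018 GMT\n",
}
```

Run `for name, text in SAMPLES.items(): print(name, *triage(text))` to see the verdict for each sample; feed real output from `openssl s_client -connect host:443 | openssl x509 -noout -issuer -startdate` into `triage` for a live site.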