Earlier this year, Google expressed its concern for the safety of those visiting sites that had SSL certificates from Symantec and promised to do something about it. Now, the company outlined its plans to deprecate Symantec-issued certificates in Chrome.
The whole situation kicked off in January when it became known that a series of questionable website authentication certificates had been issued by Symantec Corporation’s PKI. During the investigation, it became apparent that Syantec had entrusted third party organizations with the ability to issue certificates without the necessary oversight, creating security gaps. This wasn’t the first time that something similar had happened with Symantec, but it was the last straw Google was willing to take. Essentially, the SSL certificates were handed over despite not all conditions being met. Since users rely on seeing that “safe” note in the address bar, they could take these sites as being safe too, when they weren’t.
The two companies worked together and Symantec selected DigiCert to run an independent Managed Partner Infrastructure. It also decided to sell the PKI business to DigiCert so it could build a trusted infrastructure. It is expected that DigiCert will start issuing certificates this December.
So what happens next? Well, starting with Chrome 66, Chrome will remove trust in certificates Symantec issued before June 1, 2016. This particular Chrome version is scheduled for released sometime in March as Beta and April will see the stable version released too.
Site operators that hold such a certificate will once more have to go through all the hoops to get a new certificate. They’ll have until March 15, 2018, to do this.
Starting this October, however, with the release of Chrome 62 Stable, sites affected by the certificate issue will start getting flagged.
Symantec’s SSL issues
According to Google’s timeline, Chrome 70’s release will bring additional steps against this issue as any certificate chaining to Symantec roots, except for a small number issued by the independently operated and audited subordinate CAs Google previously disclosed.
The company notes that this will be an inconvenience to site owners who need to get certificates from Symantec’s old infrastructure before December 2017 when DigiCert takes over, as they’ll have to go through another round of certificate replacement before Chrome 70 goes live.
Taking into consideration that Chrome is the most used browser in the world, with StatCounter attributing it 54.89% of the global market, the impact will be great. These sites won’t be able to just shrug their shoulders and postpone taking action if they want to still get any traffic.