Chrome To Remove Trust In Symantec-Issued SSL Certificates
In late July, the Chrome team began making plans to remove trust in Symantec-issued certificates. The move is meant to assure Chrome users that their security and privacy while browsing the web are not compromised. The decision was made after a lengthy debate on the blink-dev forum, in which it was agreed that Symantec would be given ample time to modernize and manage its infrastructure so as to meet today’s industry standards.
The plan was created to allow a smooth transition to a new and independently operated infrastructure without compromising user experience or privacy. Below, we review the plan and its timelines so that site operators can plan ahead and avoid being caught off guard. Some SEO professionals have already had to advise their clients that they may need to obtain new certificates as a result of the transition.
How It Started
It all started on January 19, 2017, when information was shared on the mozilla.dev.security.policy newsgroup. The posting highlighted questionable website authentication certificates that had been issued by Symantec. Symantec operates a number of certificate authorities under different brands; a few popular ones are Thawte, VeriSign, Equifax and GeoTrust. These organizations were trusted by Symantec to issue certificates on its behalf.
Issuance Of Certificates That Failed To Meet Baseline Requirements
According to the posting, these certificate authorities had issued certificates that did not comply with the CA/Browser Forum Baseline Requirements. In other words, the certificate authorities entrusted by Symantec had issued certificates that did not meet the required standards. Worse, Symantec is said not to have conducted proper oversight, and to have been aware of the deficiencies in these organizations for some time before taking appropriate action.
Loss Of Confidence In Symantec-Issued Certificates
As a result, the Chrome team lost confidence in the infrastructure Symantec used to issue certificates, and began taking action regarding certificates that had been or would be issued by Symantec. Symantec has since announced plans to build a new, trusted infrastructure. Existing Symantec customers, however, need to follow the steps in the timeline below to avoid disrupting their users during the transition.
How Does This Affect Site Operators?
The Chrome team announced that Chrome 66 will remove trust in any Symantec certificate issued before June 1, 2016. Chrome 66 is scheduled for release to Beta users on March 15, 2018 and to Stable users on April 17, 2018. If you have a certificate that was issued by Symantec before June 1, 2016, you need to replace it before Chrome 66 is released. A replacement can be obtained from any other certificate authority that is trusted by Chrome.
Symantec is also expected to hand over the issuance and operation of its infrastructure to DigiCert by December 1, 2017, so certificates issued by Symantec’s old infrastructure after December 1, 2017 will not be trusted by Chrome. Site operators can therefore obtain a certificate from the old infrastructure only until December 1, 2017. Refer to the timetable below for more information.
| Date | Milestone |
|---|---|
| Now through ~March 15, 2018 | Site Operators using Symantec-issued TLS server certificates issued before June 1, 2016 should replace these certificates. These certificates can be replaced by any currently trusted CA. |
| ~October 24, 2017 | Chrome 62 released to Stable, which will add alerting in DevTools when evaluating certificates that will be affected by the Chrome 66 distrust. |
| December 1, 2017 | According to Symantec, DigiCert’s new “Managed Partner Infrastructure” will at this point be capable of full issuance. Any certificates issued by Symantec’s old infrastructure after this point will cease working in a future Chrome update. From this date forward, Site Operators can obtain TLS server certificates from the new Managed Partner Infrastructure that will continue to be trusted after Chrome 70 (~October 23, 2018). December 1, 2017 does not mandate any certificate changes, but represents an opportunity for site operators to obtain TLS server certificates that will not be affected by Chrome 70’s distrust of the old infrastructure. |
| ~March 15, 2018 | Chrome 66 released to Beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016. As of this date Site Operators must be using either a Symantec-issued TLS server certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66. Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below. |
| ~April 17, 2018 | Chrome 66 released to Stable. |
| ~September 13, 2018 | Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted infrastructure. This will not affect any certificate chaining to the new Managed Partner Infrastructure, which Symantec has said will be operational by December 1, 2017. Only TLS server certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date. |
| ~October 23, 2018 | Chrome 70 released to Stable. |
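As an added example (not code from the article, Chrome or Symantec), the following Python script classifies a server certificate against the timeline above, using the issuer and notBefore lines that `openssl x509 -noout -issuer -startdate -in server.pem` prints. It assumes the caller has already determined whether the chain ends in DigiCert's new Managed Partner Infrastructure (the `new_infrastructure` flag), and the sample OpenSSL outputs are constructed.

```python
import re
from datetime import datetime

# Milestones taken from the article's timeline (Chrome release dates are approximate).
CHROME66_NOT_BEFORE_CUTOFF = datetime(2016, 6, 1)  # Chrome 66 distrusts Symantec certs older than this
CHROME66_STABLE = datetime(2018, 4, 17)
CHROME70_STABLE = datetime(2018, 10, 23)

# Issuer brands the article names as Symantec-operated certificate authorities.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "equifax")

def parse_openssl_output(text):
    """Extract issuer and notBefore from the output of
    `openssl x509 -noout -issuer -startdate -in server.pem`."""
    issuer = re.search(r"^issuer=(.*)$", text, re.M).group(1).strip()
    start = re.search(r"^notBefore=(.*)$", text, re.M).group(1).strip()
    # OpenSSL prints e.g. "Mar  3 00:00:00 2016 GMT"; strptime tolerates the double space.
    not_before = datetime.strptime(start.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return issuer, not_before

def classify(issuer, not_before, new_infrastructure=False):
    """Return (replace_by, reason); replace_by is None when no action is needed.
    new_infrastructure is a caller-supplied assumption: True only if the chain was
    verified to end in DigiCert's Managed Partner Infrastructure."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return None, "not issued by a Symantec-operated CA"
    if new_infrastructure:
        return None, "chains to the new Managed Partner Infrastructure"
    if not_before < CHROME66_NOT_BEFORE_CUTOFF:
        return CHROME66_STABLE, "issued before June 1, 2016: distrusted by Chrome 66"
    return CHROME70_STABLE, "old Symantec infrastructure: distrusted by Chrome 70"

def check_certificate(openssl_text, new_infrastructure=False):
    """Convenience wrapper: parse OpenSSL output and classify it."""
    issuer, not_before = parse_openssl_output(openssl_text)
    return classify(issuer, not_before, new_infrastructure)

# Constructed sample OpenSSL outputs (not real certificates).
OLD_CERT = ("issuer=C = US, O = Symantec Corporation, CN = Example Symantec CA (constructed)\n"
            "notBefore=Mar  3 00:00:00 2016 GMT\n")
NEWER_CERT = ("issuer=C = US, O = GeoTrust Inc., CN = Example GeoTrust CA (constructed)\n"
              "notBefore=Sep 14 12:30:00 2017 GMT\n")
OTHER_CERT = ("issuer=C = US, O = Other Trusted CA, CN = Example Other CA (constructed)\n"
              "notBefore=Jan  5 08:00:00 2018 GMT\n")

if __name__ == "__main__":
    for sample in (OLD_CERT, NEWER_CERT, OTHER_CERT):
        deadline, reason = check_certificate(sample)
        print(deadline.date() if deadline else "no action", "-", reason)
```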