Late last year Google announced that it will no longer trust digital certificates issued by Symantec.
The first phase began at the end of last year when Symantec began to “outsource” the issuance of certificates to another trusted Certificate Authority (CA).
The second phase is scheduled to begin sometime after Mid-April 2018 with Chrome version 66. With this version, website visitors will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.
The third phase is estimated to begin in October. At that time, Chrome will no longer trust Symantec certificates that were issued before Phase 1 began. So, now is the time to be proactive so that you don’t have issues in the future!
Why is Google doing this?
In March 2017, Google and Mozilla engineers discovered that Symantec had incorrectly issued over 100 SSL certificates. This means that they had issued certificates to websites when they shouldn’t have. As further investigations continued, more and more issues were found. As Symantec is one of the largest “trusted” CAs on the market, this was very disturbing as all of the major web browsers had trust that any website that uses a Symantec SSL certificate is in fact the website that it claims to be. Now that this trust has been broken, Google has decided to ultimately revoke trust of all Symantec certificates on Chrome.
What is affected?
This affects users of Chrome browser version 66 and newer, but warnings have been seen since version 62.
Specifically, this involves:
- Symantec certificates issued
- All Symantec Root trusted certificates (including certificates issued by other vendors that use Symantec trusted roots such as Thawte, GeoTrust, and RapidSSL)
Note: all Symantec issued certificates older than June 2016 must be replaced
What to do
If any of your web servers are using a Symantec certificate you will need to update it. You should update your website with a new certificate from any Certificate Authority trusted by Chrome.
While this is only going to affect Chrome users, other browsers, like Firefox, appear to be following the lead by Google and will also be removing trust for Symantec certificates. It is better to be proactive rather than to have users not being able to confidently connect to your website!
Do you have questions or need help determining if your website is impacted by this upcoming change to Google Chrome? Email firstname.lastname@example.org. We are happy to help!