
DigiCert bought Symantec Website Security: implications for users of SSL / TLS certificates

Last spring, Google found that Symantec had allowed at least four third-party organizations to issue certificates on its behalf but had failed to supervise their activities and their compliance with the service standards. As a result, Google started a "distrust procedure" for Symantec certificates.

To resolve the problem, Symantec decided to sell its CA technology and PKI business to DigiCert. The deal closed at the end of October 2017. Below we go into the details of the "distrust" of Symantec certificates and its consequences for users.


Image: Flickr / Yuri Samoilov / CC

Why it was sold


When working with SSL certificates, certification authorities (CAs) follow the rules approved by the CA/Browser Forum, a consortium that unites developers of browsers, operating systems and PKI applications together with root certification authorities. In the spring of last year, Google accused Symantec of violating these rules when issuing certificates to legal entities.

The claims concerned certificates with extended validation, the so-called EV certificates (Extended Validation). They first appeared 11 years ago and are intended for web resources that process financial transactions. To issue such a certificate, the CA must establish the identity of the domain owner. At Symantec this check was performed with violations, so compliance with the service standards by the certificate holder could not be guaranteed.

According to research by Andrew Ayer, the founder of SSLMate, about 100 certificates were issued with violations. In response, Google initiated the process of distrusting Symantec certificates, and Mozilla supported the initiative.

To resolve the trust problem, Symantec would have had to reissue millions of client certificates and re-verify the identity of the owners of the web resources. That would have taken too much time and money, so the company decided to sell its CA business to DigiCert; the deal was valued at $950 million.

The distrust procedure


Distrust will begin on March 15 of this year, with the release of the beta version of Chrome 66. From that point the browser will no longer trust certificates that Symantec issued before June 1, 2016 on its old infrastructure.

On December 23, 2018, when Chrome 70 is released, support for Symantec certificates will end entirely. The process is split into several stages because Google listened to the IT community's requests for time to reissue certificates.

Note that the loss of trust also affects the CA certificates that chain to the Symantec root certificate, namely GeoTrust, Thawte and RapidSSL. Resellers of SSL certificates, including 1cloud, will also stop working with Symantec certificates issued on the old infrastructure.

How this affects users


Since December 1, 2017, DigiCert has been issuing Symantec certificates on the new infrastructure, which Google does not consider "dangerous". We at 1cloud work with these certificates as well.
“In fact, the line of certificates has not changed. We continue to sell them,” says Sergey Belkin, head of the 1cloud project development department.
As Symantec notes, DigiCert's specialists are well prepared and will be able to adapt the business processes and take on the customers. The company's infrastructure is capable of supporting billions of certificates and has ample room to scale.

Jody Cloutier, former project manager of the Cryptographic Ecosystem at Microsoft, says that DigiCert's new acquisition will only increase investment in the development of the company's products and platforms.

Meanwhile, Symantec customers can order certificates the same way they did before and use the same management tools: technical support contacts, contract numbers, brands and validity periods remain unchanged.

However, certificates subject to restrictions by Google and Mozilla still have to be replaced. DigiCert representatives assure that replacement will be free of charge and at a time convenient for users. All customers who need to renew a certificate will receive a reminder and a step-by-step guide; they can also contact support on their own at any time for individual advice.

New certificates will be sold under DigiCert's standard terms. More information about SSL services is available on the official website.

What owners of Symantec certificates should do


If a certificate is subject to replacement, it must be reissued so that visitors to your site are not alarmed by Google's warnings that the resource is insecure. We suggest following these rules:

  1. If your SSL certificate was purchased before June 1, 2016 and expires after March 14, 2018, you need to reissue it by mid-March. Chrome 66 is released in that period, and its users will receive notifications from Google that your resource is insecure.
  2. If the certificate was issued between June 1, 2016 and December 1, 2017, it must be reissued before September 13, 2018, that is, before the beta release of Chrome 70. Note that if you reissued the certificate before December 1 of last year, you will have to replace it again.
  3. Certificates purchased after December 1, 2017 do not need to be replaced. Nevertheless, we still advise following the news in this area in case of unforeseen circumstances.
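To turn the distrust schedule above and these three rules into a repeatable check, here is an added Python example (not code from the article or from 1cloud). It classifies a certificate by its issuer and validity dates; matching the issuer's organizationName against the brand names listed in the article is an assumed simplification, and the optional PEM path assumes the third-party `cryptography` package.

```python
from datetime import datetime, timezone
from typing import Optional, Tuple

# Milestones named in the article (UTC). The deadlines are the Chrome beta dates.
OLD_PKI_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)         # rule 1 / rule 2 boundary
NEW_PKI_START = datetime(2017, 12, 1, tzinfo=timezone.utc)         # DigiCert infrastructure takes over
CHROME66_EXPIRY_LINE = datetime(2018, 3, 14, tzinfo=timezone.utc)  # "expires after March 14, 2018"
CHROME66_BETA = datetime(2018, 3, 15, tzinfo=timezone.utc)
CHROME70_BETA = datetime(2018, 9, 13, tzinfo=timezone.utc)

# Brands the article lists under the Symantec root. Matching the issuer's organizationName
# is a simplification (assumption): a thorough check walks the chain up to the root.
LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")


def is_legacy_brand(issuer_org: str) -> bool:
    org = issuer_org.lower()
    return any(brand in org for brand in LEGACY_BRANDS)


def classify(issuer_org: str, not_before: datetime, not_after: datetime) -> Tuple[str, Optional[str]]:
    """Apply the article's three rules; return (action, reissue deadline as YYYY-MM-DD or None)."""
    if not is_legacy_brand(issuer_org):
        return "not a Symantec-family certificate", None
    if not_before >= NEW_PKI_START:                      # rule 3: issued on the new infrastructure
        return "no action required", None
    if not_before < OLD_PKI_CUTOFF:                      # rule 1: old infrastructure, before June 2016
        if not_after > CHROME66_EXPIRY_LINE:
            return "reissue before Chrome 66 beta", CHROME66_BETA.date().isoformat()
        return "expires before Chrome 66 beta; renew normally", None
    # rule 2: issued June 1, 2016 .. Nov 30, 2017 (this also catches reissues done in that window)
    return "reissue before Chrome 70 beta", CHROME70_BETA.date().isoformat()


def classify_iso(issuer_org: str, not_before: str, not_after: str) -> Tuple[str, Optional[str]]:
    """Convenience wrapper taking YYYY-MM-DD strings as shown in a browser's certificate viewer."""
    def to_utc(day: str) -> datetime:
        return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
    return classify(issuer_org, to_utc(not_before), to_utc(not_after))


def classify_pem(pem: bytes) -> Tuple[str, Optional[str]]:
    """Same check on a PEM certificate; requires the third-party 'cryptography' package."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    cert = x509.load_pem_x509_certificate(pem)
    orgs = cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    issuer_org = orgs[0].value if orgs else ""
    return classify(issuer_org,
                    cert.not_valid_before.replace(tzinfo=timezone.utc),
                    cert.not_valid_after.replace(tzinfo=timezone.utc))
```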


Source: https://habr.com/ru/post/349382/

