Hi Habr! Earlier, on our security blog, we announced plans to reduce Chrome’s trust in Symantec certificates (including Symantec-owned brands such as Thawte, VeriSign, Equifax, GeoTrust and RapidSSL). This post describes how site owners can determine whether they will be affected by the reduced trust in Symantec certificates, and if so, what to do and when. Failure to replace these certificates will cause sites to break in upcoming versions of major browsers, including Chrome and Firefox.
If your site uses an SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop working in Chrome 66, which in turn may affect your users.
If you are not sure whether your website uses such a certificate, you can check now whether it is at risk by using Chrome Canary. If a certificate error or a warning in DevTools is displayed when you open your website, as shown below, you will need to replace the certificate. You can get a new certificate from any trusted CA, including DigiCert, which recently acquired Symantec's CA business.
An example of the certificate error that Chrome 66 users may see if you are using a Legacy Symantec SSL/TLS certificate issued before June 1, 2016
The DevTools message shows whether you need to replace the certificate before the release of Chrome 66
Chrome 66 is already available in the Canary and Dev channels, which means that affected sites are already showing errors to users of these versions of Chrome. Moreover, if affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will soon run into the same errors. We strongly urge site owners to replace their certificates as soon as possible if an error is displayed on the site when browsing with Chrome Canary.
Beginning with Chrome 70, all other Symantec SSL/TLS certificates will stop working, resulting in a certificate error similar to the one shown above. To check whether your certificate is at risk, open your website in Chrome and open DevTools. If the certificate needs to be replaced, a message saying so will be displayed in the console.
The DevTools message shows whether you need to replace the certificate before the release of Chrome 70
If you see this message in DevTools, we recommend replacing the certificate as soon as possible. If the certificate is not replaced, users will begin to see certificate errors on your site starting July 20, 2018. The first Chrome 70 Beta release will be available around September 13, 2018.
The table below shows the First Canary, First Beta and Stable release dates for Chrome 66 and 70. The first impact of a given release coincides with its First Canary and then reaches a steadily widening audience as the release moves to Beta and eventually to Stable. Site operators are urged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates.
By the way, you can always get detailed information about the release timeline for a specific version of Google Chrome in the Chromium project's development calendar.
To meet the needs of enterprise users, an Enterprise Policy that disables the distrust of the Legacy Symantec PKI will be added to Chrome, starting with Chrome 66. This policy will no longer be available after January 1, 2019, at which point certificates from the Legacy Symantec PKI will no longer be trusted for any user.
As noted in the previous announcement, SSL/TLS certificates issued from the Legacy Symantec PKI after December 1, 2017 are no longer trusted. This should not affect most site owners, because obtaining such certificates requires a special agreement with DigiCert. Access to sites using such a certificate will fail, and the request will be blocked as of Chrome 65.
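The cut-offs described in this post can be applied to a whole inventory of sites at once. The following is an added example, not part of the original post and not Chrome's own logic. It assumes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, uses a heuristic match of the issuer's organizationName against the brands listed above, treats December 1, 2017 00:00 UTC itself as past the cut-off, and runs on constructed sample data; the DevTools message remains the authoritative check.

```python
import ssl
from datetime import datetime, timezone

# Brands the post lists as Symantec-owned, compared case-insensitively.
LEGACY_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
JUNE_2016 = datetime(2016, 6, 1, tzinfo=timezone.utc)
DEC_2017 = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def first_distrusting_chrome(cert):
    """Chrome version (65, 66 or 70) that first rejects the cert, else None."""
    org = issuer_org(cert).lower()
    # Assumption: brand name in the issuer organization implies Legacy Symantec PKI.
    if not any(brand in org for brand in LEGACY_BRANDS):
        return None
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < JUNE_2016:
        return 66   # issued before June 1, 2016
    if issued >= DEC_2017:
        return 65   # issued after December 1, 2017 (boundary is an assumption)
    return 70       # all other Symantec certificates

def sample_cert(org, not_before):
    """Build a constructed certificate dict holding only the fields used here."""
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}

# Constructed inventory: host names and certificate fields are illustrative.
SAMPLES = {
    "old.example": sample_cert("GeoTrust Inc.", "May 31 23:59:59 2016 GMT"),
    "edge.example": sample_cert("Symantec Corporation", "Jun  1 00:00:00 2016 GMT"),
    "late.example": sample_cert("thawte, Inc.", "Dec 15 12:00:00 2017 GMT"),
    "moved.example": sample_cert("DigiCert Inc", "Feb  1 00:00:00 2018 GMT"),
}

def audit(certs):
    """Map each host to the first Chrome version that distrusts its certificate."""
    return {host: first_distrusting_chrome(cert) for host, cert in certs.items()}

if __name__ == "__main__":
    for host, version in audit(SAMPLES).items():
        print(host, "not affected" if version is None else f"replace before Chrome {version}")
```

Sorting the result by version gives the replacement order: hosts mapped to 65 and 66 come first, hosts mapped to 70 can follow.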
Source: https://habr.com/ru/post/352460/