Google, Apple, and Mozilla recently announced that they will distrust “ALL” Symantec-chained SSL/TLS certificates later this year, signaling to website developers that they need to adopt approved security certificates to ensure visitors to their sites are not exposed to attackers.
The new security policies of the three well-known web browsers will apply to all Symantec-issued security certificates, rather than existing policies that only distrust TLS certificates issued by Symantec before June 1, 2016. These will cover certificates issued by Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL that are owned by Symantec.
No more Symantec certs from next year
According to Apple, the company’s products will start distrusting all Symantec Certificate Authorities by Fall this year that were issued before June 1, 2016 or after December 1, 2017. Certificates issued between these two dates will continue to be trusted if the certificate’s Signed Certificate Timestamp (SCT) date is before December 1, 2017 and they meet Apple’s CT Policy. However, these will be active only for a limited period as Apple will fully distrust all Symantec CAs at a later date.
Google has also announced that the upcoming Chrome 73 update will ensure that all Symantec CAs will be distrusted and will replace an existing policy that protects companies that rely on Symantec security certificates pre-dating June 2016. Chrome 73 is expected to arrive in January 2019 which means that website developers have only a few months to adopt certificates issued by trusted CAs.
Similarly, Mozilla’s upcoming Firefox 63 update, which is scheduled to release on October 23rd this year, will distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued. The existing Firefox 60 version distrusts certificates issued by Symantec before June 1, 2016.
Thousand of sites still using Symantec-issued certs
Mozilla has warned that even though many major browsers will start distrusting all Symantec-issued certificates later this year, as many as 3.5 percent of the top 1 million websites are presently using Symantec certificates. However, it ias expressed hope that a large proportion of websites will feature fresh certificates by the time Firefox 63 is released.
“This number represents a very significant impact to Firefox users, but it has declined by over 20% in the past two months, and as the Firefox 63 release approaches, we expect the same rapid pace of improvement that we observed with the Firefox 60 release,” it added.
“Businesses were already aware of Google’s plans to distrust Symantec certificates later this year, but Mozilla has highlighted 3.5 percent of the top 1 million sites are yet to act. It is likely that some of the world’s largest banks, retailers, insurers and cloud providers need to replace the identifies of these certificates, which inform users their transactions are secure. Being able to issue, replace, and recover from incidents involving keys and certificates with speed and agility is more vital than ever,” says Kevin Bocek, Chief Cybersecurity Strategist at Venafi.
“Solving this problem will be a huge challenge for organisations and governments. Recent similar events have shown how challenging most organisations find this process – the US federal government, for example, was given 18 months to install certificates on all web servers and failed. One year after Heartbleed, over half of ‘global 2000’ businesses still couldn’t fully remediate Heartbleed by changing out keys. With the deadline looming, businesses can no longer be complacent,” he adds.