Google this week announced a final timetable for withdrawing support in the Chrome browser for websites that use Symantec-issued authentication certificates.
The timetable gives organizations that are using Symantec authentication certificates time to replace them, or risk having their sites flagged as unsafe by the Chrome browser after the final deadline passes.
In an announcement on Google’s Security Blog, members of the Chrome security team posted a timeline indicating the exact dates by which site operators will need to obtain new certificates from any certificate authority that is trusted by Chrome.
Google’s schedule gives site owners until March 15, 2018 to replace Symantec Transport Layer Security (TLS) certificates that were issued before June 1, 2016. By mid-September next year, sites with Symantec certificates dated after June 1, 2016 will need to replace them as well, with new ones from either Symantec or any other certificate-issuing vendor.
Starting with release 70 of Chrome on Sept. 13, 2018, the browser will distrust all existing Symantec-issued TLS certificates.
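For a site operator triaging which of the two deadlines applies, here is an added example (not from Google's post or this article) that classifies a certificate, in the dict shape Python's ssl.getpeercert() returns, against the schedule above; the issuer-name set, the UTC reading of the June 1 cutoff, and the sample certificates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Chrome's schedule as reported above. Assumption: "issued before June 1, 2016"
# is judged on the certificate's notBefore field, in UTC.
ISSUANCE_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
EARLY_DISTRUST = datetime(2018, 3, 15, tzinfo=timezone.utc)  # certs issued before the cutoff
FINAL_DISTRUST = datetime(2018, 9, 13, tzinfo=timezone.utc)  # Chrome 70: all Symantec certs
# Issuer organisation names treated as Symantec-operated. The article names only
# Symantec; extend this from Google's published list of affected roots.
SYMANTEC_ISSUER_ORGS = {"Symantec Corporation"}

def _rdn_value(name, attr):
    """Read one attribute from the tuple-of-tuples 'issuer'/'subject' form
    that ssl.SSLSocket.getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def classify(cert):
    """Return (is_symantec, distrust_date) for a getpeercert()-style dict.
    Only the leaf's direct issuer is inspected; that is all getpeercert() exposes."""
    org = _rdn_value(cert.get("issuer", ()), "organizationName")
    if org not in SYMANTEC_ISSUER_ORGS:
        return False, None
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return True, (EARLY_DISTRUST if issued < ISSUANCE_CUTOFF else FINAL_DISTRUST)

def check_host(host, port=443, timeout=5):
    """Fetch a live site's leaf certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())

# Constructed samples in getpeercert() shape; not real certificates.
OLD_SYMANTEC_CERT = {
    "issuer": ((("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec Intermediate CA"),)),
    "notBefore": "May 31 23:59:59 2016 GMT",
}
NEW_SYMANTEC_CERT = dict(OLD_SYMANTEC_CERT, notBefore="Jun  1 00:00:00 2016 GMT")
OTHER_CA_CERT = {"issuer": ((("organizationName", "DigiCert Inc"),),),
                 "notBefore": "Jan  5 09:34:43 2017 GMT"}

if __name__ == "__main__":
    print(classify(OLD_SYMANTEC_CERT), classify(NEW_SYMANTEC_CERT), classify(OTHER_CA_CERT))
```

Because getpeercert() exposes only the leaf, a certificate whose direct issuer is an intermediate branded differently from its Symantec root will need the full chain checked against Google's list.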
This week’s blog post is designed to give website owners actionable information about the steps that Google has said it will take after an investigation earlier this year prompted questions about Symantec’s diligence in issuing certificates to site owners.
As a so-called Certificate Authority (CA), Symantec is one of several companies worldwide entrusted with issuing the cryptographic certificates used to authenticate websites.
Browsers such as Chrome use these certificates to verify the identity of websites and to make sure that a site which purports to belong to a specific internet domain actually does belong to it. Sites that are properly authenticated and deemed safe usually show a green padlock or a similar icon in the URL bar.
Improperly issued certificates can have critical consequences and, among other things, allow threat actors to spoof legitimate sites. A threat actor that managed to obtain a mistakenly issued digital certificate for Google.com, for instance, could spoof a Google site that would be trusted implicitly by all major browsers. This would allow the threat actor to use the spoofed site to distribute malware to website visitors.
In January, security engineers at Mozilla, the organization behind the Firefox browser, publicly reported what they described as serious irregularities in Symantec’s handling of the certificate issuance process. The researchers noted that they had come across several instances where Symantec had wrongly issued certificates for specific domains without any authorization from the domain owners.
A subsequent investigation by Google showed that Symantec had improperly allowed four third parties to access its digital certificate issuance infrastructure and issue certificates on its behalf. Google claimed its investigation showed that Symantec in its role as a CA had allowed 30,000 certificates to be improperly issued, even as Symantec itself pegged the number at 127.
The disclosures this year about problems with Symantec’s certificate issuing process marked the second time since October 2015 that the company was caught mis-issuing certificates. In the 2015 incident, Symantec admitted that it had improperly issued a total of 23 test certificates covering five organizations, including Google and Opera.
Google has claimed that its decision to distrust—or deprecate—all Symantec’s certificates stems from the company’s systemic failure to follow industry norms. Google has said the only way Chrome will be allowed to trust Symantec certificates again is if the certificates are issued from a completely new infrastructure and with proper oversight.
At least partly as a result of the pressure from Google, Symantec in August sold its digital certificate business to DigiCert for just under $1 billion and a 30 percent stake in the common stock of the company.
Current plans call for DigiCert to start issuing new certificates to Symantec customers starting later this year. Google says DigiCert is one of the authentication certificate authorities that Chrome will continue to trust after Sept. 13, 2018.