Reminder: Popular Browsers To Distrust Symantec SSL/TLS Certificates Starting In October


This is a final reminder that legacy TLS certificates issued by Symantec, including those issued by authorities like Thawte, Geotrust, and RapidSSL which used Symantec as a central authority, will be distrusted by both Google Chrome and Mozilla Firefox beginning in October. Apple products have partially distrusted these certificates and plan to also distrust the full set of certificates at some point in Fall 2018. Digicert has acquired the Certificate Authority (CA) and its infrastructure, and is issuing free replacement certificates for all affected customers. If you have already replaced your certificate, no action is needed.

Mozilla has estimated around 1% of the top million websites are still using certificates which will no longer be accepted by most web browsers in the next month, despite the year of warning. If you are currently using Firefox or Chrome, you can simply visit your website and check the browser console (Ctrl+Shift+J in Windows and Linux, or Cmd+Shift+J on Mac for Firefox and Cmd+Option+J for Chrome) to see if your certificate is in danger of being distrusted. If you use Firefox Nightly or Chrome Canary you may already see the standard “Invalid Certificate” warning rather than your site.

Example warning from the Chrome console for a site with an affected certificate

Why Is This Happening?

When we last reminded our users about this 6 months ago, questions like “Why do browser vendors care?” and “Why is this happening?” filled the comments section of the post.

Browser vendors care because these certificates are used to verify you are connecting to the server you intended. Without getting buried in technical details of public key cryptography and certificate chains, this is done by having a pool of central authorities that verify an issued certificate goes to the proper owner of a website. Your computer has a list of trusted authorities stored on it, and compares every certificate it sees to this list. This means that, in addition to encrypting the data in transit between you and the server, you can also be assured that you are communicating with the correct server. This prevents actions such as a Man In The Middle (MITM) attack, where a malicious actor attempts to intercept or alter traffic between a user and a server.

The challenging part of being a Certificate Authority (CA), like Symantec was, is properly verifying who is being issued a certificate, which leads us to why this change is taking place. Back in 2016, users noticed Symantec issuing certificates against certain guidelines, and posted this information to a Mozilla security mailing list. This was the latest in a series of problems with the Symantec CA. After much discussion between other major CAs, the decision was made to distrust Symantec and remove it as an authority. If you’re curious about further technical details, the majority of this discussion was conducted via public mailing lists available online.

This is a final reminder, as the next upcoming browser releases will entirely distrust these certificates. Please check your site and replace the certificate as needed!

Did you enjoy this post? Share it!

Comments

7 Comments
  • The Mac shortcut to check the browser console listed in this article is incorrect. For Mac it is Cmd+Option+J. You should fix this.
    If my website is listed as "not secure", is this a problem? It is a general information website, and I don't accept credit cards nor does it contain client information.

    Thank you.

    • Thanks for the heads up Pamela! Looks like it's Cmd+Shift+J for Firefox according to their documentation, but Cmd+Option+J in Chrome. I'll get that updated!

      To your other question, in short it's nearly always an excellent idea to make use of HTTPS where possible. Search engines are weighting results towards HTTPS where available, and it shows your users that you care about their privacy while they view your site. Even if your users aren't inputting sensitive data, an insecure connection allows third parties along the way, like network administrators and ISPs, to inspect or alter this traffic.

  • I run a small church website, we don’t even allow comments and don’t ask for or hold personal information on our website. As a consequence we don’t have a certificate and don’t encrypt our pages. Some virus checkers already mark us as “not secure”.

    Our standard comment on this is: “This website does not use cookies (to our knowledge anyway). We don’t hold any information from our users.

    Cookies, scones and other cakes are available at our regular cake sales – see notices for upcoming cake opportunities…”

    Will the tightening up on TLS certificates by distrusting them have any effect on small information only sites such as ours?

    • The Symantec news shared here won't have any impact on sites that aren't currently using a Symantec-issued certificate. If you do not currently make use of any cert, you won't need to worry about this case.

      As far as when to use HTTPS, I gave a little more detail in a reply to a previous comment but in general you should make use of it on every site.

  • Thanks for the head up.

  • Mikey, I think mine was issued upon opening my website wirh my host provider. Is this something I don't have to worry about if I pay for it along with my hosting with siteground?

  • While websites aren’t “required” to have an SSL certificate, Chrome users now see a warning for sites that are not secure. It would make sense to use one. At least get a free SSL from Let’s Encrypt. I install one for all my website customers.