Washington, DC - On Tuesday, April 17, Google will push the newest version of its web browser, Chrome 66, to stable, effectively distrusting any Symantec CA brand (Symantec, GeoTrust, Thawte and RapidSSL) SSL certificate issued before June 1, 2016. Once Chrome 66 goes live and its users begin to update their browsers, any website still using one of the affected Symantec CA brand SSL certificates will be slapped with a browser warning.
Put simply: If your Symantec CA brand SSL certificate was issued before June 1, 2016, and you haven’t re-issued it off the DigiCert roots, 60.4% of US internet users will not be able to access your website without clicking through a warning.
It should go without saying that this is a big deal. I don’t have to quote you a study to make you realize that almost no one clicks through the warning.
So, before you go any further with this article, stop what you’re doing and use this tool to check if you’re going to be affected by Tuesday’s distrust.
Tool: Symantec Reissue Checker
Once again, this is for anyone using a Symantec, GeoTrust, Thawte or RapidSSL certificate issued before June 1, 2016.
Why is Google Distrusting Symantec?
This entire situation started back in 2015 when Google contacted Symantec about some potentially mis-issued SSL certificates. That situation, in and of itself, was fairly negligible. But, the following year, when Google became aware of additional mis-issuances, it became of greater import because now Google could make the argument that it was losing trust in Symantec’s PKI.
Google argued that Symantec was not properly overseeing several of the region authorities it used to perform validation around the world. This, coupled with what Google now argued was a pattern of mis-issuances, set the grounds for the distrust. Symantec eventually went into negotiation with Google and agreed to partner with another Certificate Authority so that it could continue to issue certificates while simultaneously rebuilding its Public Key Infrastructure. The best way to accomplish this, in Symantec’s eyes, was to sell the CA part of its business to DigiCert, who would continue to operate it pretty much as is, with the exception of what roots the new certificates would now chain to.
Who was right? Google or Symantec?
That’s a complicated question. Let me start by saying that Hashed Out operates with a considerable degree of autonomy from The SSL Store, but it is worth noting that The SSL Store was a platinum elite partner with Symantec (and now with its new owners, DigiCert). That being said, Google was right about the mistakes that Symantec had made. And considering one of the mis-issued 2016 test certificates was for Google.com, it had a right to be pissed.
At the same time, Symantec wasn’t incorrect when it noted that no real world harm actually occurred. While they disagree on the number of mis-issued test certificates (33 vs. 30K – quite the range), nobody misused any of the certificates. Nobody lost money. No one died.
Google’s decision was a bit draconian. And I’m hedging by add “a bit.” It’s quite a leap to go from, “you mis-issued some test certificates” to “now I’m going distrust every SSL certificate that’s ever been issued off these roots.” It’s worth noting that Google (and Mozilla to some extent) were likely also trying to make an example out of Symantec, too. But as we will see on Tuesday, this is going to end up being massively disruptive in a way that I think few of the people who pushed for this expected.
But, there’s plenty of times for relitigating the dispute between Symantec and Google. There’s not much left time to re-issue if you’re using an affected certificate.
Google will Distrust ALL Symantec CA Brand SSL Certificates in October
We don’t know the exact date – likely around the weekend of October 23rd – but with the release of Chrome 70 any Symantec CA Brand SSL certificate not issued after December 1, 2017 on the DigiCert PKI will be distrusted. That means if you haven’t re-issued your certificate yet, then you have until October or Google will disturst your website’s certificate.
Obviously we’ll continue to remind you up until that point.
As for the April 17 deadline, once again, use the Symantec Re-issue tool to make sure you won’t be affect. And if you are, don’t waste any more time. You have just a few hours left before it’s too late.