Chrome and Symantec – the Final “Trust” Solution

The Google Chrome team announced in March 2017 that it had a problem with Symantec for violating industry standards related to SSL certificate issuance. This has been discussed cooperatively over the last 4 months by Google, Symantec, and other members of the internet community. On 27th July 2017, Chrome and Symantec announced their final plan to move forward.

If you operate a website that uses a Symantec SSL certificate, please read this post to see if future versions of Chrome will affect your specific certificate and how you can replace that certificate (for free) before anything goes into effect.

Are you affected?

If you are a current user of Symantec certificates or plan to purchase one in 2017, this could affect you.

Because Symantec is one of the largest Certificate Authorities, a very large number of Symantec SSL certificates will be affected. Note that Symantec operates multiple brands, all of which are affected:

  • Symantec
  • GeoTrust
  • Thawte
  • RapidSSL

Also, note that Mozilla Firefox will be taking a similar course of action, but at this time they have not committed to a final plan.

What changes are expected in Google Chrome

The dates below make up the timeline. Two of them are the stages of Chrome’s distrust and serve as hard deadlines (April 17, 2018 and October 2018); the others are general information. Keep the two deadlines clearly separate from the rest when planning.

October 24th, 2017
Chrome 62 will display a message in Developer Tools to help identify certificates which will be affected by distrust in Chrome 66. Visit your websites with the Developer Tools panel open – this will allow you to identify which websites will be affected by distrust in Chrome 66.

December 1st, 2017
A partnered Certificate Authority (CA) will begin issuing certificates for Symantec. As an end user, you may notice some small changes in the issuance process. From a technical standpoint, this date is significant because it marks the beginning of the “new” Symantec certificates. Certificates issued after this date will be issued from different roots and will not be affected by Chrome’s distrust.

April 17, 2018
All Symantec certificates issued before June 1st, 2016, will no longer be trusted by Chrome.
Certificates issued after June 1st, 2016 are not affected at all in this release. Replace any Symantec certificates issued before June 1st, 2016 by this date. This can be done by reissuing your certificate for free from your provider and installing the new certificate in place of the old one. If your certificate expires around this time (April-June) you may want to consider renewing it, instead of reissuing, to avoid two replacements within a short time frame.

Oct 28th, 2018
All certificates issued by Symantec with their existing infrastructure will no longer be trusted by Chrome.

Starting in the stable version of Chrome 62, a message will be added to the Developer Tools panel when a certificate that will be distrusted in Chrome 66 is encountered. Developers can use this functionality to ensure they identify certificates on their websites that will be affected.

Our Recommended Plan of Action

To reduce the amount of disruption and effort required, we recommend the following action:

If your certificate expires BEFORE December 2017

We recommend you renew (instead of reissue) your certificates prior to December. This will allow you to have a trusted certificate in place through the holiday season up until Oct 2018, when all certificate files from Symantec’s existing roots will be distrusted and need to be replaced on your website. Alternatively, switch over to certificates from a different Certificate Authority (CA) such as Comodo to avoid any issues.

If your certificate expires DURING December

Symantec hopes to have their partner CA issuing certificates on December 1st (a Friday). If you can wait to reissue and replace your certificates until after this occurs, you will most likely never need to replace your certificate files on your website until their natural expiration date.

However, note that delays may cause Symantec to miss the December 1st estimate, and there may be an unusually high volume of issuance at that time which could cause technical issues.

In that case, if you are close to the expiration of your current certificate you may risk outages. ‘Holiday freezes’ may also prevent you from replacing certificates during this month.

If you do need to replace your certificate before Symantec’s partner CA is ready to issue certificates, you will need to replace the certificate files again before Chrome 70’s release (expected late Oct 2018).

Alternatively, you can switch over to certificates from a different CA such as Comodo to avoid any issues.

If your certificate expires AFTER December 31st, 2017

We recommend you wait to replace any of your certificates until Symantec’s partner CA begins issuing certificates (expected December 1st, 2017). After this date you can begin reissuing and replacing certificates as needed. This way you need to replace your certificate files only one time.

Certificates issued by Symantec’s partner CA will not be affected by Chrome’s changes and will not need to be replaced until their natural expiration.

Special Case: If your certificate was issued BEFORE June 1st, 2016 and expires AFTER April 17th, 2018

You fall into a special case. Your certificate must be reissued and files replaced BEFORE the release of Chrome 66, which is expected April 17th, 2018 in order to remain trusted in Chrome.

However, you should wait until after December 1st 2017 to reissue your certificates. On this date, Symantec’s partner CA will begin issuing certificates. By waiting until this date you will only need to replace your certificate one time.

If you reissue before Symantec’s partner CA is available, your certificate will come from one of Symantec’s current root certificates and will need to be replaced again before October 2018.

UPDATE: Mozilla Firefox will follow more or less the same timelines as Google Chrome.

Ballot 193 – 3 Year Certificate Validity To Be Phased Out

The CA/B Forum approved Ballot 193, which will see reduced SSL certificate lifetimes, as the maximum decreases from three years to two years. This is being done to address the security and logistic issues inherent with long-life certificates.

Given that Ballot 193 will impact how certificates are deployed and managed, we wanted to put together a quick summary of how this will impact those who use (or plan on using) 3-year SSL certificates.

The simple takeaway:

Effective March 1st, 2018 all new SSL certificates will be restricted to a maximum of 825 days (2 years + 3 months renewal buffer). This also affects existing DV (Domain Validation) certificates. Prior to this date, CAs are allowed to issue 3-year certificates. Note that some may choose to discontinue these practices early.

Shorter-term certificates (1-year) are not affected by either of these changes.

If you have already purchased any certificate with 3-year validity with an expiry date after 1st April 2018, avoid requesting a certificate reissue after Feb 2018. If you do so your certificate will be truncated to 825 days validity and you will lose the difference permanently.

To make all of this easier to understand, we have created some scenarios and a description of how these new changes will affect you. More than one of these may affect you, so please skim all the scenarios:

You want to use 3-year certificates for minimal updates to all your servers.

You can get a new 3-year certificate up until March 2018. This will allow you to have a 3-year certificate in production until 2021, but ONLY if you do not reissue your certificate after March 2018 when the new maximums take effect.

Note that security vulnerabilities or other industry changes outside of your control may sometimes require you to reissue a certificate. In some cases, such as the SHA-1 migration, you can choose not to reissue your certificate if you are okay with degraded treatment in web browsers.

Note that in the past, CAs have chosen to stop issuing products prior to the industry-mandated deadlines. This could mean that due to Ballot 193 some CAs may choose to stop issuing 3-year certificates before March 2018. Plan to check in later this year and do not wait until the last minute assuming a 3-year certificate will be available. If this happens we will contact our existing customers to let them know. If you use another provider/CA, check with them to know what their planned policy is.

You have an existing 3-year certificate (issued before March 2018) that needs to be reissued after March 2018.

From a technical perspective, reissuing a certificate is the same as issuing a new certificate. This means that after March 2018, ALL newly issued certificates (including reissues) must have a maximum validity of 825 days.

When you reissue your existing certificate after March 2018 it will be truncated to 825 days to meet the new requirements and you will permanently ‘lose’ the difference.
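Both the Chrome distrust timeline in the first post and the Ballot 193 truncation described just above come down to two fields of a certificate: the issuer name and the validity dates. The Go program below is an added example, not code from this post or from any CA. It assumes the dates quoted in the posts, matches issuer names against the Symantec brand list given earlier as a heuristic only (the authoritative signal remains the Chrome 62 Developer Tools message), and builds constructed self-signed certificates with made-up issuer names purely as sample input; on a real server you would feed it the PEM file that is installed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Dates taken from the Chrome/Symantec plan and Ballot 193 as described in the posts.
var (
	legacyCutoff   = time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)  // issued before: distrusted in Chrome 66
	partnerCAStart = time.Date(2017, 12, 1, 0, 0, 0, 0, time.UTC) // issued on/after: partner CA roots, unaffected
	ballot193Start = time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC)  // new issuances capped at 825 days
)

const maxValidityDays = 825

// Symantec-operated brands listed in the post. Matching issuer names is a heuristic only.
var symantecBrands = []string{"symantec", "geotrust", "thawte", "rapidssl"}

type Verdict string

const (
	NotAffected      Verdict = "not affected (issuer is not a Symantec brand)"
	PartnerRoots     Verdict = "issued on/after 2017-12-01 from partner CA roots: not affected"
	DistrustChrome66 Verdict = "issued before 2016-06-01: distrusted in Chrome 66, replace before 2018-04-17"
	DistrustChrome70 Verdict = "issued from legacy Symantec roots: distrusted in Chrome 70, replace before Oct 2018"
)

func issuedBySymantecBrand(cert *x509.Certificate) bool {
	fields := append([]string{cert.Issuer.CommonName}, cert.Issuer.Organization...)
	for _, f := range fields {
		lf := strings.ToLower(f)
		for _, brand := range symantecBrands {
			if strings.Contains(lf, brand) {
				return true
			}
		}
	}
	return false
}

// Classify applies the post's timeline to a parsed certificate.
func Classify(cert *x509.Certificate) Verdict {
	if !issuedBySymantecBrand(cert) {
		return NotAffected
	}
	switch {
	case cert.NotBefore.Before(legacyCutoff):
		return DistrustChrome66
	case !cert.NotBefore.Before(partnerCAStart):
		return PartnerRoots
	default:
		return DistrustChrome70
	}
}

// ClassifyPEM parses a PEM-encoded certificate (as installed on a server) and classifies it.
func ClassifyPEM(pemBytes []byte) (Verdict, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return Classify(cert), nil
}

// Ballot193Truncation returns how many days of validity would be lost by reissuing on
// reissueDate: a reissue on/after 2018-03-01 is capped at 825 days from that date.
func Ballot193Truncation(cert *x509.Certificate, reissueDate time.Time) int {
	if reissueDate.Before(ballot193Start) {
		return 0
	}
	remaining := int(cert.NotAfter.Sub(reissueDate).Hours() / 24)
	if remaining <= maxValidityDays {
		return 0
	}
	return remaining - maxValidityDays
}

// sampleCert builds a constructed, self-signed 3-year certificate whose issuer organization is
// issuerOrg; it exists only to give the functions above realistic PEM input offline.
func sampleCert(issuerOrg string, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	name := pkix.Name{CommonName: "www.example.com", Organization: []string{issuerOrg}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      name,
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(3, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	v, err := ClassifyPEM(sampleCert("Symantec Corporation (constructed)", time.Date(2016, 5, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println(v, err)
}
```

Run it against each certificate file in your inventory instead of the constructed sample; a site whose certificate classifies as DistrustChrome66 is the "special case" described above and should be reissued between December 1st, 2017 and April 17th, 2018.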

You have a DV certificate

Starting March 2018, DV certificates will now be limited to 825 days. Prior to this date, you can continue to get a 3-year certificate. However please note that some CAs may choose to stop issuing 3-year certificates before March 2018.

When you reissue a DV certificate it is already common practice to re-validate domain ownership. This is a simple practice, which can be performed in a few minutes by setting up a DNS record, uploading a file to your server via FTP, or confirming an email.

You have an EV certificate

EV certificates are not affected by either of these changes. Because they meet the highest standards for identity, EV certificates are already limited to stricter maximums for both validity period and reuse of validation information.

EV certificates have a maximum of 27 months and validity information can only be reused for a maximum of 13 months. There are currently no planned reductions to these periods, however as the CA/B Forum institutes more security-conscious requirements, EV certificates may be restricted to one year.

At this time, we are not aware of any changes to Symantec or Comodo’s product lines due to Ballot 193. However, they may choose to discontinue 3-year certificates ahead of the industry-mandated deadline, or impose other changes to deal with this shift. If and when this happens, we will notify all our customers and be in contact with those whose active certificates are affected.

Reference: https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/

COMODO most popular SSL certificate brand amongst top 1 million websites

COMODO is the most popular SSL brand and comes out a clear winner with a 28% website share. GeoTrust comes in a distant second with a 12% share. GoDaddy is third with 7%. Let’s Encrypt comes 5th and powers 5% of these websites.

The top certificate authorities identified are shown in the chart “Comodo most popular SSL certificate” (image courtesy Kenn White via Adam Caudill).

700,275 out of the top 1 million websites responded with an SSL / TLS certificate on port 443. The scanner attempted to connect to the domain on port 443, and if that failed, then attempted to connect to the “www” subdomain.

The scan was run with an eight second timeout. Any server that couldn’t complete a handshake within eight seconds wasn’t counted.

No certificate validation was performed. The scan didn’t attempt any other ports or subdomains.

Thawte SGC SuperCerts Discontinued

Effective immediately, per the direction of Thawte, we have ceased all new orders of the Thawte SGC SuperCert.

Instead we’d recommend looking into the other comparable certificates listed below.

Thawte

Symantec

Server Gated Cryptography (SGC) SSL Certificates

These SSL certificates enabled older browsers to connect to websites using 128-bit encryption even if the normal browser encryption rate was 40-bit. At one time this seemed to provide a great advantage to many websites.

Today, SGC certificates are widely considered to be obsolete, as browsers requiring enhanced encryption capabilities are all but extinct, and many parties contend that facilitating the use of older, insecure browsers creates more security concerns than it remedies.

However, if you know you absolutely still need SGC, the below certificate from Comodo is available as an alternative.

Comodo

All of the above certificates listed are great alternatives to the Thawte SGC SuperCert. If you’re still uncertain about which certificate is right for you, please feel free to get in touch with us and our SSL experts will be glad to assist you in finding the right certificate.

Note: If you currently have an existing Thawte SGC SuperCert that has been issued, the certificate will continue to secure your website until the expiration date of the certificate.

*If you have qualified for a Thawte OV certificate in the past, like the SGC SuperCert, it’s likely that you can qualify for an EV certificate and get the green address bar as well. With the premium Symantec brand, you also get fantastic ROI potential with the trusted Norton Secure Seal.

For future purchases and renewals, we would recommend the Thawte SSL Webserver certificate as a comparable option.