Google is following through with its plan to remove trust in transport layer security (TLS) certificates from Symantec-operated certificate authorities.
Google’s Chrome security team has posted a reminder to site operators that it will be removing trust in Symantec’s digital certificates in the near future, along with advice that Symantec customers whose certificates chain to Symantec's root certificates should take action.
Given Chrome has more than a billion users, it will be important that operators of HTTPS sites are using certificates trusted by Chrome.
Beginning with Chrome 66, which is scheduled for stable release around April 17, 2018, Chrome will prevent users from visiting HTTPS sites that rely on certificates issued by any of Symantec’s certificate authorities prior to June 1, 2016.
In Chrome 70, which hits stable in October next year, Google will remove trust for all certificates issued by Symantec, including ones issued after June 1.
Google is advising site operators that use applicable Symantec certificates to replace them with one from a CA trusted by Chrome.
In March, Google announced a proposal to drastically reduce trust in Symantec-issued certificates after its Chrome team found 30,000 dubious certificates issued by Symantec CAs over several years. Symantec said it was only 127 certificates, but Google was already wary of Symantec’s certificate handling processes after a separate incident in 2015 that resulted in Symantec firing several employees.
Symantec and the CA brands it operates, including VeriSign, Thawte, GeoTrust, RapidSSL, and Equifax, have issued about a third of the world’s SSL certificates currently in use. The certificates are used for encrypting communications on the internet between users and HTTPS-enabled sites, as well as validating a site's authenticity. Symantec also provided Extended Validation (EV) certificates to site owners, which Google had proposed distrusting for a period of a year. EV certificates are meant to go through a more rigorous process by a CA in order to convey an HTTPS site's authenticity in the browser.
Google posted its current and final proposal for distrusting Symantec certificates in July, a few days ahead of Symantec announcing it would sell its certificate business to a much smaller CA, DigiCert, for $950m. The sale is expected to complete in the third quarter of 2018.
Symantec at the time also proposed that DigiCert run an independently operated Managed Partner Infrastructure to issue Symantec certificates that chain to DigiCert, during which time Symantec will modernize its CA infrastructure. Google accepted Symantec’s proposal that the managed CA, DigiCert, will be capable of full certificate issuance by December 1. From that date on, Chrome will require all Symantec-chaining certificates be issued by a CA other than Symantec.
Google’s new reminder tells site operators what they should do prior to Chrome 70, which will remove trust for certificates issued by Symantec CAs prior to June 1, 2016. The cap on EV certificates based on validation information created by Symantec still stands, though it is now 13 months unless the managed CA independently revalidates the customer's data.
Beginning December 1, site owners can obtain certificates from DigiCert’s managed infrastructure or another CA. Any certificates from this date issued by Symantec’s old infrastructure will stop working in Chrome 70, which is scheduled for stable release on October 23, 2018.
Additionally, site operators with Symantec certificates issued after June 1, 2016 will need to replace them before Chrome 70, though these certificates won’t be affected in Chrome 66.
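The schedule above boils down to two questions an operator can answer from their own certificate chain: does the chain end at a Symantec-operated root, and was the leaf issued before June 1, 2016? The script below, an added example rather than anything published by Google, Symantec or the article's author, applies that logic. It assumes the operator has already dumped the leaf with `openssl x509 -noout -issuer -dates` and the root of the chain with `openssl x509 -noout -subject` and pastes that text in; the function names (`parse_x509_text`, `chrome_distrust`, `assess`) are this example's own, and every certificate string in it is constructed, not captured from a real site. It deliberately keys off the root rather than the leaf's issuer name, because certificates from DigiCert's managed infrastructure can carry a legacy brand in the issuer while chaining to a DigiCert root and therefore remain trusted.

```python
"""Check which Chrome release stops trusting a certificate under the Symantec
distrust schedule described above (added example; not the article's code)."""
from datetime import datetime

# CA brands the article lists as Symantec-operated, plus Symantec itself.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")

# Dates from the article: the issuance cut-off and the two Chrome stable releases.
CUTOFF = datetime(2016, 6, 1)
CHROME_RELEASES = {66: datetime(2018, 4, 17), 70: datetime(2018, 10, 23)}


def parse_x509_text(text):
    """Turn `openssl x509 -noout ...` key=value output into a dict.

    Handles both the older slash DN form (issuer= /C=US/O=...) and the newer
    comma form (issuer=C = US, O = ...). notBefore/notAfter become datetimes.
    """
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")  # only the first '=' splits key from value
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("notBefore", "notAfter"):
        if key in fields:
            fields[key] = datetime.strptime(fields[key], "%b %d %H:%M:%S %Y %Z")
    return fields


def is_symantec_operated(dn):
    """True if a distinguished name names one of the Symantec-operated CA brands."""
    lowered = dn.lower()
    return any(brand in lowered for brand in SYMANTEC_BRANDS)


def chrome_distrust(root_subject, leaf_not_before):
    """Return (chrome_version, stable_date) at which Chrome stops trusting the
    leaf, or None when the chain does not end at a Symantec-operated root."""
    if not is_symantec_operated(root_subject):
        return None
    version = 66 if leaf_not_before < CUTOFF else 70
    return version, CHROME_RELEASES[version]


def assess(leaf_text, root_text):
    """Classify a leaf given openssl text for the leaf and for the chain's root."""
    leaf = parse_x509_text(leaf_text)
    root = parse_x509_text(root_text)
    return chrome_distrust(root["subject"], leaf["notBefore"])


# --- constructed samples, not real certificates ---
ROOT_SYMANTEC = r"subject=C = US, O = VeriSign\, Inc., OU = VeriSign Trust Network, CN = VeriSign Class 3 Public Primary Certification Authority - G5"
ROOT_DIGICERT = "subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2"

LEAF_PRE_CUTOFF = """\
issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
notBefore=Mar 10 00:00:00 2016 GMT
notAfter=Mar 10 23:59:59 2018 GMT
"""
LEAF_POST_CUTOFF = """\
issuer= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
notBefore=Sep  5 00:00:00 2017 GMT
notAfter=Sep  5 23:59:59 2019 GMT
"""
# Hypothetical managed-CA leaf: legacy brand in the issuer, but the chain ends at DigiCert.
LEAF_MANAGED = """\
issuer=C = US, O = DigiCert Inc, CN = GeoTrust RSA CA 2018
notBefore=Dec  4 00:00:00 2017 GMT
notAfter=Dec  4 12:00:00 2019 GMT
"""

if __name__ == "__main__":
    for name, leaf, root in [("pre-cutoff", LEAF_PRE_CUTOFF, ROOT_SYMANTEC),
                             ("post-cutoff", LEAF_POST_CUTOFF, ROOT_SYMANTEC),
                             ("managed CA", LEAF_MANAGED, ROOT_DIGICERT)]:
        verdict = assess(leaf, root)
        if verdict is None:
            print(f"{name}: not affected by the Symantec distrust")
        else:
            print(f"{name}: replace before Chrome {verdict[0]} (stable {verdict[1]:%Y-%m-%d})")
```

The 13-month cap on EV certificates that reuse Symantec validation data is not modelled here, since it depends on when the validation data was collected rather than on anything visible in the certificate itself.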