Google finalises plans to distrust Symantec certificates

12 Sep 2017

Symantec HQ, Mountain View, California. Image: Ken Wolter/Shutterstock

Fair warning to webmasters from Google as it plans to distrust Symantec-issued security certificates from the release of Chrome 66 in 2018.

Google has been finalising formal plans to reduce and ultimately remove trust in Symantec’s infrastructure for several months, in order to uphold user privacy and security when browsing the web.

The details of the plans were originally discussed on Google’s blink-dev forum, and should allow for “reasonable time for a transition to new, independently operated managed partner infrastructure while Symantec modernises and redesigns its infrastructure to adhere to industry standards”.

The official steps to be taken to distrust Symantec certificates were posted on the official Google security blog on 11 September.

Longstanding issues

The issues with Symantec have been bubbling away for quite a while now. A public posting in January 2017 on a forum for security professionals drew attention to a series of “questionable” web authentication certificates issued by Symantec’s public key infrastructure (PKI).

Symantec’s PKI business operates several certificate authorities (CAs) under different names, including Verisign and GeoTrust.

Numerous certificates that were not compliant with the industry-standard C/A Browser Forum Baseline Requirements had been issued by the various CAs. It is imperative that a CA is tightly regulated, as these digital certificates denote whether or not a web user is visiting a legitimate website.

Lack of oversight

Following an investigation, it emerged that Symantec had entrusted a handful of organisations with the ability to issue certificates without proper oversight, and the company had been aware of gaps in security at these organisations for a notable period of time.

According to Google, this certification issue is just one element of a series of problems over the last number of years. This pattern of issues caused the team behind Google Chrome to lose confidence in Symantec’s infrastructure, and any certificates that have been or will be issued from it.

Symantec announced back in August it had selected DigiCert to run an independently operated managed partner infrastructure, and also said it would be selling its PKI business to DigiCert rather than building a new infrastructure from scratch. Issuance and operation of certificates should be transferred from Symantec’s infrastructure to DigiCert’s by 1 December 2017.

Timeline for banning Symantec certificates

Chrome will begin removing trust in the certificates issued before 1 June 2016 on 15 March 2018, the release date for Chrome 66 beta users. If you or your company operates a site issued with a certificate that predates 1 June 2016, your existing certificate will need to be replaced with one from a Google-endorsed certificate authority before the release of Chrome 66.

By 23 October 2018, Chrome 70 will be released and with that, the full removal of trust in Symantec’s old infrastructure will be complete.

If you are a site operator that requires a certificate from Symantec’s existing root, you have until 1 December 2017 to get one. It’s worth bearing in mind that this, too, will need to be replaced by the Chrome 70 era, buying you just a few months.

Symantec HQ, Mountain View, California. Image: Ken Wolter/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects