Is your website still using a certificate from Symantec?

16 Aug 2018

Symantec world headquarters in California. Image: Ken Wolter/Shutterstock

Google announced its plans to distrust Symantec certificates a long time ago, but some websites are still using them. This could cause massive problems if left unresolved.

The Google and Symantec saga is a long-running one. In September 2017, the internet giant began finalising its plans to distrust Symantec-issued SSL and TLS certificates.

The problems involved some questionable web authentication certificates issued by Symantec’s public key infrastructure (PKI). Many certificates were not compliant with industry standards issued by certificate authorities, and Google mentioned other issues such as a lack of oversight.

Symantec sold its PKI business to DigiCert, which was tasked with tackling the problem.

As Google set a deadline of October 2018 (the release of Chrome 70) for full removal of trust for Symantec certificates, you would imagine all sites would be on their way to replacing the old ones.

Some stragglers remain

This is not the case, according to Michael Fowler, president of partners and channels for certificate authority Comodo CA. He spoke about how this is a real issue that could impact businesses globally.

Research from Mozilla published at the end of July showed that 3.5pc of the top 1m websites in the world were still using Symantec certificates. Rather than leading the user to the correct website and letting them see that it is legitimate, these certificates will cause error messages to be displayed.

Firefox security expert Wayne Thayer said: “We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months.”

In May 2018, Comodo CA found that the issue was global. “Of the 1m websites still at risk, roughly 25pc were based in Germany, 15pc in the United States, 13pc in the UK, 5pc in China, 6pc in Japan, with several other countries at 5pc and below.”

Many users dealing with error messages

Now that Google Chrome 70’s Canary version is live, users of this nightly build of Chrome for developers are already being confronted with error messages from sites still using the distrusted certificates, Fowler warned. “The countdown has already begun, which means website owners or anybody that is in fact using these certificates will see errors.

“These errors could have consequences depending on the sort of devices using these certificates.” Fowler mentioned that if sites such as the New York Stock Exchange were still using the distrusted certificates, this could create major havoc for markets. On the smaller end, e-commerce websites will suffer lost sales. For larger enterprises, leaving these certificates intact “is a huge risk”.

Fowler said a health check of your certificates is imperative, particularly as larger companies often have a lack of communication channels. This makes it tough to figure out “which certificates in their environment are in fact at risk”. Migration and replacement are the next logical steps.

He likened the rush to fix the issue at the last minute to the recent implementation of GDPR. “It’s human nature.”

The impact of the issue is wide-ranging and should be a priority for those in charge of an enterprise website.


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects