Symantec Certificate Distrust

On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

Source: security.googleblog.com

In short, certificates supplied by Symantec and Symantec-owned certificate authorities (CAs) will be distrusted in two stages. After the deadline for each stage has passed, the affected certificates will no longer be displayed as secure and visitors may see warnings.

Deadlines

Stage 1
The first batch of certificates will receive the axe on March 15 2018. This applies to all Symantec-issued certificates that were issued before June 1 2016.

Stage 2
The second batch of certificates will be distrusted on September 13 2018. This applies to all Symantec-issued certificates that were issued before December 1 2017.

Any certificates issued after December 1 2017 have been issued using Symantec’s new infrastructure, and require no action.

How to detect affected certificates?

StatusCake SSL monitoring will inform you with a visual warning when your SSL certificate is affected. This happens in 2 stages.

  • Before the deadline: Affected certificates will be marked with an exclamation mark next to their scores. They remain valid for the time being.
  • After the deadline: The certificate’s status will be marked as distrusted in a yellow colour.
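
The stage rules from the Deadlines section can also be applied directly to a certificate's issuer and notBefore date. The following is an added example, not StatusCake's own code; matching the listed brand names in the issuer string is a simplifying assumption, and the sample inventory is constructed.

```python
from datetime import datetime, timezone

def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Brand names this page lists for Symantec's PKI, plus Symantec itself.
# Assumption: a substring match on the issuer name stands in for real chain checks.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

# (stage, issued-before cutoff, distrust date) from the Deadlines section.
STAGES = ((1, _utc(2016, 6, 1), _utc(2018, 3, 15)),
          (2, _utc(2017, 12, 1), _utc(2018, 9, 13)))

def parse_not_before(line):
    """Parse a line such as 'notBefore=May  4 00:00:00 2016 GMT'."""
    value = line.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def classify(issuer, not_before_line, on_date):
    """Return (stage, distrusted_on_date); stage is None when no action is needed.

    on_date is an ISO date string such as '2018-04-01'.
    """
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return None, False
    issued = parse_not_before(not_before_line)
    today = datetime.fromisoformat(on_date).replace(tzinfo=timezone.utc)
    for stage, issued_before, distrust_on in STAGES:
        if issued < issued_before:
            return stage, today >= distrust_on
    return None, False

# Constructed sample inventory: (host, issuer, notBefore line). Not real certificates.
SAMPLE = [
    ("shop.example", "O=GeoTrust Inc., CN=Constructed Issuing CA", "notBefore=May  4 00:00:00 2016 GMT"),
    ("mail.example", "O=thawte, Inc., CN=Constructed Issuing CA", "notBefore=Feb 20 12:00:00 2017 GMT"),
    ("api.example", "O=Symantec Corporation, CN=Constructed CA", "notBefore=Dec 15 00:00:00 2017 GMT"),
    ("blog.example", "O=Example Trust Services, CN=Constructed CA", "notBefore=Jan 10 00:00:00 2016 GMT"),
]

def audit(inventory, on_date):
    """Classify every entry; returns {host: (stage, distrusted_on_date)}."""
    return {host: classify(issuer, nb, on_date) for host, issuer, nb in inventory}

if __name__ == "__main__":
    for host, (stage, distrusted) in audit(SAMPLE, "2018-04-01").items():
        status = "no action" if stage is None else f"stage {stage}, " + ("distrusted" if distrusted else "still trusted")
        print(f"{host}: {status}")
```

The issuer and notBefore values can be read from a live certificate with `openssl x509 -noout -issuer -startdate`.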

What to do when my certificate is marked as affected?
You are advised to renew your certificate with your certificate authority. Please contact your systems department to do this. StatusCake cannot renew these certificates for you.

Affected Systems and browsers

For the time being, only browsers are affected. It’s not yet known if operating systems will distrust these certificates.

Google Chrome

  • March 15, 2018: Chrome 66 will be released to the Beta channel. Beta users will receive warnings for the first stage of certificates.
  • April 17, 2018: Chrome 66 is released to Stable. All Chrome users will see these warnings.
  • September 13, 2018: Chrome 70 is released to Beta. All beta users will see warnings for the second stage of certificates.
  • October 23, 2018: Chrome 70 is released to Stable. All Chrome users will see these warnings.

Source: security.googleblog.com

Mozilla Firefox

  • March 13, 2018: Firefox 60 will be released to the Beta channel. Beta users will receive warnings for the first stage of certificates.
  • May 2018: Firefox 60 will be released to the Stable channel. All Firefox users will now receive those warnings.
  • October 2018: Firefox 63 will be released to the Stable channel. All Firefox users will now receive warnings for the second stage.

Source: blog.mozilla.com

Note: Information is correct at the time of publishing and may change in the future. Please check the linked source articles for up-to-date information.
