Google sets untrust schedule for Chrome over Symantec certificates

Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world’s most popular browser.

“Companies are staring down the barrel of a boat load of work,” said David Anthony Mahdi, a research director at Gartner, and the industry research firm’s resident expert on digital certificates and the CAs (certificate authorities) that issue them. “This is massive.”

Beginning with Chrome 66, currently set to show up the third week of April next year, Google will “remove trust in Symantec-issued certificates issued prior to June 1, 2016,” wrote three members of the browser’s security team, in a post to a company blog. “If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.”

A follow-up version of Chrome, slated for debut a little more than a year from now, will untrust every Symantec certificate, no matter when it was issued. When Google removes trust from the certificates, users will begin seeing messages, some explicit, others subtler, informing them that the connection between them and the website is insecure.

Google Chrome will stop trusting older Symantec certificates

Broken trust

Chrome will stop trusting any security certificates issued by Symantec, Google has confirmed.

In a blog post, Chrome Security’s Devon O’Brien, Ryan Sleevi and Andrew Whalley say that certificates from the security firm will be “distrusted,” starting with version Chrome 66. This affects all certificates issued before June 1, 2016.

At the same time, Symantec is working with webmasters to switch to DigiCert certificates, after that company bought Symantec’s failing web security business.

Chrome 66 is expected to arrive in June next year, so the final shutdown should be expected with Chrome 70 next October. This will, as Google puts it, “fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued.”

For the uninitiated, Google decided to remove Symantec certificates after it had found a couple of certificates in 2015 which didn’t adhere to industry standards. An in-depth investigation has confirmed that Symantec had actually outsourced the job to other companies and failed to oversee it properly.

Webmasters that want to keep old Symantec certificates should be aware that there is a 13-month limit.

According to The Inquirer, Symantec’s CEO Greg Clark said their customers will have a world-class experience moving forward.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” he said.

“I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions.”

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Image Credit: Lane V Erickson / Shutterstock

Plan to distrust Symantec website certificates released, which is no longer its concern

Dive Brief:

  • Google’s Chrome team this week released its formal plan to distrust Symantec’s website security and certificate products, the company said. Over the past several years, the Chrome team had lost confidence in Symantec’s infrastructure because of a pattern of concerns around how the company issued security certificates. 
  • In investigations which began earlier this year, the Chrome team found numerous Symantec-issued certificates did not comply with baseline industry-developed standards. The security company had tapped several organizations to issue certificates but they lacked oversight, which resulted in “security deficiencies,” according to Google.
  • Beginning with Chrome 66, which will debut to Chrome Beta users in March 2018, Chrome will remove trust for Symantec certificates issued prior to June 1, 2016, according to the plan. By December 1, once Symantec transitions its certificate business over to DigiCert infrastructure, certificates issued from older Symantec infrastructure will not be trusted. Symantec could not be reached for comment prior to publication. 

Dive Insight:

Google officially downgraded trust in Symantec certificates in March, which the security company called “exaggerated and misleading.” The move negatively impacted the security firm’s reputation during a time when it was trying to regain traction in the market. Large, legacy security firms have had to navigate a changing security landscape, while competing against emerging vendors that can target the market in more agile ways.  

But the website certificate business is no longer Symantec’s concern. In August, the company reached an agreement with DigiCert to sell its website security and PKI solutions business for $950 million.

So while Google has a formal plan in place, which would permit the security firm ample time to modernize its infrastructure and meet industry standards, web certificates are no longer Symantec’s concern. Instead, DigiCert’s new “managed partner infrastructure” will be able to issue trusted certificates, according to the announcement. 

Companies are placing more emphasis on end-to-end security, ensuring everything from websites to back-end infrastructure is locked down. When an organization like Google downgrades trust in an organization’s product, it is sure to cause ripple effects across product lines and impact a firm’s reputation long term.

Google has pushed for more companies to move toward HTTPS protocol, displaying an icon in Chrome when a site cannot be trusted. HTTP can leave websites vulnerable to eavesdropping and content manipulation, vulnerabilities eliminated with the transition over to the more secure HTTPS.

As of March, more than half of all websites support HTTPS, but leading vendors are pushing for more websites to make the transition. To do that, customers have to ensure security certificates issued by vendors are trustworthy.

Top image credit:

Dollar Photo Club

Chrome 70 Symantec Certificates Update Leaks

Google has planned on killing off Symantec certificates for Chrome 66. It was a decision based on a lot of issues that accumulated over time, for example test certificates issued for domains such as example.com or test.com. Symantec issued certificates through different organizations with little oversight or appropriate investigation.

Site Operators Must Replace their Symantec Certificates

Trust in the certificates will start to be removed in March 2018, and Google has published a series of milestones between now and that date. Certificates issued prior to June 1, 2016 will no longer be trusted in Chrome 66. Site operators who have Symantec certificates must replace their certificate with others that are trusted by Chrome.

After March-April 2018, Chrome will start to send warnings to those who haven’t got trusted certificates.

Symantec Hands Its Infrastructure to DigiCert

On the other side, Symantec is handing its certificate business to DigiCert, whose new infrastructure is expected to be up and running by December 2017. To comply with Google’s requirements, DigiCert will have to issue the certificates from its own PKI infrastructure and its Managed Partner Infrastructure.

Google has added that the old Symantec infrastructure will be placed on the list of untrusted certificates in a future Chrome update.

If You Get Certificates from Symantec Until December You’ll have to Get New Ones Because of the Chrome 70 Update

Site owners will have to undergo several steps in order to get other certificates. In Chrome 70 all certificates that are related or have roots to Symantec will be killed off. The site owners who need certificates from the old Symantec infrastructure will have to get another set of certificate replacements because of the updated Chrome 70.

Note that this change will not affect site owners who don’t use Symantec portfolio certificates or everyday users who just browse the internet.

Google: timeline for distrusting all Symantec Certificates in Chrome

Google recently published a post on the Google Security blog that lays out the timeline for dropping support for Symantec-issued certificates in Chrome.

The company plans to drop full support in Chrome 70, but will distrust certificates that were issued before June 1, 2016 as early as March 15, 2018 (Chrome 66).

The core of the issue surrounding Symantec certificates — the business operates under brand names such as VeriSign, Thawte, Equifax, RapidSSL or GeoTrust — is that Symantec “entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight” according to Google.


Symantec was aware of these security deficiencies, and incidents in the past showed just how bad it was. In 2015 for instance, certificates were created covering five organizations including Google and Opera without the knowledge of the organizations involved.

Symantec came to an agreement with DigiCert under which DigiCert will acquire Symantec’s website security and PKI solutions business.

Google plans to remove trust from all Symantec-issued certificates in Chrome in the coming year. The company published a timeline that highlights the most important dates of the process.

  • October 24, 2017 — Chrome 62 Stable — Chrome highlights if a certificate of a site will be distrusted when Chrome 66 gets released.
  • December 1, 2017 — DigiCert’s new infrastructure will be “capable of full issuance”. Certificates issued by Symantec’s old infrastructure from this point forward will cease working in future updates. This won’t affect certificates issued by DigiCert.
  • March 15, 2018 — Chrome 66 Beta — Any Symantec issued certificate before June 1, 2016 is distrusted. Sites won’t load but throw a certificate alert instead.
  • September 13, 2018 — Chrome 70 Beta — Trust in Symantec’s old infrastructure is dropped entirely in Google Chrome. This won’t affect DigiCert issued certificates, but will block any site that uses old certificates.
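The timeline above gives a site operator two things to check on every certificate: whether it chains to Symantec’s CA business (the articles list the Symantec, VeriSign, Thawte, GeoTrust, RapidSSL and Equifax brands) and whether its notBefore date falls before June 1, 2016. As an added example, not code from Google, Symantec or any of the articles on this page, the following Python standard-library script classifies certificates against the two milestones. It consumes dictionaries in the shape returned by ssl.SSLSocket.getpeercert(); the sample entries are constructed and the "EXAMPLE" issuer names are placeholders, not real CA names. Matching the issuer organization name is a heuristic: the authoritative test is whether the chain terminates in one of Symantec’s old roots, which the Chrome 62 DevTools warning reports directly.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brand names the articles attribute to Symantec's CA business, as they appear
# in issuer organizationName fields. Heuristic only (see the note above).
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")

# Milestones from the published timeline (Stable-channel dates).
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
CHROME66_STABLE = "April 17, 2018"
CHROME70_STABLE = "October 23, 2018"


def issuer_organization(cert):
    """Return organizationName from a getpeercert()-style issuer tuple, or ''."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def not_before(cert):
    """Parse notBefore ('Jun  1 00:00:00 2016 GMT') into a UTC-aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(cert):
    """Say which Chrome milestone, if any, removes trust in this certificate."""
    org = issuer_organization(cert).lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "not affected"
    if not_before(cert) < CHROME66_CUTOFF:
        return f"distrusted in Chrome 66 (stable {CHROME66_STABLE}): replace now"
    # Issued on or after June 1, 2016 from Symantec-branded infrastructure:
    # survives Chrome 66 but falls with the rest of the old roots in Chrome 70.
    return f"distrusted in Chrome 70 (stable {CHROME70_STABLE}): replace before then"


def report(certs):
    """Classify a mapping of label -> certificate dict."""
    return {label: classify(cert) for label, cert in certs.items()}


def fetch_peer_cert(host, port=443):
    """Live variant (needs network): fetch the leaf certificate dict for a host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs in getpeercert() shape; issuer names are placeholders.
SAMPLES = {
    "old-symantec": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "EXAMPLE Symantec Intermediate"),)),
        "notBefore": "May 20 00:00:00 2015 GMT",
        "notAfter": "May 19 23:59:59 2018 GMT",
    },
    "newer-geotrust": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "GeoTrust Inc."),),
                   (("commonName", "EXAMPLE GeoTrust Intermediate"),)),
        "notBefore": "Jun  1 00:00:00 2016 GMT",  # exactly the cutoff: not "prior to"
        "notAfter": "May 31 23:59:59 2019 GMT",
    },
    "other-ca": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example CA Ltd"),),
                   (("commonName", "EXAMPLE Unrelated Intermediate"),)),
        "notBefore": "Jan  1 00:00:00 2017 GMT",
        "notAfter": "Dec 31 23:59:59 2019 GMT",
    },
}

if __name__ == "__main__":
    for label, verdict in report(SAMPLES).items():
        print(f"{label:16} {verdict}")
```

To run the same check against a live site, pass fetch_peer_cert("www.example.com") to classify(); the sample dictionaries exist only so the script runs offline.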

Chrome users cannot really do anything about this, as website operators need to switch to a certificate that is still trusted by Google as early as March 14, 2018. The only option that users of the browser have is to let website operators know about certificate issues should they not be aware of this.

Mozilla will match the dates proposed by Google earlier according to a post by Gervase Markham on the Mozilla Dev Security Policy group.

Webmasters who run sites with Symantec certificates need to add new certificates to their web properties before the deadline to ensure continued access to those properties. One option that webmasters have is to use Let’s Encrypt, which offers free and automated certificates.

Author: Martin Brinkmann, Ghacks Technology News
About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+.

Google reveals formal plan to distrust Symantec certificates in 2018


Google has revealed formal plans to distrust Symantec security certificates from the release of Chrome 66 in 2018.

On Monday, the tech giant’s finalized plans were posted on the official Google Security blog, which states that starting with Chrome 66, no Symantec-issued security certificate issued prior to 1 June 2016 will be accepted as valid and trustworthy.

By 1 December this year, Symantec will switch the issuance of certificates to DigiCert infrastructure, and so anything issued based on the old infrastructure after the same date will also not be trusted by Chrome.

The latest version of the Chrome web browser is 61.0.3163, but version 66 is scheduled for release to Chrome Beta users on 15 March 2018 and to standard Chrome users around 17 April 2018.

Google first made its intentions known in July, but webmasters have now been given a formal warning of the changes afoot.

The original announcement led to a serious debate on the blink-dev forum, and according to Google, granted time to Symantec to “modernize and redesign its infrastructure to adhere to industry standards.”

In 2015, a Symantec root certificate was discovered that did not comply with modern security standards, leading to Google revoking trust for the certificate. In January this year, the security firm issued test and example certificates by accident through a partner, leading to an inquiry.

Certificate Authorities (CAs) and the security certificates they issue are meant to guarantee a basic level of security, but if a CA is mistrusted, these certificates can place the end user at risk when attempting to connect to a web domain.

The refined timeline, therefore, is useful for site operators. Webmasters using a certificate issued by a Symantec CA prior to 1 June 2016 will need to replace their existing certificate before the deadline.

Around the week of 23 October 2018, Chrome 70 is due for release, which will “fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued,” according to Google.

“This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google,” the company says.

It is still possible for webmasters to gain certificates from Symantec’s existing CA infrastructure, but they will need to be replaced prior to Chrome 70 — and they will have validity restricted to 13 months.

Google has provided a detailed timeline of the changes, which can be viewed here.

Now that DigiCert has taken over Symantec’s CA business, we can hope that new certificates will all meet modern security standards and these kinds of failures will not occur in the future.

In July, Symantec acquired mobile security firm Skycure, an Israeli company which provides a predictive threat detection platform for mobile devices.


Google Details Plan To Distrust Symantec Certificates

After a series of incidents involving Symantec and its wrongfully issued certificates, Google eventually decided to distrust Symantec’s certificates in March. The company is now releasing a more detailed plan for how that process will go.

The plan was first discussed on the Blink (Chrome’s rendering engine) development mailing list with the community, and it started taking shape by the end of July of this year.

Why Symantec’s Certificates Will Be Distrusted

On January 19, after the incidents between Symantec and Google, a public posting to the mozilla.dev.security.policy newsgroup drew attention to some questionable website certificates issued by Symantec that did not comply with the CA/Browser Forum Baseline Requirements. Symantec’s Corporate Public Key Infrastructure (PKI) operates a series of certificate authorities under the brand names Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.

In the follow-up investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight. Google also claimed that Symantec had been aware of the security deficiencies of these organizations for some time, but took little or no action to fix them.

This was just one more of the several incidents that made the Chrome engineers lose trust in Symantec’s certificate infrastructure and all the certificates that could be issued by it. After Google announced its plan to distrust Symantec’s certificates, Symantec decided to sell its certificate business to DigiCert, a competitor, which would also have to rebuild the Symantec infrastructure to be more trustworthy.

Timeline For Banning Symantec Certificates

Starting with Chrome 66 (we’re now at version 61), the browser will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Website operators that use Symantec certificates issued before that date should be looking to replace their certificates by April 2018, when Chrome 66 is expected to come out.

Starting with Chrome 62 (next version), the built-in DevTools will also warn operators of Symantec certificates that will be distrusted in Chrome 66.

After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be valid in Chrome.

By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.

Website operators can replace their old Symantec certificates with certificates from DigiCert from December 1 or from any other CA trusted by Google’s Chrome browser.

Symantec Certificates Are Not Being Dis-Trusted on August 8th.

Don’t worry, your certificates are not days away from being invalid.

If you have been following the Symantec/Google (and Mozilla) saga you likely know two things: it has been very confusing, and if you use Symantec certificates (or any of its other brands – RapidSSL, Thawte, or GeoTrust) you are going to need to replace your certificates at some point.

Google announced its final plan last week – which will affect existing certificates starting April 2018. However, we have seen that some users are still confused if this is accurate. This post is here to set the record straight.

Google’s previous and now outdated proposal would have had a large number of Symantec certificates becoming invalid on August 8th, 2017 – as in, a few days from now. This is no longer applicable – it’s not happening.

Instead, Google opted to push back any action involving existing certificates until April 2018 (in the “Stable” version of Chrome – which most end users use. See our note below on pre-release versions). To learn about Google’s final proposal, which you should be planning your changes around, please read this dedicated post.

Some have been concerned that the lack of an official post on Google’s Security Blog means it is unclear what plan is being put into action.

We understand the value of a Professional & Official Post – especially when you are about to convince your organization that they don’t need to worry about certificate errors in 4 days.

But since that does not exist, we are hoping this post can be the next best thing. We are going to provide citations and everything to give you (and your coworkers) all the reassurance needed to enjoy your weekends.

  1. First, let’s look the proposal posted on July 27th. Darin Fisher, VP of Chrome Engineering, wrote:

    “Representing Google Chrome and the Chromium open source project, what follows is our final proposal on this matter….Chrome 66 will distrust Symantec-issued TLS certificates issued before June 1, 2016, which is tentatively scheduled [to release] on April 17, 2018.”

    This was the post that superseded previous plans and is Google’s final and current dates for removing trust for existing certificates.

    We will say it again: it starts April 2018. We will again plug our summary of Chrome’s final plan of action – read this if you want to see all the relevant dates and changes.

  2. A second post from a Googler, this one by Devon O’Brien, who works on Chrome’s Security team (see their by-line on this official blog post), reaffirms that the older plan is outdated:

    “The previously-stated August 2017 dates are no longer applicable.”

  3. Finally, Peter Bowen, who runs Amazon’s Certificate Authority and is an expert on how browser trust works, explained (in two different posts) that at this point it would be technically impossible for Symantec certificates to be affected on August 8th because no code has been added to Chrome to do that:

    “As of this morning [August 3rd], there is zero code landed in Chromium to implement any of the changes here, so August 8 is very much not happening”


Hopefully, this can set the record straight and clear up any confusion people may have had. It’s April 2018, not August 2017. Capisce?

A Note On “Beta” and “Canary”

Google distributes four versions of Chrome: “Stable,” “Beta,” “Dev,” and “Canary.” It refers to these as its ‘channels.’

The Stable channel is the version for the general public. This is the fully-tested, ‘standard’ version that is on hundreds of millions of computers.

The other three versions are all pre-release versions that allow you to test upcoming versions of Chrome before they are finalized. That does not mean these are some sort of unstable, crazy-looking alternatives. For the most part, the other three Chrome channels look and feel the same and are fairly usable.

Each channel is ‘rougher’ than the last – meaning it has been tested less and has more bugs. Each Chrome version passes through the channels – starting at Canary, usually months in advance – and makes its way to Stable when it is ready for prime time.

The majority of your website’s customers and visitors will be using Stable, however, some small percentage will be on one of the other channels and will see Symantec certificates become untrusted earlier.

So, if you can, you should try to replace affected certificates early in order to avoid inconveniencing this small portion of users.

Here is an approximate breakdown of when Chrome versions 66 and 70, the two versions which will have changes for Symantec certificates, release for each channel. The exact dates may change slightly due to delays or distribution:

Chrome 66 (certificates affected: any Symantec certificates issued before June 1st, 2016)
    Stable: April 17, 2018 | Beta: March 15, 2018 | Canary: Jan 19, 2018

Chrome 70 (certificates affected: ALL Symantec certificates issued from their current roots, which will be everything issued before December 1st, 2017)
    Stable: Oct 23, 2018 | Beta: Sept 13, 2018 | Canary: July 31, 2018

(These dates are calculated from Darin Fisher’s post and from this Chromium page. The Dev channel is not included because it does not have a strict release schedule.)

Mozilla To Match Google’s Plan for Symantec Certificates

The Two Major Browsers Will Support The Same Timeline For Consistency

Last week Symantec and Google brought their long-deliberated negotiations to a close and announced a public decision for handling certificates from Symantec’s current infrastructure.

This was a major announcement for the internet community, which had been eagerly awaiting a decision since discussions started in March.

However, there are four major root programs, operated by Google, Mozilla, Microsoft, and Apple, whose products account for the majority of end-user devices and software. Each root program makes independent decisions on how it will react to violations by Certificate Authorities.

Now Mozilla, who manages the root program for Firefox and NSS (a set of open source crypto libraries), has announced that it will mirror most of Google’s decision.

The broad results of that plan are:

  • Symantec’s existing root certificates will be retired. New roots will be submitted to root programs.
  • Symantec will continue issuing certificates via a partnered Certificate Authority as it goes through the process of having its new roots audited and distributed.
  • Symantec certificates issued before June 1st, 2016 (when they started Certificate Transparency logging) will need to be replaced by reissuing the certificates (for free) or they can be renewed early.
  • In October 2018 all Symantec certificates issued from their current roots will need to be replaced.

For complete details on how Symantec certificates will be affected, and how to replace your certificates to avoid any issues, please read our dedicated post.

Gervase Markham, who works on Mozilla’s root program, stated: “we have decided to match the dates proposed by Google for Chrome (within a few weeks; exact Firefox releases will be determined nearer the time).”

Because Firefox and Chrome’s release schedules do not match up exactly, Mozilla may implement its changes a few weeks before or after Chrome. Browser releases are only estimated and a guaranteed date is not published this far in advance. Organizations are encouraged to make any necessary changes in advance in case Firefox’s implementation is a few weeks early.

What About Apple and Microsoft?

Apple and Microsoft also manage their own platforms’ root certificate stores. As usual, neither company has publicly commented on what, if anything, they will do in regards to Symantec.

Unlike Google and Mozilla, who operate their root programs with a great degree of transparency, Apple and Microsoft do not host any public discussions or welcome comments. Those two are the remaining major root programs that have yet to take action against Symantec.

But don’t worry.

It’s normal for their decisions to come last. Usually, they match their more eager colleagues or go with less severe changes.

For organizations and websites affected by these changes to Symantec trust, it is safe to start planning around Google’s announced plan. Unless they break precedent, Apple and Microsoft’s plans should not conflict with Google and Mozilla.

Symantec to Sell Web Certificates Business to Thoma Bravo

Cyber security company Symantec has agreed to sell its business that helps verify the identity of websites to buyout firm Thoma Bravo, people familiar with the matter said on Wednesday, a move that extricates it from a feud with Alphabet’s Google.

Thoma Bravo is planning to merge its own Web certification company called DigiCert with the Symantec unit it will acquire, the sources said, asking not to be identified ahead of an official announcement expected later on Wednesday.

Symantec stands to receive close to $1 billion in an upfront cash payment as a result of the deal, and will retain a minority stake in the new company that is merged with DigiCert, the sources added.

Thoma Bravo and Symantec declined to comment. DigiCert did not immediately return a request for comment.

The Symantec unit has become a point of contention with Google’s Chrome and other Web browser owners, which have criticized the way Symantec validates its Web certificates. Symantec and DigiCert both issue these Web certificates which help verify the identity of websites so that they can be trusted by those browsing the Internet.

Google demanded major changes to the division’s underlying technology and business practices in order for its browser, Chrome, to continue respecting Symantec certificates, and the two sides have been negotiating since then.

Google did not respond to a request for comment on Wednesday.

Symantec acquired most of its Web certification business in 2010, when it paid $1.28 billion to buy Verisign’s security business. Thoma Bravo bought a majority stake in DigiCert in 2015 for an undisclosed sum.

The sale comes more than a year after Symantec parted with its data storage business Veritas in a $7.4 billion deal with private equity firm Carlyle Group.

Under CEO Greg Clark, Mountain View, California-based Symantec has been one of the few cyber security companies to pursue large deals.


Symantec completed its $2.3 billion acquisition of LifeLock in February, a move that bolstered its consumer security business. That followed the purchase of Blue Coat for $4.65 billion last year, which expanded its product line for large corporations.