Governance & Risk Management , Privacy

Don't Delay: Replace Symantec TLS/SSL Certs Now

Google Will Slowly Start Pulling the Rug From Under Symantec's Digital Certificates

A major operation to cleanse websites of dodgy digital certificates created under questionable circumstances has begun. Google has issued the orders: Purge digital certificates that were issued by Symantec before June 1, 2016.

See Also: 2021: A Cybersecurity Odyssey

The clean-out orders mark a step forward following a sharp spat between two major technology companies. Google, as well as other browser makers, including Mozilla, were concerned that Symantec's digital certificate business had lost quality control, resulting in dangers for those who browse the web.

Symantec has long been in the business of selling the digital certificates that secure an encrypted connection between someone's web browser and a service. Known as Transport Layer Security, or its older name, Secure Sockets Layer, the certificates are crucial for security, scrambling web traffic so it's unreadable to outsiders.

Suspicious Certificates

Google alleged Symantec had issued digital certificates without thoroughly verifying requesters. That's crucial, because holding a certificate for a website means an attacker could potentially decrypt web traffic, exposing sensitive data (see Google Outlines Plan to Reject Symantec's Digital Certificates).

Symantec had a robust TLS business. Through acquisitions of TLS businesses run by VeriSign, Thawte, Equifax and others, it held about 30 percent of the market.

Part of the reason Google became so involved in the debate is that it was one of the victims of lax TLS issuance. Google charged in September 2016 that it found Symantec's Thawte division issued extended validation pre-certificates for www.google.com and google.com, an egregious and potentially dangerous error.

There are several flavors of TLS certificates, with varying levels of verification that are supposed to be performed by the issuer. But extended validation certificates - often the most expensive kind to purchase - are supposed to have the highest level of assurance that the requester has been vetted.

The dispute spilled out in public. Symantec asserted in March that Google's public statements were "unexpected" and "irresponsible." It also disputed Google's contention that it had found 30,000 certificates that had been improperly issued, instead saying it had found only 127 suspect ones.

Nonetheless, Symantec bailed on its SSL business. It announced last month that it would sell its website security and PKI business to DigiCert for $950 million plus 30 percent in common stock equity. DigiCert appeared enthusiastic about the challenge, saying: "We feel confident that this agreement will satisfy the needs of the browser community."

What You Need To Do

On Monday, Google outlined in a blog post the timelines for when website operators need to replace their certificates. If the certificates are not replaced, Google's Chrome browser will warn of an invalid certificate in place and that the site should not be trusted.

DigiCert's infrastructure will begin handling the issuing of new certificates on Dec. 1. "Certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome," according to a post in Google's developer forum.

The race will be on to replace those certificates issued by Symantec before June 1, 2016, in advance of the release of Chrome 66. That version of the browser will be released in beta on March 15, 2018, and to stable users around April 17, 2018, Google says.

"The distrust of these certificates is necessary and is specifically targeted at removing the risk of trusting old certificates that were issued under an inadequately controlled infrastructure," according to the forum post.

Google and Mozilla hoped to begin distrusting the certificates by the end of this year. But the timeline was moved due to the size of Symantec's TLS business and the need to give operators enough time to make the changes.

Site operators will need to obtain new certificates that come from a trusted Certificate Authority, which are supposed to abide by the security guidelines of the CA/Browser Forum.

Google says its Chrome 70, due to come out on Oct. 23, 2018, will fully "remove trust in Symantec's old infrastructure and all of the certificates it has issued. This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google."