Apple to Distrust Non-CT logged SSL/TLS Certificates July 20

The announcement is an addition to Apple’s Symantec CA distrust plan

Apple has clarified its Symantec CA distrust plan, which has an upcoming July 20 deadline. Any Symantec CA SSL certificates issued between June 1, 2016 and December 1, 2017 will be distrusted if they were not published to a Certificate Transparency log.

This applies to Symantec CA certificates only; for the rest of the SSL/TLS ecosystem, Apple’s CT deadline is still October 15. It’s worth noting that the requirement will affect SSL/TLS use cases beyond just web content in a browser; affected applications will include:

  • macOS High Sierra
  • macOS apps
  • iOS 11
  • iOS apps
  • Safari browser

This is unlikely to have a major impact as the distrust will mostly affect certificates that have already been penalized by Google’s Chrome browser and Mozilla Firefox. Additionally, Symantec, following its previous dust-ups with Google, was already under a requirement to log the certificates it was issuing, anyway.

Still, site owners will want to double-check on their Symantec CA SSL certificates lest they be distrusted by one of the big four web browsers.

How can I tell if my SSL certificate has been CT logged?

Let’s start with this: Certificate Transparency is handled at the industry level, so end users don’t have to do anything to log their own certificates. The CAs have to do that. There are a couple of ways that you can check whether an SSL certificate you were issued has been logged, though. The first involves checking the certificate details in your browser.

  1. Navigate to your website
  2. Click on the padlock icon in the address bar of your browser
  3. Find where you can view the certificate or the certificate details
  4. Look for the string: ‘1.3.6.1.4.1.11129.2.4.2’

If you find it, that means your certificate is logged. That OID is the same for all CT-logged certificates. Now, the browsers display this information a bit differently. For instance, Safari displays it as such:

Safari Certificate Transparency

Firefox refers to it as the Object Identifier.

Firefox Certificate Transparency

And Google Chrome makes you go through its menu: select Developer Tools from the “More Tools” section, then navigate to the Security tab, where you can view the certificate details by clicking the “Main Origin.”

Google Chrome Certificate Transparency

If you’re using Microsoft Edge or just don’t feel like clicking around in your browser, there’s one other way to check. You can use Symantec’s CryptoReport:

  1. Go to the Symantec CryptoReport.
  2. Enter your URL.
  3. Check for:  “Certificate Transparency: Embedded in certificate”

If that line is present, congratulations! You’re good to go.

If it’s not, and you are using a Symantec CA brand SSL certificate issued between June 1, 2016 and December 1, 2017, you need to re-issue or replace your SSL certificate immediately. Your replacement will be free from DigiCert, which has now acquired the Symantec CA and has been working diligently for the past 9 months to replace millions of affected certificates.
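The OID check from the browser steps and the issuance window above can also be scripted against a certificate file. The following Python is an added example, not part of the original article or any vendor tool: it walks the DER structure with the standard library only, and it assumes you already know the certificate chains to a Symantec CA brand. The names `ct_status`, `children`, `tlv` and `sample_cert`, and the sample certificate bytes, are constructed for illustration.

```python
from datetime import datetime
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"                # OID the article says to look for
WINDOW = (datetime(2016, 6, 1), datetime(2017, 12, 1))  # issuance window from the article (UTC)

def children(buf):                                # split DER bytes into (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                         # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(raw):
    arcs, n = [], 0
    for byte in raw:
        n = (n << 7) | (byte & 0x7F)              # base-128 digits, high bit means more follow
        if not byte & 0x80:
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)                 # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ct_status(der):                               # -> (not_before, has_embedded_sct, at_risk)
    tbs = children(children(children(der)[0][1])[0][1])   # Certificate -> TBSCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0             # optional [0] version comes first
    tag, val = children(tbs[i + 3][1])[0]         # serial, sigAlg, issuer, validity -> notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime or GeneralizedTime
    not_before = datetime.strptime(val.decode("ascii"), fmt)
    oids = {decode_oid(children(ext)[0][1])
            for t, v in tbs if t == 0xA3          # [3] extensions
            for _, ext in children(children(v)[0][1])}
    has_sct = SCT_LIST_OID in oids
    return not_before, has_sct, WINDOW[0] <= not_before <= WINDOW[1] and not has_sct

def tlv(tag, *parts):                             # DER encoder for the sample (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, with_sct):            # constructed, cert-shaped DER; not a real cert
    sct = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010401d679020402")), tlv(0x04, b"\x04\x00"))
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")), tlv(0x04, b"\x30\x00")) + (sct if with_sct else b"")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", tlv(0x30), tlv(0x30),
              tlv(0x30, tlv(0x17, not_before), tlv(0x17, b"491231235959Z")),
              tlv(0x30), tlv(0x30), tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))
```

For a PEM file, convert it first with the standard library’s `ssl.PEM_cert_to_DER_cert` and pass the resulting bytes to `ct_status`.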

To be clear, this affects all Symantec CA brands:

  • Symantec
  • GeoTrust
  • Thawte
  • RapidSSL

So make sure to verify that you’re using a logged certificate or else you’re going to be in trouble next week.

 


Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.