Apple to Distrust Non-CT logged SSL/TLS Certificates July 20
The announcement is an addition to Apple’s Symantec CA distrust plan
Apple has clarified its Symantec CA distrust plan, which has an upcoming July 20 deadline. Any Symantec CA SSL certificates issued between June 1, 2016 and December 1, 2017 will be distrusted if they were not published to a Certificate Transparency log.
This is for Symantec CA certificates only; for the rest of the SSL/TLS ecosystem, Apple's CT deadline is still October 15. It's worth noting that the requirement will affect SSL/TLS use cases beyond just web content in a browser; affected platforms and applications include:
- macOS High Sierra
- macOS apps
- iOS 11
- iOS apps
- Safari browser
This is unlikely to have a major impact as the distrust will mostly affect certificates that have already been penalized by Google’s Chrome browser and Mozilla Firefox. Additionally, Symantec, following its previous dust-ups with Google, was already under a requirement to log the certificates it was issuing, anyway.
Still, site owners will want to double-check on their Symantec CA SSL certificates lest they be distrusted by one of the big four web browsers.
How can I tell if my SSL certificate has been CT logged?
Let's start with this: Certificate Transparency is an industry mechanism, and end users don't have to do anything to log their own certificates; the CAs do that. There are a couple of ways you can check whether an SSL certificate you were issued has been logged, though. The first involves checking the certificate details in your browser.
- Navigate to your website
- Click on the padlock icon in the address bar of your browser
- Find where you can view the certificate or the certificate details
- Look for the string: ‘1.3.6.1.4.1.11129.2.4.2’
If you find it, that means your certificate is logged. That OID is the same for all CT-logged certificates. Now, the browsers display this information a bit differently. For instance, Safari displays it as such:
Firefox refers to it as the Object Identifier.
And Google Chrome makes you go through its menu, select Developer Tools from the "More Tools" section, and then navigate to the Security panel, where you can view the certificate details by clicking "Main Origin."
If you're using Microsoft Edge or just don't feel like clicking around in your browser, there's one other way to check: Symantec's CryptoReport.
- Go to the Symantec CryptoReport.
- Enter your URL.
- Check for: “Certificate Transparency: Embedded in certificate”
If that line is present, congratulations! You’re good to go.
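Both checks above (the OID in the browser's certificate viewer and CryptoReport's "Embedded in certificate" line) come down to the same question: does the leaf certificate carry the RFC 6962 embedded SCT list extension, OID 1.3.6.1.4.1.11129.2.4.2? The following script is an added example, not code from the article or from Symantec/DigiCert; it answers that question from the command line with only the Python standard library, by fetching a server's certificate over TLS and walking its DER structure to list the extension OIDs. The `build_sample_cert` fixture is a constructed certificate skeleton (empty names, no real key or signature) that exists only to exercise the parser offline; the hostname passed on the command line is whatever you want to check.

```python
import ssl
import sys

# OID of the embedded SCT list extension (RFC 6962, section 3.3); this is the
# string the article says to look for in the browser's certificate details.
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"


def _read_length(buf, i):
    """Decode a DER length starting at buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:                      # short form: the byte is the length
        return first, i + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _children(buf):
    """Split a DER byte string into its top-level (tag, content) elements."""
    out, i = [], 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("truncated DER element")
        length, start = _read_length(buf, i + 1)
        stop = start + length
        if stop > len(buf):
            raise ValueError("DER element runs past end of buffer")
        out.append((buf[i], buf[start:stop]))
        i = stop
    return out


def decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted-decimal form."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                 # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if content[-1] & 0x80:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def extension_oids(cert_der):
    """Return the dotted OIDs of every extension in a DER-encoded X.509 certificate."""
    top = _children(cert_der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("input is not a single DER SEQUENCE")
    tbs = _children(top[0][1])[0][1]                 # TBSCertificate is the first element
    for tag, content in _children(tbs):
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            ext_seq = _children(content)[0][1]       # SEQUENCE OF Extension
            return [decode_oid(_children(ext)[0][1]) for _, ext in _children(ext_seq)]
    return []                                        # v1/v2 certificate: no extensions at all


def has_embedded_sct(cert_der):
    """True if the certificate carries the RFC 6962 embedded SCT list extension."""
    return SCT_LIST_OID in extension_oids(cert_der)


def check_host(host, port=443):
    """Fetch the server's leaf certificate over TLS and test it for embedded SCTs."""
    pem = ssl.get_server_certificate((host, port))
    return has_embedded_sct(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test fixture: a certificate skeleton, not a valid or signed certificate ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_cert(ext_oids):
    """Constructed DER skeleton carrying the given extension OIDs (empty names, no key, dummy signature)."""
    sig_alg = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11"))   # sha256WithRSAEncryption
    exts = b"".join(_tlv(0x30, _encode_oid(o) + _tlv(0x04, b"\x00")) for o in ext_oids)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _tlv(0x30, b"") * 4 + _tlv(0xA3, _tlv(0x30, exts)))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    host = sys.argv[1]
    print(host, "embedded SCT list:", "present" if check_host(host) else "MISSING")
```

Run it as `python3 check_sct.py www.example.com`. Note that this, like the browser and CryptoReport checks in the article, only detects SCTs embedded in the certificate itself; RFC 6962 also allows SCTs to be delivered in a TLS extension or in a stapled OCSP response, so a certificate that fails this check is not necessarily served without any SCTs, but it is exactly the case the article tells Symantec CA customers to fix.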
If it's not, and you are using a Symantec CA brand SSL certificate issued between June 1, 2016 and December 1, 2017, you need to re-issue or replace your SSL certificate immediately. Your replacement will be free from DigiCert, which has now acquired the Symantec CA and has been working diligently for the past 9 months to replace millions of affected certificates.
To be clear, this affects all Symantec CA brands:
- Symantec
- GeoTrust
- Thawte
- RapidSSL
So make sure to verify that you're using a logged certificate, or else you're going to be in trouble next week.