Apple to Distrust Non-CT logged SSL/TLS Certificates July 20
The announcement is an addition to Apple’s Symantec CA distrust plan
Apple has clarified its Symantec CA distrust plan, which has an upcoming July 20 deadline. Any Symantec CA SSL certificates issued between June 1, 2016 and December 1, 2017 will be distrusted if they were not published to a Certificate Transparency log.
This applies to Symantec CA certificates only; for the rest of the SSL/TLS ecosystem, Apple’s CT deadline is still October 15. It’s worth noting that the requirement will affect SSL/TLS use cases beyond just web content in a browser; affected applications will include:
- macOS High Sierra
- macOS apps
- iOS 11
- iOS apps
- Safari browser
This is unlikely to have a major impact, as the distrust will mostly affect certificates that Google Chrome and Mozilla Firefox have already penalized. Additionally, Symantec, following its previous dust-ups with Google, was already required to log every certificate it issued from June 1, 2016 onward.
Still, site owners will want to double-check on their Symantec CA SSL certificates lest they be distrusted by one of the big four web browsers.
How can I tell if my SSL certificate has been CT logged?
Let’s start with this: Certificate Transparency is handled within the industry. End users don’t have to do anything to log their own certificates; the CAs do that, typically by submitting a precertificate to one or more logs and embedding the Signed Certificate Timestamps (SCTs) the logs return in the issued certificate. (SCTs can also be delivered in the TLS handshake or in a stapled OCSP response, but the embedded form is what the checks below look for.) There are a couple of ways you can check whether an SSL certificate you were issued has been logged. The first involves checking the certificate details in your browser.
- Navigate to your website
- Click on the padlock icon in the address bar of your browser
- Find where you can view the certificate or the certificate details
- Look for the string: ‘1.3.6.1.4.1.11129.2.4.2’
If you find it, that means your certificate carries embedded SCTs, i.e. it was logged at issuance. That OID (the RFC 6962 embedded SCT list extension) is the same for all CT-logged certificates. Now, the browsers display this information a bit differently. Safari shows it among the certificate details, Firefox refers to it as the Object Identifier, and Google Chrome makes you open Developer Tools from the “More Tools” menu, navigate to the Security panel, and click “Main Origin” to view the certificate details.
If you’re using Microsoft Edge, or just don’t feel like clicking around in your browser, there’s one other way to check: Symantec’s CryptoReport tool.
- Go to the Symantec CryptoReport.
- Enter your URL.
- Check for: “Certificate Transparency: Embedded in certificate”
If that line is present, congratulations! You’re good to go.
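As an added worked example (not part of the original post), the following Python script does the OID check from the browser steps above programmatically and also decodes what sits behind CryptoReport’s “Embedded in certificate” line: it walks the certificate’s DER structure looking for extension OID 1.3.6.1.4.1.11129.2.4.2 and, if found, parses the RFC 6962 SCT list inside it (log ID, timestamp, signature algorithm). The sample input is a constructed Extensions block with two fake SCTs and made-up log IDs, so it runs offline; the `scts_from_pem` helper is there for feeding it a real PEM certificate, for example one fetched with `ssl.get_server_certificate`. The function names are my own, and it uses only the standard library.

```python
"""Find and decode embedded Certificate Transparency SCTs in DER (added example)."""
import ssl
import struct
from datetime import datetime, timezone

# DER content bytes of OID 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list, RFC 6962 3.3)
SCT_LIST_OID_DER = bytes.fromhex("2b06010401d679020402")


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Yield the (tag, value) elements directly inside a constructed value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        yield tag, value


def _walk(data):
    """Yield every (tag, value) in the structure, descending into constructed types."""
    for tag, value in _children(data):
        yield tag, value
        if tag & 0x20:                       # constructed bit: SEQUENCE, SET, explicit [n]
            yield from _walk(value)


def parse_sct_list(blob):
    """Decode a TLS-encoded SignedCertificateTimestampList (RFC 6962 3.3)."""
    (total,) = struct.unpack_from("!H", blob, 0)
    pos, end, scts = 2, 2 + total, []
    while pos < end:
        (n,) = struct.unpack_from("!H", blob, pos)
        sct = blob[pos + 2:pos + 2 + n]
        pos += 2 + n
        (ts_ms,) = struct.unpack_from("!Q", sct, 33)     # after version(1) + log_id(32)
        (ext_len,) = struct.unpack_from("!H", sct, 41)
        sig_off = 43 + ext_len                           # SignatureAndHashAlgorithm
        (sig_len,) = struct.unpack_from("!H", sct, sig_off + 2)
        scts.append({
            "version": sct[0],                           # 0 == v1
            "log_id": sct[1:33].hex(),                   # SHA-256 of the log's public key
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": sct[sig_off],                    # 4 == sha256
            "sig_alg": sct[sig_off + 1],                 # 3 == ecdsa, 1 == rsa
            "signature": sct[sig_off + 4:sig_off + 4 + sig_len],
        })
    return scts


def find_embedded_scts(der_bytes):
    """Return decoded SCTs if the SCT-list extension is present, else None."""
    for tag, value in _walk(der_bytes):
        if tag != 0x30 or not value:         # extensions are SEQUENCEs
            continue
        members = list(_children(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if members[0] == (0x06, SCT_LIST_OID_DER):
            for inner_tag, inner_value in members:
                if inner_tag == 0x04:
                    return parse_sct_list(inner_value)
    return None


def scts_from_pem(pem_text):
    """Same check for a PEM certificate, e.g. from ssl.get_server_certificate()."""
    return find_embedded_scts(ssl.PEM_cert_to_DER_cert(pem_text))


# ---- constructed sample data: fake log IDs and dummy signatures, not real SCTs ----

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _fake_sct(log_id_byte, ts_ms):
    body = (bytes([0]) + bytes([log_id_byte]) * 32 + struct.pack("!Q", ts_ms)
            + struct.pack("!H", 0)                                  # no CT extensions
            + bytes([4, 3]) + struct.pack("!H", 8) + b"\x00" * 8)   # sha256/ecdsa, dummy sig
    return struct.pack("!H", len(body)) + body


def build_sample_extensions():
    """An X.509 Extensions SEQUENCE: a keyUsage extension, then an SCT list with two fake SCTs."""
    sct_list = _fake_sct(0xAA, 1_500_000_000_000) + _fake_sct(0xBB, 1_500_003_600_000)
    sct_ext = _der(0x30, _der(0x06, SCT_LIST_OID_DER)
                   + _der(0x04, struct.pack("!H", len(sct_list)) + sct_list))
    key_usage = _der(0x30, _der(0x06, bytes.fromhex("551d0f")) + _der(0x01, b"\xff")
                     + _der(0x04, _der(0x03, b"\x05\xa0")))
    return _der(0x30, key_usage + sct_ext)


if __name__ == "__main__":
    found = find_embedded_scts(build_sample_extensions())
    if found is None:
        print("No embedded SCTs: certificate was not CT logged at issuance")
    for s in found or []:
        print(f"SCT v{s['version'] + 1} log {s['log_id'][:16]}... at {s['timestamp']:%Y-%m-%d %H:%M:%SZ}")
```

Finding the extension tells you the CA embedded SCTs; it does not by itself prove the SCTs come from logs Apple accepts or that their signatures are valid. For that you would compare each `log_id` against the log list Apple publishes and verify the signature with that log’s public key, which this script deliberately does not do.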
If it’s not, and you are using a Symantec CA brand SSL certificate issued between June 1, 2016 and December 1, 2017, you need to re-issue or replace your SSL certificate immediately. Your replacement will be free from DigiCert, which acquired the Symantec CA business and has spent the past nine months replacing millions of affected certificates.
To be clear, this affects all Symantec CA brands:
- Symantec
- GeoTrust
- Thawte
- RapidSSL
So make sure to verify that you’re using a logged certificate or else you’re going to be in trouble next week.