Mozilla Pushes Back Symantec Distrust Date
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Mozilla Pushes Back Symantec Distrust Date

Enough websites still haven’t replaced their Symantec CA brand SSL certificates, so Mozilla is hitting pause.

Yesterday we gave one final warning to website owners that with the upcoming release of Google Chrome 70, if they haven’t already replaced their Symantec CA brand SSL certificate their websites would break.

And while Google is still moving full-speed ahead with its distrust plans, Mozilla – who had originally announced it would match Google’s plan – is now hitting the pause button on said distrust.

In a blog post from earlier today, Wayne Thayer, the head of Mozilla’s root program, announced that due to the number of websites that have not swapped out their ill-fated SSL certificates, Mozilla will not be pushing ahead as scheduled.

Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free. We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.

According to Mozilla, more than 1% of the Alexa top 1,000,000 (over 10,000) are still using Symantec CA brand SSL certificates issued before December 1, 2017.

Mozilla Firefox pushing back Symantec distrust
Graph courtesy of Mozilla

If you don’t know how to read that graph, that makes two of us. I’m kidding, horizontally you can see the date range from June 2018-October 2018. Vertically, you can see the percentage of sites that still have one of the soon-to-be distrusted Symantec SSL certificate installed. According to this, 4 of the top 100 websites are still sporting outmoded Symantec certificates, too.

Mozilla pushes back distrust of Symantec SSL certificatesUnpacking this all a bit more, Firefox Nightly is basically Mozilla’s version of Chrome Canary. It’s an advance browser where Mozilla tries out new features and gets community feedback from advance users. Nightly is updated pretty much daily and is usually a couple of versions ahead of the stable version of Firefox that’s current.

Firefox Nightly has already distrusted Symantec CA SSL certificates issued before December 1, 2017. Fortunately, a small enough percentage of people use Nightly that there was minimal impact. What Mozilla is hitting pause on is moving the distrust into its Beta browser as a default. It will still be enabled, should users want to activate it, but overall Mozilla is pausing on its distrust to give websites more time to replace their certificates.

Google, on the other hand, is unlikely to wait. So our advice still stands, if you haven’t already replaced any Symantec CA SSL certificates issued before December 1, 2017 – do it now.

Because while Mozilla might give you a break, Google still plans on breaking your site.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.