Symantec Certificates Are Not Being Dis-Trusted on August 8th
Don’t worry, your certificates are not days away from being invalid.
If you have been following the Symantec/Google (and Mozilla) saga you likely know two things: it has been very confusing, and if you use Symantec certificates (or any of its other brands – RapidSSL, Thawte, or GeoTrust) you are going to need to replace your certificates at some point.
Google announced its final plan last week – which will affect existing certificates starting April 2018. However, we have seen that some users are still unsure whether this is accurate. This post is here to set the record straight.
Google’s previous and now outdated proposal would have had a large number of Symantec certificates becoming invalid on August 8th, 2017 – as in, a few days from now. This is no longer applicable – it’s not happening.
Instead, Google opted to push back any action involving existing certificates until April 2018 (in the “Stable” version of Chrome – which most end users use. See our note below on pre-release versions). To learn about Google’s final proposal, which you should be planning your changes around, please read this dedicated post.
Some have been concerned that the lack of an official post on Google’s Security Blog means it is unclear what plan is being put into action.
We understand the value of a Professional & Official Post – especially when you are about to convince your organization that they don’t need to worry about certificate errors in 4 days.
But since that does not exist, we are hoping this post can be the next best thing. We are going to provide citations and everything to give you (and your coworkers) all the reassurance needed to enjoy your weekends.
- First, let’s look at the proposal posted on July 27th. Darin Fisher, VP of Chrome Engineering, wrote: “Representing Google Chrome and the Chromium open source project, what follows is our final proposal on this matter….Chrome 66 will distrust Symantec-issued TLS certificates issued before June 1, 2016, which is tentatively scheduled [to release] on April 17, 2018.”
This post superseded previous plans and gives Google’s final and current dates for removing trust in existing certificates.
We will say it again: it starts April 2018. We will again plug our summary of Chrome’s final plan of action – read this if you want to see all the relevant dates and changes.
- A second post from a Googler, this one by Devon O’Brien, who works on Chrome’s Security team (see their by-line on this official blog post), reaffirms that the older plan is outdated: “The previously-stated August 2017 dates are no longer applicable.”
- Finally, Peter Bowen, who runs Amazon’s Certificate Authority and is an expert on how browser trust works, explained (in two different posts) that at this point it would be technically impossible for Symantec certificates to be affected on August 8th because no code has been added to Chrome to do that: “As of this morning [August 3rd], there is zero code landed in Chromium to implement any of the changes here, so August 8 is very much not happening”
Hopefully, this can set the record straight and clear up any confusion people may have had. It’s April 2018, not August 2017. Capisce?
A Note On “Beta” and “Canary”
Google distributes four versions of Chrome: “Stable,” “Beta,” “Dev,” and “Canary.” It refers to these as its ‘channels.’
The Stable channel is the version for the general public. This is the fully-tested, ‘standard’ version that is on hundreds of millions of computers.
The other three versions are all pre-release versions that allow you to test upcoming versions of Chrome before they are finalized. That does not mean these are some sort of unstable, crazy-looking alternatives. For the most part, the other three Chrome channels look and feel the same and are fairly usable.
Each channel is ‘rougher’ than the last – meaning it has been tested less and has more bugs. Each Chrome version passes through the channels – starting at Canary, usually months in advance – and makes its way to Stable when it is ready for prime time.
The majority of your website’s customers and visitors will be using Stable; however, some small percentage will be on one of the other channels and will see Symantec certificates become untrusted earlier.
So, if you can, you should try to replace affected certificates early in order to avoid inconveniencing this small portion of users.
Here is an approximate breakdown of when Chrome versions 66 and 70, the two versions which will have changes for Symantec certificates, release for each channel. The exact dates may change slightly due to delays or distribution:
| Version | Certificates Affected | Stable | Beta | Canary |
|---|---|---|---|---|
| Chrome 66 | Any Symantec certificates issued before June 1st, 2016 | April 17, 2018 | March 15, 2018 | Jan 19, 2018 |
| Chrome 70 | ALL Symantec certificates issued from their current roots (which will be everything issued before December 1st, 2017). | Oct 23, 2018 | Sept 13, 2018 | July 31, 2018 |
(These dates are calculated from Darin Fisher’s post and from this Chromium page. The Dev channel is not included because it does not have a strict release schedule.)
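To plan replacements against the table above, the following added example (not part of the original post) reads the output of `openssl x509 -noout -issuer -startdate` and reports which Chrome version first affects a certificate and when that version reaches a given channel. Matching the brand names in the issuer string is an assumption made for this example; the sample certificates are constructed.

```python
from datetime import date, datetime

# Brands named in the post. Matching them in the issuer string is an assumption
# of this example; the post does not say how Chrome identifies the certificates.
BRANDS = ("symantec", "rapidssl", "thawte", "geotrust")

# (Chrome version, issued-before cutoff, approximate release date per channel),
# copied from the table above.
MILESTONES = [
    (66, date(2016, 6, 1), {"Stable": date(2018, 4, 17),
                            "Beta": date(2018, 3, 15),
                            "Canary": date(2018, 1, 19)}),
    (70, date(2017, 12, 1), {"Stable": date(2018, 10, 23),
                             "Beta": date(2018, 9, 13),
                             "Canary": date(2018, 7, 31)}),
]

def parse_openssl(text):
    """Read issuer and notBefore from `openssl x509 -noout -issuer -startdate`."""
    issuer = not_before = None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "issuer":
            issuer = value.strip()
        elif key.strip() == "notBefore":
            stamp = value.replace("GMT", "").strip()
            not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date()
    if issuer is None or not_before is None:
        raise ValueError("expected both an issuer= and a notBefore= line")
    return issuer, not_before

def distrust_date(text, channel="Stable"):
    """Return (chrome_version, date) for the first release affecting the cert, or None."""
    issuer, not_before = parse_openssl(text)
    if not any(brand in issuer.lower() for brand in BRANDS):
        return None  # not one of the brands the post names
    for version, cutoff, releases in MILESTONES:
        if not_before < cutoff:  # "issued before": the cutoff day itself is excluded
            return version, releases[channel]
    return None  # issued on or after December 1st, 2017: outside both cutoffs

# Constructed sample outputs (not real certificates).
OLD_CERT = "issuer=C = US, O = GeoTrust Inc., CN = Example CA\nnotBefore=May 10 00:00:00 2016 GMT"
EDGE_CERT = "issuer=C = US, O = thawte, Inc., CN = Example CA\nnotBefore=Jun  1 00:00:00 2016 GMT"
OTHER_CA = "issuer=C = US, O = Example Trust, CN = Example CA\nnotBefore=May 10 00:00:00 2016 GMT"

if __name__ == "__main__":
    for name, sample in [("old", OLD_CERT), ("edge", EDGE_CERT), ("other", OTHER_CA)]:
        print(name, distrust_date(sample, "Canary"))
```

Passing `"Canary"` as the channel gives the earliest date any Chrome user would see the certificate become untrusted, which is the date to replace it by if you want to cover pre-release users as well.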