{"id":7671,"date":"2018-10-09T12:36:49","date_gmt":"2018-10-09T16:36:49","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7671"},"modified":"2020-11-24T09:27:32","modified_gmt":"2020-11-24T14:27:32","slug":"final-warning-last-chance-to-replace-symantec-ssl-certificates","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/final-warning-last-chance-to-replace-symantec-ssl-certificates\/","title":{"rendered":"Final Warning: Last chance to replace Symantec SSL certificates"},"content":{"rendered":"

Google Chrome 70 will roll out in about a week and all remaining Symantec SSL certificates will be distrusted<\/h2>\n

\"AtThis is the last week for website owners using Symantec SSL certificates issued before December 1, 2017 to replace their certificate. Failing to do so will result in your website breaking. Next week Google will roll out Chrome 70<\/a>, which will distrust all remaining Symantec CA brand SSL certificates. This is only for websites using SSL certificates issued off Symantec\u2019s roots<\/strong>. If you have re-issued or replaced your SSL certificate after December 1, 2017 this does not apply to you.<\/p>\n

If it feels like we\u2019ve covered this topic before<\/a>\u2014we have<\/a>. Extensively<\/a>. But this morning when I got to my office my boss wheeled in a large cart with a sheet draped over it and said, \u201cI need you to beat this dead horse.\u201d<\/p>\n

So, beat it I will. Here\u2019s a rundown of what\u2019s happening, how we got here and what you need to do if this change impacts you.<\/p>\n

Let\u2019s hash it out\u2026<\/span><\/p>\n

Why do Symantec SSL Certificates Need to be Replaced?<\/h2>\n

Sit back and let me tell you the tale of a Certificate Authority and a browser and how two companies nearly broke the internet. Ok, that might be a bit grandiose\u2014but you try writing about this for the 15th<\/sup> time and see how creative you get.<\/p>\n<\/span><\/span>\n

Back in 2015 Symantec ran afoul of Google for the first time<\/a> after issuing some bad test certificates. We tend to downplay the severity of this first mistake, but it was pretty major. Google found that Symantec had been issuing unauthorized SSL certificates domains owned by Google, Opera and three other organizations. The scandal caused Symantec to fire a number of employees and Google required Symantec to begin adding all the certificates it issued to Certificate Transparency logs<\/a>. At that point in time only EV certificates were required to be logged.<\/p>\n

\"SymantecA year later, Symantec got in trouble for mis-issuing a new batch of test certificates. While Symantec claimed it was just 33 certificates Google estimated it was more like 30,000. When Google investigated further it unearthed lax oversight over validation in some regions, too<\/a>.<\/p>\n

In college sports, the worst allegation that the NCAA (US college sports’ governing body) can level at a program is a loss of institutional control. That\u2019s basically what Google alleged after the second set of mis-issuances in 2016.<\/p>\n

Now, this is where the opinion tends to split. From the browsers\u2019 perspective (not just Google, but Mozilla, Apple and Microsoft, too) these mistakes undermined faith in Symantec\u2019s entire PKI. How could any Symantec SSL certificate be trusted knowing that there was such lax oversight over the validation required for issuance. By that logic, Symantec had to be distrusted.<\/p>\n

The other camp, which was largely consistent of the commercial CA industry, didn\u2019t have a problem so much with the distrust as with the potential impact to customers and end users<\/a>. The average site owner doesn\u2019t pay any attention to the goings on of the digital certificate industry. And Symantec is one of the few brands with crossover brand recognition owing to its highly-popular Norton Antivirus product. Outside of the SSL\/TLS industry Symantec enjoys a sterling reputation, that\u2019s part of what\u2019s buoyed its market share.<\/p>\n

Customers shouldn\u2019t be punished for choosing Symantec, especially given that they didn\u2019t have any idea about these issues in the first place. And even though Google attempted to give extended timelines<\/a> for replacement, that\u2019s still effectively what happened\u2014Symantec\u2019s customers were punished.<\/p>\n

DigiCert Saves the Day<\/h2>\n

The original plan between Google and Symantec<\/a> called for issuance to be passed on to a managed CA until Symantec could rebuild its own PKI. However, that was never really a tenable solution. Fortunately, DigiCert stepped in and purchased the Symantec CA in the Fall of 2017<\/a>.<\/p>\n

\"DigiCertIn the long run, that\u2019s probably the best thing that could have happened.<\/p>\n

It\u2019s still worth pointing out what an undertaking this was though. DigiCert didn\u2019t just purchase the rights to trademarks and brands, it acquired talent and infrastructure, too. Then it had to scramble to integrate new personnel, integrate various processes and systems and scale up all aspects of its operation \u2013 support, account management, sales \u2013 to incorporate Symantec’s customer-base with its own.<\/p>\n

And all of this needed to be finished up by the beginning of December so that it could start re-issuing millions (literally, millions) of certificates before Google\u2019s deadlines.<\/p>\n

That\u2019s a near Herculean effort, and aside from one or two cases \u2013 outliers \u2013 the internet hasn\u2019t broken.<\/p>\n

So, hats off to DigiCert.<\/p>\n

What Symantec CA Brand SSL certificates are going to be distrusted?<\/h2>\n

Ok, so let\u2019s get down to brass tacks. The final Google-Symantec distrust doesn\u2019t just affect Symantec SSL certificates, it also affects the Symantec subsidiary brands, too.<\/p>\n