Release of Chrome 66 beta on March 15, 2018 marks the start of the end of trust in the Symantec SSL root CA brands

Back in September 2017 the Chrome team at Google announced plans to distrust Symantec Certificates. The plan includes all Symantec SSL Certificates, as well as the umbrella brands of GeoTrust, Thawte and RapidSSL obtained when Symantec acquired the VeriSign security business back in 2010. Between all those brands, the Symantec SSL machine was (and still is) securing a large share of the world’s secure sites – the impact of the distrust was unprecedented in an industry that has otherwise managed to keep its head above water through many incidents.

Relations between Google and Symantec had been strained for some time. Over recent years Symantec had racked up a number of black marks against its validation and issuance processes by failing to adhere to the CA/Browser Forum Baseline Requirements (the de facto rule book for the Certificate-issuing world) and then failing to remediate the problems appropriately. In an industry selling trust, this was certainly not what one would expect from the incumbent. After much back and forth, both publicly and privately, Google finally announced its total loss of confidence in the Symantec infrastructure and operations, and the security giant’s fate was sealed: with the release of Chrome 70 in October 2018, Chrome will no longer trust any Certificate that chains to the legacy Symantec root CAs.

Fortunately for website owners relying on Symantec Certificates, the distrust plan was not an immediate removal of trust like the 2011 response to the disastrous DigiNotar breach. It was to be executed over time, with four major milestones that gave (in theory) plenty of time for the CA to warn its customers and help them replace or migrate Certificates accordingly.

Note: I’ve focused on the Chrome milestones due to its critical market share, but it’s worth noting that Mozilla are following an almost parallel distrust path with their Firefox browser. Chrome will start to distrust first, so as long as website owners live by the Chrome milestones, they’ll be just fine when it comes to Firefox.

Enter DigiCert

Shortly after the distrust plans were announced, Symantec, rather than fix its infrastructure and operational issues, understandably chose to sell its web security business. Enter DigiCert, a Utah based Certificate Authority that has grown a strong SSL business primarily from its reputation as a high assurance SSL provider with great customer support. DigiCert has an exemplary record in the industry, and has been leading the CA/B Forum and running its CA business by the rules for many years. Since the acquisition, the company has been busy migrating its newly acquired customers over to the DigiCert PKI/SSL infrastructure, which means reissuing every existing Symantec SSL Certificate from DigiCert’s own systems so that it chains to a DigiCert root CA already embedded in the browsers’ trust stores.

Replace your Symantec Certificates now – there is still time

All things considered, Symantec & DigiCert have done a decent job at communicating the milestones to customers. For sites with limited numbers of SSL Certificates, this is certainly an annoyance but the overhead of replacing the Certificates is manageable. For larger companies with multiple Certificates across multiple business units, arguably the largest component of Symantec’s enterprise focused business, this is a major headache. In recognition of the pain, DigiCert and Symantec have made available a simple SSL distrust check tool for website admins to check their domains and the distrust status of any installed SSL Certificates.

Screenshot: the Symantec/DigiCert distrust analysis tool. Maybe Symantec hasn’t replaced its own Certificate, just to show that the tool works??

If you haven’t yet replaced your Symantec, GeoTrust, Thawte or RapidSSL Certificates, and you’re having problems using the tool or ascertaining your company’s SSL situation, you should contact your provider immediately. In the rush to replace Certificates, especially if you purchased them through a reseller, you may be tempted by said reseller to use its online tools to make key generation appear easier. Don’t: the private key should be generated on your own systems and never leave them, because a key pair a third party generates for you is a key pair that third party holds. As we have astonishingly seen these last weeks, in the longer term such ill conceived shortcuts only undermine the basic security principles of web PKI, and you’ll end up reissuing again (or worse, theoretically being impersonated by whoever ends up with a copy of your key).

Although most visitors won’t be affected until Chrome 66 reaches the stable channel on April 17, 2018 (that release removes trust in legacy Symantec Certificates issued before June 1, 2016; Chrome 70 in October 2018 removes it for the rest), that is really not so far away, especially if your infrastructure relies on multiple Certificates across multiple applications. So better to act now rather than react when your website starts presenting security warnings.

The added complexity of using third party software and services on your website

Modern websites are built by pulling in many different third party sources – analytics, feedback, live help etc. This adds another layer of complexity because you don’t control the Certificates held by the service providers you’ve built into your website. Firstly you need to check that each provider is loaded over SSL; this means looking at the HTML code on your page and verifying that the connection is made over https (a quick control-f for “http://” is the easiest way, and it also catches URLs assembled inside inline scripts). Bear in mind that a protocol-relative URL (“//provider.example/…”) inherits the scheme of the page it is embedded in, so it is only as safe as the page itself. Secondly, you should check with each service provider to make sure it is not at risk of its Certificate being distrusted over the next few days. Any service provider worth their salt should be on top of this… but then, you know how real life is.

The example below shows the Google Tag Manager page snippet loading its script over SSL. This is usually a very good thing, unless the SSL Certificate on googletagmanager.com is about to be distrusted (which, for the record, it is not).

<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<!-- End Google Tag Manager -->
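The two checks described above (find every third party host a page references and whether it is loaded over https, then work out whether a host’s Certificate falls under the Chrome 66 or Chrome 70 milestone) are easy to script. The Python below is an added illustration written for this article, not the Symantec/DigiCert tool or any DigiCert code. It classifies Certificates in the dictionary form returned by Python’s standard `ssl.SSLSocket.getpeercert()`, using the issuer organisation name as a heuristic for the legacy Symantec PKI (Chrome’s real distrust keys on root Certificate hashes, not names). The sample HTML and Certificate dictionaries at the bottom are constructed for the example; only the `fetch_cert` helper touches the network.

```python
"""Third-party host scan plus Chrome Symantec-distrust classification.
Added example for this article; not the DigiCert/Symantec distrust tool."""
import re
import socket
import ssl
from datetime import datetime, timezone

# Chrome 66 (stable April 17, 2018) distrusts legacy Symantec Certificates
# issued before June 1, 2016; Chrome 70 (October 2018) distrusts the rest.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Organisation names seen in the issuer of Certificates from the legacy
# Symantec PKI. Heuristic only: Chrome keys on root hashes, not names.
LEGACY_SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

_URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)")


def external_hosts(html):
    """The scripted control-f: map each host referenced by an http:// or
    https:// URL in the raw page text to its scheme. Raw text is used on
    purpose so URLs built inside inline scripts (like the GTM snippet) are
    seen too. A host referenced over plain http:// anywhere is reported as
    'http' even if it also appears over https."""
    hosts = {}
    for scheme, host in _URL_RE.findall(html):
        host = host.lower()
        if scheme == "http" or host not in hosts:
            hosts[host] = scheme
    return hosts


def issuer_org(cert):
    """Issuer organizationName from a Certificate in getpeercert() form."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def not_before(cert):
    # getpeercert() dates look like 'Jun  1 00:00:00 2016 GMT'
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def distrust_status(cert):
    """'ok', 'chrome66' or 'chrome70' for a leaf Certificate dict."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in LEGACY_SYMANTEC_ORGS):
        return "ok"          # e.g. already reissued from the DigiCert PKI
    return "chrome66" if not_before(cert) < CHROME_66_CUTOFF else "chrome70"


def fetch_cert(host, port=443, timeout=5):
    """Leaf Certificate a live server presents (network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs: not real page code and not real Certificates.
SAMPLE_HTML = """<script src="http://cdn.analytics.invalid/t.js"></script>
<script>j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;</script>"""

SAMPLE_CERTS = {
    "old.example": {          # legacy PKI, issued before June 1, 2016
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),)),
        "notBefore": "Mar  3 00:00:00 2015 GMT",
        "notAfter": "Mar  2 23:59:59 2018 GMT"},
    "newer.example": {        # legacy PKI, issued after the cutoff
        "issuer": ((("organizationName", "GeoTrust Inc."),),),
        "notBefore": "Aug 10 00:00:00 2017 GMT",
        "notAfter": "Aug 10 23:59:59 2019 GMT"},
    "migrated.example": {     # already reissued from DigiCert's PKI
        "issuer": ((("organizationName", "DigiCert Inc"),),),
        "notBefore": "Feb 20 00:00:00 2018 GMT",
        "notAfter": "Feb 20 12:00:00 2020 GMT"},
}

if __name__ == "__main__":
    for host, scheme in external_hosts(SAMPLE_HTML).items():
        flag = "  <- plain http, fix this first" if scheme == "http" else ""
        print(f"{scheme}://{host}{flag}")
    for host, cert in SAMPLE_CERTS.items():
        print(f"{host}: issuer={issuer_org(cert)!r} status={distrust_status(cert)}")
```

For a real audit, feed `external_hosts` the HTML of each of your pages, then pass every https host through `fetch_cert` and `distrust_status`; a `chrome66` result means warnings from April 17, 2018, and `chrome70` means warnings from October 2018 unless the provider reissues first.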

An emotional goodbye to the GeoTrust root CAs

On a final and somewhat personal note, it’s somewhat sad to see the distrust of the GeoTrust and RapidSSL brands come into actual effect.  I co-founded GeoTrust Europe back in 2003, and GeoTrust’s executive and operations team were some of the smartest people in the industry.  Of course, they have all long moved on since being acquired by VeriSign and then by Symantec, but nevertheless it’s a shame to see the unfortunate fate of this once innovative CA.  I do wonder if the brand will get a new lease of life under DigiCert command.