Massive disruption is coming to websites that use digital certificates issued by Symantec or the brands that it has owned - Verisign, Thawte, GeoTrust, and RapidSSL. One third or more of the net’s SSL certificates could be affected.
Effective this week, both the Chrome and Firefox browsers will no longer accept SSL certificates that Symantec issued before June 2016. Symantec certificates issued after that date will stop being accepted by either browser in September 2018.
These drastic measures have been in the making for about a year. In March 2017 Google announced that it had lost all confidence in certificates issued by Symantec.
What had gone wrong? In short, the way Symantec was issuing certificates. Its issuance practices could allow untrusted third parties to issue certificates on Symantec’s behalf - without oversight. The rules that Symantec ignored had been set by the industry standards group, the CA/Browser Forum (CA/B Forum), for certificates used to secure HTTPS connections.
Today, Google is scheduled to fully release the Chrome 66 browser. This version will warn users that sites using Symantec certificates issued before June 2016 have a connection which is not secure or private. Chrome will also display a button that will take them "Back to safety." The release of Chrome 70 in September will bring the same deprecation to all Symantec-issued certificates regardless of issue date.
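To inventory which of your own sites fall under the two cutoffs above, here is an added example (not code from the original post or from Google) that classifies a certificate in the dictionary layout Python's `ssl.getpeercert()` returns. It assumes matching the issuer organization against the brand names listed in the post is good enough for an inventory pass; Chrome's real policy keys on the legacy Symantec root keys, not on these strings.

```python
import ssl
import socket
from datetime import datetime, timezone

# Cutoff from the post: Chrome 66 distrusts Symantec-issued certificates dated
# before June 2016; Chrome 70 (September 2018) distrusts the rest.
PRE_JUNE_2016_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Brand names from the post. Matching issuer names is an assumption made for
# inventory purposes; Chrome keys its policy on the legacy root public keys.
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")


def _issuer_org(cert):
    """Pull organizationName out of the nested issuer tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return which Chrome release (if any) stops trusting this certificate."""
    org = _issuer_org(cert).lower()
    if not any(brand in org for brand in LEGACY_SYMANTEC_BRANDS):
        return "unaffected"
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < PRE_JUNE_2016_CUTOFF:
        return "distrusted in Chrome 66"
    return "distrusted in Chrome 70"


def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real ones) in getpeercert() layout.
SAMPLE_OLD = {"issuer": ((("organizationName", "Symantec Corporation"),),),
              "notBefore": "Mar  3 00:00:00 2016 GMT"}
SAMPLE_NEW = {"issuer": ((("organizationName", "GeoTrust Inc."),),),
              "notBefore": "Jan 10 00:00:00 2017 GMT"}
SAMPLE_OTHER = {"issuer": ((("organizationName", "Example CA"),),),
                "notBefore": "Jan 10 00:00:00 2017 GMT"}

if __name__ == "__main__":
    for name, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(name, classify(cert))
```

For a live check, pass `fetch_cert("your.host.example")` to `classify()`; `getpeercert()` only returns the certificate once the default context has validated the chain, so an already-rejected chain raises instead.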
Image: Santeri Viinamäki
Because of this distrust of its certificates, Symantec was forced to sell its Certificate Authority business to another company, DigiCert, which is now administering it. DigiCert is offering no-charge certificate replacements. However, the process will force a major validation that will apply to all re-issued certificates:
- First, recipients (for all types of replacements) must prove they have control over the domains that are specified on the certificate replacement request. That means the domain administrator, not the certificate administrator. This process is referred to as Domain Control Validation or DCV. The default DCV method is email validation. DigiCert will send an authorization email to the registered owners of the domains listed publicly on a WHOIS record.
- Second, for Organization Validation (OV) and Extended Validation (EV) certificates, there will be a telephone call placed to the verified phone number. The respondents will have to provide the legally-registered organization name exactly as it has been reported.
- Third, for OV and EV requests, there will have to be an online presence for the organization with a trusted third party like Dun & Bradstreet.
The revalidation process may cause delays for sites in obtaining their reissued certificates, especially if the process is put off until near the cutoff deadline. But it seems that this revalidation process was the price DigiCert had to pay to obtain trust for reissued Symantec certificates.
Certificates are supposed to make the internet more secure. They should help websites and browsers to communicate with some level of trust. But as pointed out in my earlier post about HTTPS on this blog, let’s keep in mind that certificates don’t automatically equal security.
Compromised certificates are still all too common and can provide a cloak for all sorts of phishing attacks and privacy violations. That Symantec allowed unknown or poorly known entities to generate certificates on its watch should serve as another reminder that the internet wasn’t built for security and data protection.
Certificates are just one of the many - imperfect and increasingly complex - ways to patch up the inherently vulnerable foundation of the web. More often than not, they fulfill their limited promise.
But then they don’t, and your organization’s IT should be prepared for it.
Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for IBM's SecurityIntelligence as well as Security Now.