The Google Chrome 66 browser update is scheduled to be released to Chrome Beta users tomorrow, the 15th of March 2018 with full roll out to all Chrome users around the 17th of April 2018. If your website has Transport Layer Security (TLS) security certificates issued by Symantec then it may be untrusted after these dates.
TLS is the protocol which replaced Secure Sockets Layer (SSL), although everyone still tends to refer to SSL – it’s what puts the S into HTTP making it HTTPS in URLs – you should be able to see it at the beginning of every Tamebay URL alongside a green padlock.
The back story is that Google reckon Symantec were a bit naughty and allowed a few companies to issue their certificates that didn’t comply with industry standard guidelines. To wipe the slate clean, Google will simply stop trusting certificates issued before 1st of June 2016 along with those from various brands such as Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.
This is all part of the efforts by Google and other browsers to keep Internet users safe – which is why eBay have insisted that all third party content be hosted on secure servers in listing descriptions. Once you get the Chrome 66 update older certificates will be untrusted and this will be prominently flagged in the browser bar.
Even worse, starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error. The first Chrome 70 Beta release will be around the 13th of September 2018 with early releases from the 20th of July 2018.
Are the major UK marketplaces affected?
Naturally we checked and both eBay and Amazon, the two biggest marketplaces in the UK both have security certificates and not particularly surprising they are both issued by Symantec Corporation.
eBay’s security certificate was issued on the 24th of August 2017 and Amazon’s was issued on the 7th October 2017 so both these marketplaces will be unaffected this month, as will Gumtree who also have a Symantec certificate dated 13th September 2016. However, come July and definitely by September’s beta Chrome 70 release it looks like their certificates will need to be replaced.
NotOnTheHighStreet, OnBuy and Gameseek all have certificates from COMODO with Flubit‘s certificate issued by GlobalSign. Yumbles has a certificate issued by Amazon and Etsy‘s certificate is from DigiCert (NB DigiCert have acquired from Symantec Corporation the business of providing and supporting Symantec’s Website Security and PKI products and services so will issue certificates in the future).
Are your website security certificates still good?
It is worth you checking your server certificate, which you can easily do by visiting your own website and then clicking on the green padlock in your browser bar. You’ll only need to worry this month if your server certificate was issued earlier than the 1st June 2016 in which case speak to your website host. However if it was issued by one of the companies named above you’ll also want to get a new certificate before Chrome 70 is released.
There may not be many companies with older certificates, but Brita.com still have a GeoTrust Symantec certificate issued on the 9th of April 2015 so they urgently need to update… which they’ll be forced to soon anyway as it expires on the 11th of May this year.
3 Responses
We have GeoTrust QuickSSL Premium issued 24/04/2017 I take it this will be another waste of money. We are all Https green padlock
loosely related whinge:
remember when ebay made us change all our links to https?
thousands if not millions of combined man-hours wasted, listings blocked, stressful times for all.
well it’s all necessary for such a marketplace, isnt it?
i said no at the time and i’ll stand by that no.
a company like facebook has that problem tenfold, their users aren’t “professional” sellers, they can’t start docking money off facebook users for not following google’s link best practices. so what do they do? delete half of facebook? ban links? hide profiles?
or sort it all for you automatically and effortlessly, retain better security ranking than ebay, and generally come across as a company that cares about their user base.
“oh you appear to have typed an insecure https:// link….
let me just check if that site is on the list of https:// sites google holds.
oh it is, so i’ve changed your link to more secure https://
you don’t need to do anything. you’re welcome”
how hard would it have been for ebay to code that same solution? not hard at all.
but obviously 4 hours of ebay staff time is worth more than 400,000 hours of ebay seller’s time.
For those with Symantec/Geotrust/Thawte/RapidSSL certs, here’s a resource to help you: https://www.digicert.com/replace-your-symantec-ssl-tls-certificates/