We’ve written several times about Google’s Chrome browser and Mozilla’s Firefox browser and how they will soon start to distrust all certificates issued by Symantec or that chain up to a Symantec root certificate. The date that browsers will begin to display security warnings is approaching fast, but there are still hundreds of thousands of websites with old security certificates soon to be distrusted.
From the 23rd of October 2018, the Firefox browser will distrust any TLS certificate issued by Symantec (or a partner company), regardless of when it was issued. Firefox 60 (the current release) already displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. Additionally, when Chrome 70 is released, Google will stop trusting all Symantec SSL/TLS certificates too.
PayPal’s Security Certificate will soon be untrusted
You might think this won’t impact you as eBay and Amazon have replaced their distrusted Symantec certificates; however, a staggering 800,000+ Symantec certificates still need to be replaced to avoid disruption to those websites. This includes none other than payments giant PayPal, who still have a Symantec certificate.
PayPal renewed their Symantec security certificate on the 22nd of September 2017, and it expires on the 30th of October 2019, so they urgently need to address the situation.
800,000 sites still at risk
Comodo Certificate Authority (CA), the largest TLS/SSL vendor and certificate authority with over 1 million TLS/SSL certificates issued worldwide, in May released findings from research conducted to determine the scope and potential consequences of the upcoming Google Chrome distrust of all former Symantec SSL certificates issued prior to December 1, 2017. At that time, they discovered more than one million certificates on the former Symantec roots that remain to be replaced in anticipation of Google’s announced October deadline. Additional testing conducted by the Comodo CA research team reveals that there are still over 800,000 certificates that need to be replaced to avoid disruption to their websites.
The sites with these certificates are feeling their first negative effects. Google has disclosed that the first users will see certificate errors as early as Friday the 20th of July (from its first Canary release of Chrome 70), with increasing numbers of users affected until the 16th of October, when all Chrome users will see these errors.
Browsers will display a “Not secure” message for sites which are distrusted, but worse than that, distrusted certificates will no longer enable encryption, leaving any shared information exposed.
If you haven’t verified that your security certificate will remain trusted, note that the list of Certificate Authorities at risk includes not only Symantec but also brands such as Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, whose security certificates chain up to a Symantec root certificate.
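One way to run that verification yourself, as an added example that is not part of the original post: run `openssl x509 -noout -subject -issuer -startdate -enddate` over each certificate in your chain (leaf first) and feed the combined text to the script below, which applies the brand list and the dates given above. The sample chain is constructed for illustration and the OpenSSL 1.1+ `key=value` text format is assumed.

```python
from datetime import datetime

# Brands the article lists as chaining up to Symantec-operated roots.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "equifax", "rapidssl")
# Firefox 60 already warns on Symantec-chained certificates issued before this date;
# everything else on a Symantec root is distrusted with Chrome 70 / Firefox (23 Oct 2018).
FIREFOX60_CUTOFF = datetime(2016, 6, 1)
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # e.g. "Sep 22 00:00:00 2017 GMT"

def parse_openssl_text(text):
    """Parse `openssl x509 -noout -subject -issuer -startdate -enddate` output for one
    or more certificates into dicts, in the order they appear (leaf first)."""
    certs, current = [], {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")      # split on the first '=' only; DNs contain more
        key, value = key.strip(), value.strip()
        if key == "subject" and current:          # a new certificate record starts here
            certs.append(current)
            current = {}
        if key in ("notBefore", "notAfter"):
            value = datetime.strptime(value, OPENSSL_DATE)
        current[key] = value
    if current:
        certs.append(current)
    return certs

def chains_to_symantec(chain):
    """True if any issuer DN in the chain names one of the Symantec-family brands."""
    issuers = " ".join(c["issuer"] for c in chain).lower()
    return any(brand in issuers for brand in SYMANTEC_BRANDS)

def distrust_status(chain):
    """Classify a chain (leaf first) against the distrust timeline described above."""
    if not chains_to_symantec(chain):
        return "UNAFFECTED"
    if chain[0]["notBefore"] < FIREFOX60_CUTOFF:
        return "DISTRUSTED_NOW"        # Firefox 60 already shows "untrusted connection"
    return "DISTRUSTED_CHROME70"       # errors from Chrome 70 / Firefox from 23 Oct 2018

# Constructed sample (not any real site's chain): a leaf issued in Sept 2017
# under a hypothetical Symantec intermediate that chains to a hypothetical VeriSign root.
SAMPLE_CHAIN = """\
subject=CN = www.example.com
issuer=C = US, O = Symantec Corporation, CN = Example Symantec Intermediate CA
notBefore=Sep 22 00:00:00 2017 GMT
notAfter=Oct 30 23:59:59 2019 GMT
subject=C = US, O = Symantec Corporation, CN = Example Symantec Intermediate CA
issuer=C = US, O = VeriSign, Inc., CN = Example VeriSign Root CA
notBefore=Oct 31 00:00:00 2013 GMT
notAfter=Oct 30 23:59:59 2023 GMT
"""

if __name__ == "__main__":
    print(distrust_status(parse_openssl_text(SAMPLE_CHAIN)))  # DISTRUSTED_CHROME70
```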
Sites which aren’t secure
If 800,000 sites with distrusted security certificates weren’t a big enough problem, it’s estimated that over half of all UK websites are not secured with HTTPS, and it’s not just the small SMEs you might think. There are a ton of major companies, charities, businesses and even half the government who haven’t got around to securing their websites. A case in point is my local council, West Berkshire, who still don’t have an HTTPS website.