After a series of incidents involving Symantec and its wrongfully issued certificates, Google eventually decided to distrust Symantec’s certificates in March. The company is now releasing a more detailed plan for how that process will go.
The plan was first discussed on the Blink (Chrome’s rendering engine) development mailing list with the community, and it started taking shape by the end of July of this year.
Why Symantec’s Certificates Will Be Distrusted
On January 19, following the earlier incidents between Symantec and Google, a public posting to the mozilla.dev.security.policy newsgroup drew attention to questionable website certificates issued by Symantec that did not comply with the CA/Browser Forum Baseline Requirements. Symantec’s Corporate Public Key Infrastructure (PKI) operates a series of certificate authorities under the brand names Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.
The follow-up investigation revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight. Google also claimed that Symantec had been aware of these organizations’ security deficiencies for some time but took little or no action to fix them.
This was one more in a series of incidents that led the Chrome engineers to lose trust in Symantec’s certificate infrastructure and in every certificate it could issue. After Google announced its plan to distrust Symantec’s certificates, Symantec decided to sell its certificate business to DigiCert, a competitor, which will also have to rebuild the Symantec infrastructure so that it can be trusted again.
Timeline For Banning Symantec Certificates
Starting with Chrome 66 (we’re now at version 61), the browser will remove trust in Symantec certificates issued prior to June 1, 2016. Website operators who use Symantec certificates issued before that date should plan to replace them by April 2018, when Chrome 66 is expected to come out.
Starting with Chrome 62 (the next version), the built-in DevTools will also warn operators about Symantec certificates that will be distrusted in Chrome 66.
After December 1, the new infrastructure managed by DigiCert will go into effect, and any new certificates issued by the old Symantec infrastructure will no longer be trusted by Chrome.
By November 2018, Chrome 70 will come out and will completely remove trust in all Symantec certificates that have ever been issued.
Website operators can replace their old Symantec certificates with certificates from DigiCert (starting December 1) or from any other CA trusted by Google’s Chrome browser.
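The timeline above gives operators two things to check for each certificate they deploy: whether it chains to one of the Symantec-branded CAs the article names, and whether its issue date falls before the June 1, 2016 cutoff. The following Go program is an added example (not from the article, Google, Symantec or DigiCert) that classifies a certificate against those two rules. It matches the issuer name against the brand names listed on the page as a quick inventory heuristic; Chrome itself keys the distrust on specific root certificates, so a match here is a prompt to investigate, not the browser’s exact logic. The `NewTestCert` helper builds constructed self-signed certificates (assumed test data, not real Symantec-issued certificates) so the check runs offline; `ClassifyPEM` is the entry point you would feed a real PEM file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Brand names the article lists for Symantec's Corporate PKI. Matching on the
// issuer name is an inventory heuristic only; Chrome keys its distrust on
// specific root certificates, not on name strings.
var symantecBrands = []string{"Symantec", "Thawte", "VeriSign", "Equifax", "GeoTrust", "RapidSSL"}

// Certificates issued before this date lose trust in Chrome 66 (April 2018).
var chrome66Cutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

type Status string

const (
	Unaffected       Status = "unaffected: issuer is not a Symantec-branded CA"
	DistrustChrome66 Status = "distrusted from Chrome 66 (April 2018): Symantec-issued before 2016-06-01"
	DistrustChrome70 Status = "distrusted from Chrome 70 (November 2018): all Symantec-issued certificates"
)

// issuedBySymantecBrand reports whether the issuer's Organization or CommonName
// contains one of the brand names (case-insensitive substring match).
func issuedBySymantecBrand(cert *x509.Certificate) bool {
	names := append([]string{cert.Issuer.CommonName}, cert.Issuer.Organization...)
	for _, n := range names {
		for _, brand := range symantecBrands {
			if strings.Contains(strings.ToLower(n), strings.ToLower(brand)) {
				return true
			}
		}
	}
	return false
}

// Classify applies the two rules from the timeline: issue date before the
// cutoff means Chrome 66 distrust, any other Symantec-branded issuer means
// Chrome 70 distrust.
func Classify(cert *x509.Certificate) Status {
	if !issuedBySymantecBrand(cert) {
		return Unaffected
	}
	if cert.NotBefore.Before(chrome66Cutoff) {
		return DistrustChrome66
	}
	return DistrustChrome70
}

// ClassifyPEM parses a PEM-encoded certificate (e.g. the leaf saved from a
// server) and classifies it.
func ClassifyPEM(pemBytes []byte) (Status, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return Classify(cert), nil
}

// NewTestCert builds a constructed self-signed certificate (assumed test data,
// not a real Symantec certificate) whose issuer Organization is issuerOrg and
// whose validity starts at notBefore, so the check can be exercised offline.
func NewTestCert(issuerOrg string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com", Organization: []string{issuerOrg}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"www.example.com"},
	}
	// Self-signed: template is its own parent, so Issuer == Subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		org  string
		from time.Time
	}{
		{"Symantec Corporation", time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC)},
		{"GeoTrust Inc.", time.Date(2017, time.February, 1, 0, 0, 0, 0, time.UTC)},
		{"Example Trust Services", time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC)},
	}
	for _, c := range cases {
		cert, err := NewTestCert(c.org, c.from)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s issued %s -> %s\n", c.org, cert.NotBefore.Format("2006-01-02"), Classify(cert))
	}
}
```

For a real inventory, feed `ClassifyPEM` the leaf certificate exported from each server and treat any Chrome 66 result as a replacement due before April 2018 and any Chrome 70 result as one due before November 2018, matching the dates in the timeline above.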