• United States



by Staff Writer

Symantec to start revoking customer’s SSL certificates by October 1

Sep 13, 20132 mins
Application SecurityCertificationsData and Information Security

Vendor plans to revoke certs using anything other than 2048-bit keys by the end of the year

If customers don’t revoke weak SSL certs soon, Symantec will do it for them. Everyone else is advised to do so by December 31.

In a company blog post, vice president of Symantec Trust Services, Tom Powledge, said that in order to “help its customers” during the holiday season, Symantec will revoke SSL certificates that are using something other than 2048-bit keys.

The security giant is making this move as a preemptive measure against the pending December 31 deadline imposed by the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology (NIST) for Certificate Authorities to halt the issue of 1024-bit certificates.

The reason for the change is technical. Simply put, the CA/B and NIST realized that as computing power expands, the strength of certificates needs to grow too, else they can become vulnerable to compromise by determined attackers. In 2011, the CA/B updated their Baseline Requirements to address weak SSL certificates, in addition to other things such as length of time they’re valid.

In August, Google started switching all of their certificates to 2048-bits, following plans outlined in May, which include issuing a new root certificate as the previous one used a 1024-bit key. Google is the first of many companies following the CA/B guidance. Others planning to make the switch, if they haven’t already, include Mozilla, Apple, Microsoft and Opera.

According to their timeline, Symantec says that customers with SSL certificates less than 2048-bits that expire before December 31 will not have them revoked automatically on October 1. However, when they’re renewed, they must be at least 2048-bits. All other customers with SSL certificates less than 2048-bits that expire after December 31, will have the next 16 days to revoke and replace them, before Symantec revokes them.

“If you do not act before your certificate is revoked, it could lead to any number of less-than-ideal situations: browsers blocking visitors from your website, customers receiving security warnings before visiting, transactions left unprotected and susceptible to fraud, and Trust Seals disappearing from your website,” Symantec warned.

Symantec customers who wish to test their certificates to see if they’ll need upgraded, can do so here.