So far, so good for Symantec customers affected by Google distrust issue

In 2017, Google made the decision to deprecate all Symantec digital certificates based on its view that Symantec did not correctly validate its SSL certificates before being issued to customers.

The result? Google chose to put a plan in place to distrust any certificates issued by Symantec and any of the certificate authorities (CAs) under Symantec ownership, including Verisign, Equifax, GeoTrust, Thawte, and RapidSSL. Google wasn’t so draconian that it chose to immediately distrust any and all Symantec certificates. Instead, it put in a plan to phase them out over time, giving customers a chance to find a solution. 

Symantec sells its CA business to DigiCert

At the time of the decision, Symantec was the largest CA. It decided to sell that part of its business to DigiCert, a leading CA highly regarded for its security practices and customer care. The deal completion was announced Oct. 31, 2017. DigiCert’s focus on the certificate issuance and management process have made it a favorite among technologists. DigiCert elevated its status with the deal from the second-most used CA for businesses to the global leader.

The deal completion gave DigiCert just one month to tie in Symantec customers to DigiCert’s validation and issuance systems. This was required to comply with the first date in the process: Dec. 1, 2017, when all new Symantec and sub-brand certificates needed to be issued from trusted DigiCert roots. Working diligently, DigiCert’s teams met this first requirement.

The Google distrust transition has begun

The next significant date in the process was March 15, 2018, when the Chrome 66 beta distrusted all Symantec certificates issued prior to June 1, 2016. This obviously created a certificate renewal event that may not have been there in the past, but DigiCert put a lot of effort into helping customers comply with this date, and the large majority took advantage.

April 17 marks the Chrome 66 stable distrust when most web users will notice warnings for any site yet to take action. Having helped customers with Chrome 66, DigiCert is already advising Symantec brand certificate holders to get free replacements ahead of Chrome 70 distrust, which starts with Chrome 70 canary in July of this year and ends with the stable version release in October.

DigiCert CEO discusses the transition

Recently, DigiCert held its annual user event, and I had an opportunity to sit down with its CEO, John Merrill, to find out how the transition has been going both from the perspective of his company and his customers. 

Zeus: Where are you and your customers and partners with the Google distrust issues?

DigiCert

John Merrill: It was tough at first because of the demand being exponentially larger than anticipated, but we’ve made a lot of progress since that time. Most customers and partners have taken action to address the Chrome 66 distrust, and we are looking toward the next phase with Chrome 70. We’ve made significant efforts to reach customers, sending about 700,000 emails, calling customers directly, hosting webinars, providing instructions on how to get free, trusted replacement certificates, and providing tools that simplify the process. We believe most customers will be fine, but we are especially focused on the long tail of companies that require extra attention.

This seems like a massive change to your business. How have your systems performed?

John Merrill: At DigiCert, we have always prided ourselves on having the industry’s best service, and events like the Chrome 66 distrust and the one coming up with Chrome 70 are really unique — unlike what our industry has seen before. Couple this with the fact that we had about a month to get ready to switch validation and issuance to our systems by Dec. 1, and it admittedly did put a strain on our systems and processes. Our customers and partners felt the impact, but we believe the initial wave is now behind us and we are seeing much better processing times for certificate issuance. We have done a number of upgrades to our systems, as well, and are prepared for the second phase of distrust with Chrome 70.

I understand you’ve made the upgrade process easier for DigiCert and former Symantec customers?

John Merrill: Yes, that’s one of the upgrades we have made to our system. Years ago, the process of renewing certificates was filled with manual steps. There was no easy way of tracking expiration dates, and once you did renew, it took several steps to update affected web server(s).

Today, we have a portal that lets administrators check the status of a certificate. And if it needs to be renewed, it’s as simple as clicking a link and reinstalling. For customers that have dozens, hundreds or even thousands of web servers, the automated process saves a significant amount of time and cuts down on human errors.

We’ve also put in place bulk ordering tools that allow customers with a large amount of Symantec-issued certificates to request replacement certificates one time, rather than manually requesting a replacement for each one. Eventually, I envision the certificate provisioning process will be completely automated with no human interaction at all, except for the identity verification processes.

Given the final Chrome 70 date is in September, is renewing now something customers really need to worry about?

John Merrill: Our advice is absolutely to do it now. The dates are coming, with Chrome 70 canary and then the beta release planned for September. We all know that, so why delay? A worst-case scenario would be to have a problem with a last-minute upgrade process and wind up with a certificate that is not trusted by the browsers. Your website will still work, but people visiting it will be greeted with a message from Google warning that it’s not secure. Some sites contain information that companies may think doesn’t need to be secured, so one might think it’s no big deal if it’s non-trusted, but warnings like that do scare people off.

Everyone that is impacted by the Google distrust issue should reissue their certificates as soon as possible and put it behind them. We offer replacement certificates for free to last through the current validity period. We are ready to help customers.

Thanks, John. Any final words?

John Merrill: Yes, I just want to thank all of our customers and partners for their patience and willingness to work with us through this process. It’s certainly a big change for everyone, but we believe we have the right systems, processes, and tools to make keeping trust in Chrome easy. As we help customers transition beyond browser distrust and onto our trusted systems, we are excited about our future. We have the right collection of talent and resources, along with a sharp focus, to move SSL, PKI and related IoT security offerings forward in a positive direction. We look forward to leading the market toward a better way of doing business.