All Symantec-issued digital certificates will be deprecated on Google Chrome by mid-October. Former Symantec customers must ensure their websites are compliant.

Earlier this year, I wrote about what security professionals need to do to prepare for the upcoming Google distrust deadline. I noted that DigiCert had taken several steps that led to a smooth process this spring for the first of two distrust dates. We now have another date approaching, when Google Chrome 70 will distrust all TLS certificates issued from the Symantec PKI. Given what I've learned from DigiCert, I feel confident that DigiCert is managing the Chrome 70 process smoothly this time around, too.

Plan to phase out Symantec certificates

For those unfamiliar with the details, in 2017 Google and Mozilla decided to deprecate all Symantec-issued digital certificates based on their assessment that Symantec had not correctly validated its SSL certificates before issuing them to customers. Google and Mozilla then put in place a multi-step plan to distrust any certificate issued from the Symantec PKI, phasing Symantec certificates out over the following year and a half. Instead of following the Google plan, Symantec elected to sell its certificate business to DigiCert. Despite the transaction, the requirement to replace all certificates issued from the Symantec PKI remained intact, requiring millions of certificates to be replaced during 2018. To assist customers in replacing their certificates, DigiCert contacted each certificate holder, offering free replacement certificates chained to the trusted DigiCert roots.

The first major distrust date was December 1, 2017, after which no additional TLS certificates could be issued through the Symantec PKI. Prior to that date, DigiCert cut over all issuance processes to its own PKI and validation systems.
The next major distrust date was March 15, 2018, when Chrome 66 beta distrusted all Symantec TLS certificates issued before June 1, 2016. The final major step in this distrust event is scheduled for Oct. 16, 2018, when Chrome 70 stable will distrust all TLS certificates issued from the Symantec PKI. (This date may change based on Google's release schedule.) Once Chrome 70 is released, any website still using a Symantec certificate will show an interstitial warning that the connection is not private.

HTTPS is now everywhere, making certificate compliance mandatory

Conventional wisdom used to be that only sites that deal with financial or other sensitive data required certificates, but times have changed. Today over 80 percent of web traffic is HTTPS, which includes many base pages. There has been a rapid drive toward HTTPS everywhere, and it won't be long before nearly every page is served securely. Google is ushering that along: Chrome now marks all HTTP web pages as "Not Secure" in the browser address bar. Even if a website is display only, the warning users see might scare them off and send them to a competitor, so it is something every security professional who manages websites should be concerned about.

Other platforms also crack down on Symantec certificates

It's important to note that although Chrome 70 is where the immediate issue is, other platforms will be doing the same thing with Symantec-issued certificates. Mozilla's date is around the same time as Chrome's, although its user base is much smaller. Apple has not issued a final date, although the first phase has been completed, so older certificates no longer work. Microsoft still has no announced date, although the company has excellent controls for the distrust issue, so there should not be much of an impact initially.

Comply with Chrome distrust now

My advice to security leaders is to take care of the issue now, ahead of the Chrome date. Google had the most aggressive date, so complying with Chrome distrust means the other dates down the road won't be of concern, because a compliant certificate will already be in place. I stated this before, but it's worth reiterating that this is something all businesses should comply with regardless of the purpose of the website.

Businesses that have a large number of websites might find this a burdensome process, because replacing certificates manually can be time-consuming, tedious, and error-prone due to the number of steps involved. DigiCert has put several automation tools in place to make the process of checking and upgrading easy. It isn't full automation, as a few manual steps are required, but the process of moving from a non-compliant Symantec certificate to a current one is significantly easier than before, so complexity is no longer a barrier. DigiCert has done a good job removing any obstacles to doing a free replacement with them. They've managed to simplify the process down to a couple of clicks in a customer web portal, similar to how an administrator would renew a certificate that is about to expire.

I checked in with DigiCert, the new owner of the Symantec CA business, on how the upgrade of the Symantec customer base has gone. To date, about 99 percent of the Alexa 1 million (which makes up the vast majority of web traffic) base domains have been replaced without issue. The majority of all impacted certificates are reissued or in process. The past dates have come and gone without issue, and I expect a similar outcome with the final step coming up in mid-October.
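To turn the distrust schedule above into a quick inventory check, here is an added example (not code from the original article or from DigiCert) that classifies a certificate, in the dictionary shape Python's `ssl` `getpeercert()` returns, by the Chrome milestone that distrusts it. The list of Symantec PKI brand names matched against the issuer organization is an assumption, and the sample certificates are constructed; the check looks only at the immediate issuer, so treat a hit as a prompt to verify the full chain in your CA portal rather than as the final word.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer brands that made up the Symantec PKI (assumed list; confirm
# against the CA's published root inventory for your environment).
SYMANTEC_PKI_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")
# Chrome 66 beta distrusted Symantec certificates issued before this date.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert):
    """Return 'chrome66', 'chrome70' or 'ok' for a getpeercert()-style dict."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in SYMANTEC_PKI_BRANDS):
        return "ok"
    # notBefore uses the 'Mon DD HH:MM:SS YYYY GMT' form ssl.cert_time_to_seconds parses.
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    timezone.utc)
    return "chrome66" if issued < CHROME66_CUTOFF else "chrome70"

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the certificate a live server presents (needs network; optional)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() shape, not real ones.
SAMPLES = {
    "legacy":   {"issuer": ((("organizationName", "Symantec Corporation"),),),
                 "notBefore": "Mar  3 00:00:00 2015 GMT"},
    "recent":   {"issuer": ((("organizationName", "GeoTrust Inc."),),),
                 "notBefore": "Jan 10 00:00:00 2018 GMT"},
    "replaced": {"issuer": ((("organizationName", "DigiCert Inc"),),),
                 "notBefore": "Aug  1 00:00:00 2018 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name}: {classify(cert)}")
```

Running the script against the constructed samples reports `legacy: chrome66`, `recent: chrome70` and `replaced: ok`; pass `fetch_peer_cert("your-host")` to `classify` to check a live site.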