Symantec cert holdout sites told: Those Google Chrome warnings are not a good look
Users will stop trusting you, warns researcher
Many high profile UK sites still use Symantec certificates just days before Google will begin the process of dropping support for them with the next and upcoming releases of its Chrome browser.
Symantec certificates issued prior to 1 June 2016 will stop working with the Chrome 66 (stable) release* on 17 April 2018. The Chrome 70 release, expected in the week of 23 October 2018 will spell the end of trust for all Symantec-issued certificates, as explained in a blog post by Google here.
Google plans to “reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web” last September after its Chrome team lost “confidence in the trustworthiness of Symantec’s infrastructure” following a series of alleged infractions against industry best practice.
These sanctions were imposed by the community rather than Google alone. The road to this particular perdition is explained in a long thread on Mozilla's Dev Security Policy mailing list here.
Who needs a fix?
Security researcher Scott Helme makes use of web crawlers to collect daily data on the top 1 million sites. He created a script to go through the certificates collected by his crawlers, before parsing them all to see who is still using a Symantec certificate that will soon be distrusted.
“There are 11 sites in the top 10,000 sites on the web that will break in M66, 502 in the top 1 million sites [unless they replace their certificate],” Helme reports. “M70 is further away [October] but there's still 4,971 sites that will break when that version is released.”
Helme’s latest figures are an update from a similar exercise he carried out in February, when he discovered that 8,000 sites that will stop working in April or October unless they replace their certificate. Within this group 1,321 will stop working in April, a figure that has since dropped to 502. “This list is not exhaustive, there's bound to be a few more that were missed.,” Helme told El Reg. “What I can say though is that the ones in the list are definitely affected.”
Sites whose digital certificates are slated for disavowal with the release of Chrome 66 next month include the RAC.
Left as things stand, surfers using Chrome 66 will see a big, red warning when they visit the RAC’s website. This is already happening for users of beta versions of Google’s Chrome 66 browser technology or users of Chrome Canary (which is always several versions ahead).
Surfers can just click past such warnings but this is undesirable.
In response to queries from El Reg, the RAC said it was aware of the issue and the offending digital certificate will be swapped out before Chrome 66 goes mainstream, on 19 April. “This is something our team is aware of and new certificates will be applied to our sites shortly, and ahead of the next Chrome coming out of beta,” a spokesman for the motoring organisation told El Reg.
Children’s charity the NSPCC is also affected by the same Symantec cert browser warning issue issue. El Reg also notified the NSPCC but we’ve yet to hear back from that quarter.
Several prominent UK organisations need to re-up their certificates before October. These include ScotRail and banks in the RBS Group (Natwest, Royal Bank of Scotland and Ulster Bank), retailer House of Fraser and broadband outfit Gamma Fibre Ethernet.
IT firm SonicWall also needs to swap out its digital certificate before an October deadline.
El Reg identified issues in the named sites on Tuesday 20 March after going through a list supplied to us by Helme in October. Other organisations that needed to swap out their certificate then have already done so since. Businesses that have crossed "changing our digital certificates" from their to-do list include the UK National Lottery and car-park firm NCP.
Reg readers can verify these findings by going to any of these sites and looking in the Developer Tools bundled with their Chrome browser. In the console there will be an error message confirming these sites will stop working in with the release of either M66 (Chrome 66 in April) or M70 (Chrome 70 in October).
Symantec sold off its entire CA business to DigiCert last August in preparation for exiting the market. Website operators have the option to transition to DigiCert or other providers. Those using a Symantec certificate will need to replace it soon or else risk they'll inadvertently erect digital barriers to prospective customers.
“My worry is that the wider community doesn't seem fully prepared for the distrust and the impact it will have,” Helme warned. ®
* Chrome Beta users get access on March 15, 2018