Google to kill Symantec certs in Chrome 66, due in early 2018

This is how trust ends, not with a bang but with a whimper

By Richard Chirgwin


Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.

The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for and various permutations of escaped into the wild.

The absolute end-of-trust date is still some way off, in March 2018, but in this post, Google fills in many of the steps between now and then.

By the death-note date, all Symantec-issued TLS certificates older than June 1, 2016 must be replaced.

Chrome will distrust those certificates as of version 66, due around March or April 2018, but Google's going to start adding warnings from Chrome 62, which should land in October 2017.

As we reported in August, Symantec is handing its infrastructure over to DigiCert, and that's due to be operational by December 2017.

To comply with Google's July ultimatum, DigiCert will run both the PKI infrastructure and the Managed Partner Infrastructure to oversee certificate sales.

Google says from that point, any certificates issued by Symantec's old infrastructure will be listed for distrust in “a future Chrome update.”

Chrome 70 is another important milestone as it will kill off “any certificate chaining to Symantec roots, except for the small number issued by the independently operated and audited subordinate CAs previously disclosed to Google.”

That will impact site owners who need to get certificates from Symantec's old infrastructure between now and December 2017, Google explains, because they'll need to go through another round of certificate replacement before Chrome 70. ®
