Beware the looming Google Chrome HTTPS certificate apocalypse!

Well, melee. Dust-up? Minor inconvenience? But it's coming!!

By Kieren McCarthy in San Francisco

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.

Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.

This will also affect certs that use Symantec as their root of trust even if they were issued by an intermediate organization. For example, certificates handed out by Thawte, GeoTrust, and RapidSSL that rely on Symantec will be hit by Google's crackdown. If in doubt, check your cert's root certificate authority to see if it's Symantec or not.

The change will come in build 66 of Chrome – due for public release on April 17 – and the problem will get even bigger on October 23 when build 70 is released and all Symantec certificates will be listed as not being trustworthy.

Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it's safe to say that it will become a very big headache very quickly for those sites that haven't obtained new HTTPS certs from other authorities.

The question is: how big a headache? Early beta testers of the Chrome build have been warning that they keep coming across websites with untrusted certificates and seeing the danger message. Fortunately, one person has gone to the trouble of running a script to figure out quite how ugly it's going to get.

Security engineer Arkadiy Tetelman, who works at Airbnb according to his blog, decided to run a test in which he grabbed the certificate information from the one million biggest websites on the internet, in terms of traffic as rated by Alexa, and tested to see if they would break.

The script took 11 hours to run and turned up some very interesting results: of the one million websites, just 11,510 are going to go TITSUP in April, with 91,627 on the chopping block in October.
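The article recommends checking whether your certificate chains to a Symantec root, and describes Mr Tetelman's bulk test of the Alexa million. The script below is an added example written for this page, not Mr Tetelman's script or Google's distrust logic. It takes the two facts the article gives (the brands that chain to Symantec roots, and the June 1, 2016 to December 1, 2017 issuance window that Chrome 66 still tolerates) and classifies a certificate as breaking in April (Chrome 66), in October (Chrome 70), or not at all. The `fetch_leaf` helper uses only the Python standard library, which exposes the leaf certificate's issuer rather than the full chain; the issuer organisation of a Symantec-family intermediate normally names the brand, but treating that as sufficient is an assumption, and for a definitive answer inspect the full chain with `openssl s_client -showcerts`. Treating December 1, 2017 itself as inside the tolerated window is also an assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands the article says rely on Symantec roots (lower-cased substrings
# matched against issuer names). VeriSign is included because Symantec's
# root programme was the former VeriSign one; that inclusion is an assumption.
SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

# Issuance window Chrome 66 still accepts, per the article: certs issued
# before June 1, 2016 or after December 1, 2017 are distrusted in April;
# everything Symantec-rooted is distrusted in October with Chrome 70.
CHROME66_WINDOW_START = datetime(2016, 6, 1, tzinfo=timezone.utc)
CHROME66_WINDOW_END = datetime(2017, 12, 1, tzinfo=timezone.utc)


def chains_to_symantec(issuer_names):
    """True if any issuer name in the chain matches a Symantec-family brand."""
    return any(
        brand in name.lower() for name in issuer_names for brand in SYMANTEC_BRANDS
    )


def assess(issuer_names, not_before):
    """Classify a cert as 'ok', 'chrome66' (breaks in April) or 'chrome70' (October).

    not_before must be a timezone-aware datetime (the cert's notBefore).
    """
    if not chains_to_symantec(issuer_names):
        return "ok"
    if CHROME66_WINDOW_START <= not_before <= CHROME66_WINDOW_END:
        return "chrome70"  # tolerated by Chrome 66, distrusted by Chrome 70
    return "chrome66"


def fetch_leaf(hostname, port=443, timeout=5.0):
    """Fetch a live host's leaf certificate; return (issuer_names, not_before).

    Only the leaf is available via getpeercert(), so the issuer names are those
    of the intermediate that signed it, not the root. Verification stays on
    because getpeercert() returns an empty dict when it is disabled.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    names = [issuer.get("organizationName", ""), issuer.get("commonName", "")]
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return names, not_before


def check_hosts(hostnames):
    """Run assess() over a list of hosts, recording 'error' for unreachable ones."""
    results = {}
    for host in hostnames:
        try:
            results[host] = assess(*fetch_leaf(host))
        except (OSError, ssl.SSLError, KeyError):
            results[host] = "error"
    return results


if __name__ == "__main__":
    # Constructed sample input: a hostname and a Symantec-style issuer with a
    # 2017 notBefore, i.e. the shape fetch_leaf() returns, evaluated offline.
    sample = (["Symantec Corporation", "Symantec Class 3 Secure Server CA - G4"],
              datetime(2017, 3, 15, tzinfo=timezone.utc))
    print("constructed sample:", assess(*sample))
    # For a live check, pass real hostnames: print(check_hosts(["example.com"]))
```

A sysadmin with a list of hostnames would call `check_hosts()` and search the output for anything other than `ok`; an `error` result means the TLS handshake itself failed against the local trust store, which also merits a look.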

When businesses collide

It's still a large number and there are some big names there – car company Tesla.com, water filter company Brita.com, Australia's energy regulator at aer.gov.au, and, well, 11,507 others. It's not Y2K – these outfits can buy certs from other authorities or get free ones – but it's safe to say that there are going to be a lot of unhappy people come April if action isn't taken. And then even more unhappy people a few months later.

Fortunately, Mr Tetelman has uploaded a plain text list, so if you are a sysadmin or webmaster, we would strongly recommend doing a search to make sure you're not on it. Or, of course, be even smarter and move all your sites away from Symantec certificates.

None of this addresses the slightly troubling fact that Google has basically put an entire company's certificate-issuing operation out of business by declaring that it would no longer accept Symantec certificates. That's a scary amount of power to have.

But on the other hand, it wouldn't be doing it if Symantec hadn't repeatedly screwed up and undermined trust in its own product by wrongly issuing SSL/TLS certs, including, unfortunately, the one for google.com. Not a smart move.

If you are an organization that exists purely to ensure that people can trust you, then you should expect some fallout if it turns out you can't be trusted. Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

Symantec claimed only 127 certificates were wrongly issued, not the 30,000 previously claimed. But here we are. A few months after its blog post and with Google refusing to budge, Symantec threw in the towel and sold off its certificate business to DigiCert.

Don't say you haven't been warned.

By the way, if it's the morning of Tuesday, April 17, and you are frantically skimming this article in between furious email alerts about your site being down, and your phone keeps ringing, focus here: IT'S YOUR HTTPS CERTIFICATE! YOU NEED TO CHANGE IT. RIGHT NOW. ®

PS: Mozilla's Firefox will also distrust Symantec-issued certs from version 60 onwards, due out in May this year.
