Google has revealed formal plans to distrust Symantec security certificates from the release of Chrome 66 in 2018.
On Monday, the tech giant’s finalized plans were posted on the official Google Security blog, which states that starting with Chrome 66, no Symantec-issued security certificate issued prior to 1 June 2016 will be accepted as valid and trustworthy.
By 1 December this year, Symantec will switch the issuance of certificates to DigiCert infrastructure, and so anything issued based on the old infrastructure after the same date will also not be trusted by Chrome.
The latest version of the Chrome web browser is 61.0.3163, but version 66 is scheduled for release to Chrome Beta users on 15 March 2018 and to standard Chrome users around 17 April 2018.
Google first made its intentions known in July, but webmasters have now been given a formal warning of the changes afoot.
The original announcement led to a serious debate on the blink-dev forum, and according to Google, granted time to Symantec to “modernize and redesign its infrastructure to adhere to industry standards.”
In 2015, a Symantec root certificate was discovered that did not comply with modern security standards, leading to Google revoking trust for the certificate. In January this year, the security firm issued test and example certificates by accident through a partner, leading to an inquiry.
Certificate Authorities (CAs) and the security certificates they issue are meant to guarantee a basic level of security, but if a CA itself cannot be trusted, the certificates it issues can place the end user at risk when connecting to a web domain.
The refined timeline, therefore, is useful for site operators. Webmasters using a certificate issued by a Symantec CA prior to 1 June 2016 will need to replace their existing certificate before the deadline.
Around the week of 23 October 2018, Chrome 70 is due for release, which will “fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued,” according to Google.
“This will affect any certificate chaining to Symantec roots, except for the small number issued by the independently-operated and audited subordinate CAs previously disclosed to Google,” the company says.
It is still possible for webmasters to gain certificates from Symantec’s existing CA infrastructure, but they will need to be replaced prior to Chrome 70 — and they will have validity restricted to 13 months.
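The timeline above maps onto a simple triage rule a site operator could run over their own certificates. The following is an added example, not code from Google, Symantec or this article: it takes a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, applies the 1 June 2016 and 1 December 2017 cut-offs from the article, and reports which Chrome release stops trusting it and by when it must be replaced. Matching "Symantec" in the issuer organisation name is an assumption standing in for "chains to a Symantec root" (Chrome's real check is against a root set this example does not embed), and the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Milestones from the article (release dates are approximate weeks).
PRE_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)      # issued before this: distrusted in Chrome 66
INFRA_SWITCH = datetime(2017, 12, 1, tzinfo=timezone.utc)   # old-infrastructure certs after this: Chrome 66
CHROME_66_STABLE = datetime(2018, 4, 17, tzinfo=timezone.utc)
CHROME_70_STABLE = datetime(2018, 10, 23, tzinfo=timezone.utc)


def _cert_time(s):
    """Convert the ssl module's 'Jun  1 00:00:00 2016 GMT' format to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def _rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() issuer/subject tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def chrome_distrust(cert):
    """Return (reason, distrust_date); distrust_date is None when the timeline does not apply."""
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    # Assumption: a Symantec-named issuer stands in for "chains to a Symantec root".
    if "symantec" not in issuer_org.lower():
        return ("does not chain to a Symantec root", None)
    not_before = _cert_time(cert["notBefore"])
    if not_before < PRE_CUTOFF:
        return ("issued before 1 June 2016", CHROME_66_STABLE)
    if not_before >= INFRA_SWITCH:
        # Assumption: a Symantec-named issuer after the switch means the old infrastructure.
        return ("issued on old infrastructure after 1 December 2017", CHROME_66_STABLE)
    return ("chains to a Symantec root", CHROME_70_STABLE)


def replace_by(cert):
    """Replacement deadline: the earlier of the certificate's own expiry and its distrust date."""
    _, distrust = chrome_distrust(cert)
    not_after = _cert_time(cert["notAfter"])
    return min(not_after, distrust) if distrust else not_after


# Constructed sample certificates in getpeercert() dict form (not real certificates).
SAMPLE_CERTS = {
    "old": {"issuer": ((("organizationName", "Symantec Corporation"),),),
            "notBefore": "Mar 17 00:00:00 2016 GMT", "notAfter": "Mar 17 23:59:59 2019 GMT"},
    "mid": {"issuer": ((("organizationName", "Symantec Corporation"),),),
            "notBefore": "Jul  1 00:00:00 2017 GMT", "notAfter": "Jul  1 23:59:59 2018 GMT"},
    "other": {"issuer": ((("organizationName", "DigiCert Inc"),),),
              "notBefore": "Jan  5 00:00:00 2018 GMT", "notAfter": "Jan  5 23:59:59 2020 GMT"},
}
```

Running `chrome_distrust` and `replace_by` over `SAMPLE_CERTS` shows that the "old" certificate must go before Chrome 66 ships, the "mid" one expires before Chrome 70 would have removed it anyway, and the DigiCert-issued one is out of scope.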
Google has provided a detailed timeline of the changes, which can be viewed here.
Now that DigiCert has taken over Symantec’s CA business, we can hope that new certificates will all meet modern security standards and these kinds of failures will not occur in the future.
In July, Symantec acquired mobile security firm Skycure, an Israeli company which provides a predictive threat detection platform for mobile devices.