12 September 2017

Google to remove trust in SSL certificates from Symantec, GeoTrust, Thawte and RapidSSL. What should website owners do now?

ISPSystem

At the end of July 2017, Google announced its plans to gradually block all SSL certificates of the Symantec group. This step is unprecedented: Symantec ranks third in the number of SSL certificates around the globe. Our customers often purchase the ISPmanager control panel in combination with Symantec certificates. Over the last month we have constantly faced questions about how Google's decision would impact websites. We have got to the bottom of the situation and are now ready to share our recommendations.

Background

Google accused Symantec of violating security standards in March 2017. By that time, the SSL department of Symantec had issued 108 improper EV certificates; Symantec team members had also been generating SSL certificates for domains without the permission of their owners. Google threatened to block all certificates of this certification authority and was backed by Firefox.

Although Symantec had promised to fix all violations, at the end of July Google announced its plan to withdraw trust in Symantec certificates. On August 2, Symantec announced the sale of its SSL business to DigiCert. Many website owners are asking what will happen to their websites if they have Symantec certificates installed. In this article we bring Google's plans into focus and give our advice on what you should do, and when, if you have a Symantec certificate.

Who can be affected?

The changes will affect websites that use or plan to use certificates issued by the Symantec group. This group includes the following brands:

  • Symantec

  • GeoTrust

  • Thawte

  • RapidSSL

We recommend reading this article if you have one of the certificates mentioned above.

Please note! Do not panic now. The changes will not come into force earlier than 2018, so you have enough time to get ready.

What does it have to do with Google?

Google believes that its mission is to make the Internet more secure, especially for users who shop online and leave their personal data. It also considers it important to protect kids against abuse, cruelty, and undesired information. This is why Google teaches people how to work securely on the web, develops tools for enhanced security of its services, and makes them available to other companies. Google uses HTTPS encrypted connections and urges others to do the same. To this end, it included HTTPS in the list of parameters that affect website ranking in Google search. Google spends millions of dollars annually on grants and bonuses for independent experts who help find and eliminate errors and vulnerabilities in various Google services. As you can see, Google really cares about security on the Internet.

Why did Google lose trust in Symantec?

Symantec is one of the leading certificate authorities, issuing around 14% of all certificates. Despite these numbers, the company was not able to guarantee compliance with SSL issuance standards.

For example, in 2015 Symantec issued certificates for domains without the permission of their owners. At that time, abusers succeeded in getting certificates for Google domains, such as google.com, gmail.com, and gstatic.com. In January 2017 the authority issued 108 improper EV certificates. Such certificates normally have the strongest security requirements. Violation of these rules by Symantec could have allowed abusers to get access to these SSL certificates. Also, in March 2017 it was found that four third-party companies had the ability to issue certificates on behalf of Symantec, without proper control from the authority.

All these violations resulted in a loss of trust from Google and Mozilla Firefox. It means that users visiting websites with Symantec certificates would see alerts about an insecure connection.

What do Google, Symantec and DigiCert plan to do now?

Symantec (or DigiCert after December 1) and Google agreed on an action plan that gives website owners enough time to renew or replace their SSL certificates. The plan of changes is the following:

October 24, 2017. The Chrome 62 stable version is out. It will show notifications for certificates that will become untrustworthy in Chrome 66. This way you can find out whether these changes would affect your certificate. Open your website in Google Chrome and go to More tools - Developer tools. If there are any issues, you will see the notification.

December 1, 2017. DigiCert will start issuing Symantec certificates on the new infrastructure. The loss of trust in Symantec does not affect SSL certificates issued after December 1, 2017.

March 15, 2018. The Chrome 66 beta version comes out. It will revoke trust in all Symantec, GeoTrust, Thawte and RapidSSL certificates issued before June 1, 2016. It means that starting from the Chrome 66 beta version users will see a notification saying that your website is insecure.

September 13, 2018. The Chrome 70 beta version comes out. All certificates issued before December 1, 2017 will become untrustworthy.

What should Symantec certificate owners do?

If your certificate can become untrustworthy, you need to reissue it. We recommend doing it according to the plan. This way you will avoid problems with website visitors and save a lot of time and effort.

If your SSL certificate was issued BEFORE June 1, 2016 and it expires AFTER March 14, 2018.

You need to reissue your certificate before March 15, 2018. This is when Google Chrome 66 beta comes out and its users will be able to see that your website is not secure. We recommend reissuing such certificates after December 1, 2017, or even better, in January 2018. In this case, the certificates will be reissued by DigiCert on the new infrastructure, so they will have no problems. Please note! If you reissue your certificate before December 1, you will have to reissue it again later, but before September 13, 2018, when all certificates issued before December 1, 2017 will become untrustworthy.

If your SSL certificate was issued between June 1, 2016 and December 1, 2017, and it expires AFTER September 13, 2017.

You need to reissue your certificate before September 13, 2018. This is when Google Chrome 70 beta comes out and its users will be able to see that your website is not secure. We recommend reissuing such certificates after December 1, 2017. If possible, do it in July 2018. In this case, the certificates will be reissued by DigiCert on the new infrastructure, so they will have no problems.

If your certificate expires BEFORE December 1, 2017.

If you need a certificate for the next period, you can extend the Symantec, GeoTrust, Thawte or RapidSSL certificate up to December 1, 2017. Please note that in this case you will have to reissue it before September 13, 2018. You can also purchase a certificate of any other brand.

If you buy a new certificate AFTER December 1, 2017.

According to DigiCert, such certificates will not have to be reissued. However, we recommend that you follow the news on this topic in case the launch of the new infrastructure is postponed. We will keep all SSL certificate owners posted on all changes.
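The cases above can be checked mechanically against a certificate's issue and expiry dates. The following sketch is an added example, not ISPSystem's or Google's code: it applies the Chrome 66 and Chrome 70 dates from the plan to a certificate dictionary, and it assumes (as a heuristic) that a Symantec-group certificate can be recognised by the brand name in its issuer fields; the function and constant names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
UTC = timezone.utc
# Dates from the plan in this article (midnight UTC is an assumption).
OLD_ISSUE_CUTOFF = datetime(2016, 6, 1, tzinfo=UTC)   # older: hit by Chrome 66
NEW_INFRA_START = datetime(2017, 12, 1, tzinfo=UTC)   # newer: not affected
CHROME_66_BETA = datetime(2018, 3, 15, tzinfo=UTC)
CHROME_70_BETA = datetime(2018, 9, 13, tzinfo=UTC)

def _when(text):
    # Parses the "Jun  1 00:00:00 2016 GMT" form used in getpeercert() dicts.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=UTC)

def _issuer_names(cert):
    # "issuer" is a tuple of RDNs, each a tuple of (field, value) pairs.
    return [value.lower() for rdn in cert.get("issuer", ())
            for field, value in rdn
            if field in ("organizationName", "commonName")]

def reissue_deadline(cert):
    """Return (deadline or None, reason) for one certificate dict."""
    # Heuristic (assumption): the brand name appears in the issuer fields.
    if not any(b in name for name in _issuer_names(cert) for b in BRANDS):
        return None, "issuer is not a Symantec-group brand"
    issued, expires = _when(cert["notBefore"]), _when(cert["notAfter"])
    if issued >= NEW_INFRA_START:
        return None, "issued on the new DigiCert infrastructure"
    if issued < OLD_ISSUE_CUTOFF and expires >= CHROME_66_BETA:
        return CHROME_66_BETA, "untrusted from Chrome 66 beta"
    if expires >= CHROME_70_BETA:
        return CHROME_70_BETA, "untrusted from Chrome 70 beta"
    return None, "expires before the Chrome deadline that applies to it"

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Mar 10 00:00:00 2016 GMT",
    "notAfter": "Mar 10 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    deadline, reason = reissue_deadline(SAMPLE)
    print(deadline.date() if deadline else "no reissue needed", "-", reason)
```

The same function accepts the dictionary that `ssl.SSLSocket.getpeercert()` returns for a live connection, so it can be run over an inventory of your own hosts.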

 

How will certificates be reissued?

Certificate reissue is free of charge. Simply go to your account area at eu.ispsystem.com, choose the desired certificate, and click on Reissue. Fill in all the fields and confirm. The rest of the process is identical to the purchasing process: you confirm your domain rights and go through the checks of the certification center (these depend on the certificate type). Please note that the certificate end date will not change after the reissue, which is done only for the remaining period.

We hope that this article has helped you work out your further plan. If you have any questions, please let us know in your account area or in the online chat. We will also send you an email with information about further actions with your certificate.
