Google continues to use the sizeable market share of its Chrome browser to effect change in the realm of website security. Recently, we wrote about Google’s plans to have Chrome begin to display the message “Not secure” in more areas of a website when the site is not loaded over HTTPS (see our previous post, Will Your Website’s Forms Soon Display A “Not Secure” Message?). These planned changes have left website owners scrambling to secure their websites with SSL certificates in order to avoid their customers seeing this message.

As if this hasn’t shaken things up enough, Google now has a three-phase plan to permanently distrust all Symantec SSL certificates in Google Chrome. Once all three phases are in place, anyone who tries to load a website that still uses a Symantec certificate will be shown a full-page error warning that the connection is not private (the exact wording varies by browser; Mozilla is putting Firefox on a similar schedule). The visitor will not see the website at all, only the error. Although it is usually possible to click through the warning and continue to the site anyway (not on sites that enforce HSTS, where Chrome does not offer that option), most people will not, because the warning is enough to scare them off. This spells disaster for any business website that suffers from this issue.

What are the Three Phases and What is the Timeline?

The first phase begins on December 1, 2017. Symantec’s brands will continue to sell certificates, but from that date new certificates are issued from infrastructure operated by a different, independently trusted CA rather than from Symantec’s own systems. In essence, the part of the business that issues the certificates is being taken over by another company, and certificates issued from that new infrastructure chain to the new operator’s roots, not to the old Symantec roots.

The second phase begins with Chrome 66, scheduled for release in April 2018. From that version on, Chrome will no longer trust Symantec certificates whose issue date (the certificate’s notBefore field) is before June 1, 2016.

The third and final phase begins with Chrome 70, scheduled for release in October 2018. From that version on, Chrome will no longer trust any certificate issued from Symantec’s original infrastructure, regardless of its issue date; in other words, everything issued before the hand-off in phase one. Only certificates issued from the new infrastructure on or after December 1, 2017 will keep working.

Why is Google Doing This?

In March 2017, Google and Mozilla engineers found that Symantec had misissued over 100 SSL certificates, that is, issued certificates without properly verifying that the requester was entitled to them. As the investigation deepened, the count grew to over 30,000 certificates! This is very disturbing, especially given that Symantec is one of the largest CAs on the market. Symantec is what is referred to as a “trusted CA,” meaning that all of the major web browsers – Chrome, Edge, Internet Explorer, Firefox, etc. – ship its root certificates and accept any website certificate that chains up to them. That trust matters because a CA’s job is to verify that whoever requests a certificate for “apple[dot]com” actually controls apple[dot]com. If a CA hands such a certificate to someone else, an attacker who can redirect traffic (through DNS tampering or a man-in-the-middle position on a network, for example) can serve a malicious page that the browser presents as the genuine, padlocked apple[dot]com. With so many certificates issued without proper checks, that scenario becomes a realistic possibility rather than a hypothetical one.

There is a popular phrase about trust. It has several variants, but it goes something like this: “Trust is hard to earn, easy to lose, and, once lost, nearly impossible to regain.” Although surely not intentional, Symantec’s misissuance of over 30,000 SSL certificates is simply unacceptable for a CA. Trust has been broken, and in Google’s eyes at least, it cannot be regained. This is why Chrome will ultimately withdraw trust from all Symantec certificates. Google’s announcement of the plan gives the full details.

How Wide Ranging Will This Impact Be? Will My Website Be Impacted?

Chrome will distrust not only certificates issued under the Symantec name but also those issued under the other CA brands Symantec owns, including Thawte, GeoTrust, and RapidSSL, because all of them chain to the same Symantec-operated roots. At ExcalTech, we have often used GeoTrust and RapidSSL certificates for our clients’ sites and our own because they offer some of the most competitive prices on the market. However, with such certificates set to lose trust, we will have no choice but to use other CAs for our websites and our clients’ websites going forward. Unfortunately, this change will come with increased prices for most SSL certificates.
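The timeline above and the question of whether a given site is affected both come down to two fields of the site’s certificate: which CA issued it and its issue date. The following script is an added example, not code from the original post or from Google; it applies Chrome’s two cut-off dates to a certificate’s issuer organization and notBefore field using only the Python standard library. The issuer organization names it matches on are an assumption used as a heuristic (Chrome itself matches on hashes of the legacy Symantec root public keys), and the sample certificate records are constructed for illustration, not real certificates.

```python
"""Classify a TLS certificate against Chrome's Symantec distrust timeline.

Added example: not code from the original post or from Google. The issuer
organisation names are an assumption used as a heuristic; Chrome itself matches
on the SHA-256 hashes of the legacy Symantec root public keys.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: organisation names that appear in the issuer field of certificates
# chaining to the legacy Symantec-operated roots (the post's brands plus VeriSign).
LEGACY_SYMANTEC_ORGS = {
    "Symantec Corporation",
    "GeoTrust Inc.",
    "thawte, Inc.",
    "VeriSign, Inc.",
}

# Chrome 66 (April 2018) distrusts legacy certs issued before this date;
# Chrome 70 (October 2018) distrusts every remaining legacy cert.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert: dict) -> str:
    """Extract organizationName from the 'issuer' structure of ssl.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' string (e.g. 'Jun  1 00:00:00 2016 GMT') as UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def distrust_status(cert: dict) -> str:
    """Which Chrome release, if any, stops trusting this certificate."""
    if issuer_org(cert) not in LEGACY_SYMANTEC_ORGS:
        # Issued by some other CA, or from the new infrastructure, whose
        # intermediates carry the new operator's organisation name.
        return "unaffected"
    if not_before(cert) < CHROME_66_CUTOFF:
        return "distrusted in Chrome 66"
    return "distrusted in Chrome 70"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live host and return its validated leaf certificate as a dict."""
    ctx = ssl.create_default_context()  # verifies against the local trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample records in the shape ssl.getpeercert() returns; not real certs.
SAMPLE_CHROME_66 = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "May 31 12:00:00 2016 GMT",
    "notAfter": "May 31 12:00:00 2018 GMT",
}
SAMPLE_CHROME_70 = {
    "subject": ((("commonName", "www.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),),
               (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
    "notBefore": "Jun  1 00:00:00 2016 GMT",
    "notAfter": "Jun  1 00:00:00 2018 GMT",
}
SAMPLE_NEW_INFRA = {
    "subject": ((("commonName", "api.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "GeoTrust RSA CA 2018"),)),
    "notBefore": "Feb 10 00:00:00 2018 GMT",
    "notAfter": "Feb 10 00:00:00 2020 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        live = fetch_cert(sys.argv[1])
        print(f"{sys.argv[1]}: issuer {issuer_org(live)!r}, {distrust_status(live)}")
    for sample in (SAMPLE_CHROME_66, SAMPLE_CHROME_70, SAMPLE_NEW_INFRA):
        name = sample["subject"][0][0][1]
        print(f"{name}: issuer {issuer_org(sample)!r}, {distrust_status(sample)}")
```

Run it with a hostname argument to check a live site. Because fetch_cert validates against the machine’s own trust store, on a system that has already dropped the Symantec roots the connection raises a certificate error instead of returning a record, which is itself the answer to “will my website be impacted.”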

Do you have questions or want help determining if your website will be impacted by this upcoming change to Google Chrome? Call the experts at ExcalTech today at (877) 638-5464.
