The Google Chrome 66 Beta is set to release March 15, 2018
While the conflict between Google and Symantec was more or less solved last Summer, the fallout from those decisions is about to be felt.
While DigiCert and Symantec have been hurrying to get customers migrated to the DigiCert PKI, the deadline for when Google Chrome (as well as Mozilla Firefox and other browsers) distrust existing Symantec SSL certificates has loomed. Consider Thursday the final precursor to that deadline, as any Symantec SSL certificate issued before June 1, 2016 will break for Chrome Beta users.
Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. You are strongly encouraged to replace your certificate as soon as possible if your site is currently showing an error in Chrome Canary.
This includes all Symantec CA brands (including Symantec, GeoTrust, Thawte and RapidSSL). Google Chrome 66 is set for Stable release on April 17, 2018.
How did we get here?
The SSLstore covered the Symantec/Google situation extensively, but if you’re looking for a quick refresher, here goes… This really started as far back as 2015 when Google contacted Symantec about some issues it had discovered regarding Symantec’s issuance of SSL certificates. It came to a head in 2016, though, when Google discovered a batch of test certificates that Symantec had issued in clear violation of the baseline requirements established by the CA/B Forum.
Google argued that in light of the mis-issued test certificates, and Symantec’s 2015 issues, that the entire Symantec PKI needed to be distrusted.
Frankly, and despite what any involved might tell you, there were a lot of politics swirling around this. And everything, from legitimate concerns like Symantec’s history of issuance-related hiccups, to trivial things like the lackadaisical initial response from the CA, seemed to factor in to some degree.
Proponents of the decision point to the need to send a message to other CAs as well as the mistakes Symantec made both in issuing the certificates in question, and in its response, as justification. Those opposed point to the fact that no real-world damage occurred, as well as to how disruptive the distrust has been, as reasons that it was overkill.
Regardless, at this point arguments on both side are entirely academic because plans were set in motion and there’s no reversing course now. Symantec sold its Certificate Authority business to DigiCert for $950-million and a 30% stake in ownership last Fall, and since December 1, DigiCert has been re-validating and a re-issuing Symantec certificates.
Where do we go from here?
Well, first things first. Despite DigiCert and Symantec resellers sending literally millions of notification emails and creating entire new channels for existing Symantec customers to re-issue their certificates through, if you haven’t heard the first hard deadline for the distrust comes with the release of Chrome 66.
The Beta version ships on Thursday. The stable version ships a month later on or around April 17. Any Symantec SSL certificate that was issued before June 1, 2016 will be distrusted. In other words, it will break and your website will be issued a security warning.
If this affects you, contact your SSL provider immediately.
Final Distrust is Chrome 70
On or around July 20, Chrome 70 will have its Canary release. At this point ALL Symantec SSL certificates will cease to work entirely for Canary users. That’s the advance browser. Chrome 70 is set for stable release a few months later around October 16. If your SSL certificate has not been issued on or beyond December 1, 2017 from DigiCert’s roots, it will not work starting in Chrome 70. Instead, your website will receive a security warning. To be clear, by the end of October when Chrome 70 is in stable all Symantec CA brand SSL certificates will be distrusted.
This is the final distrust deadline for Symantec SSL certificates, after July 20, the Symantec, GeoTrust, Thawte, RapidSSL and Verisign roots are officially dead.
(Source: The SSLstore)