The next version of Google's Chrome browser, scheduled for release next week, will remove trust for some security certificates issued by Symantec. This has been part of Google 's plans since last year when it was discovered that Symantec's infrastructure for issuing security certificates wasn't compliant with industry standards. It was also known that Symantec gave many organizations the ability to issue certificates despite being aware of security issues within said organizations.
As part of these plans, Google already dropped support for Symantec certificates issued prior to June 1, 2016, with the release of Chrome 66. Now, with Chrome 70, any security certificates issued by the agency's brands - which include VeriSign, Thawte, Equifax, and more - based on the old infrastructure, regardless of date, will no longer work in the browser.
Researcher Scott Helme recently ran a test to see just how many websites weren't compliant with the new rules and found that many popular websites still weren't ready. To do so, he scanned Alexa's list of the most popular million websites out there. Affected agencies include the Federal Bank of India, Penn State Federal, and others. As noted by TechCrunch, some websites which were found to be non-compliant at the time have since addressed that issue, including the likes of Ferrari.
On the other hand, Helme's list doesn't cover sub-domains in the websites scanned, so it's possible that only certain parts of those pages will break. A comment on his article pointed out that Lenovo's support page wasn't ready for the transition, but you'll now find that it's switched to a certificate issued by DigiCert, with a relevant message warning visitors about the change.
Chrome is the most popular web browser on the market, and the fact that it's dropping support for these certificates has naturally prompted companies to make the switch more quickly. It's possible that most users won't feel the effect of the transition, but if you do run into issues, this might be the reason why.
Source: Google Security Blog via Scott Helme, TechCrunch
8 Comments - Add comment