Google's Distrust of Symantec Certificates | (un)Common Logic

Cybersecurity issues are in a constant state of mutation and evolution, both from attackers and from the organizations who defend against them. One fairly recent development affects Symantec, a company that has issued an estimated one-third of the SSL/TLS certificates on the web. (If you’ve ever trusted a site because it has a “Norton Secured” seal, that’s Symantec’s main brand.)

SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates indicate that a website has met data encryption and authentication standards to be considered “secure.” These certificates provide the “S” in HTTPS, which is now required for sites where users add any kind of text input, including email addresses and comments. However, certificates issued to unauthorized parties can allow those parties to impersonate HTTPS-protected pages and sites.

In September 2017, Google announced its “plan to distrust” SSL/TLS certificates issued by Symantec and its affiliated brands, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. Between now and mid-September 2018, websites with SSL/TLS certificates from Symantec will need to have those certificates replaced to retain Google’s “secure” status.

Why are these certificates no longer considered secure?

In January 2017, Andrew Ayer, founder of SSLMate and certificate security expert, reported that Symantec and two of its brands (GeoTrust and Thawte) had improperly issued a total of 108 SSL/TLS certificates on three separate days in 2016. The certificates were issued to domains like “test5.com” and “example.com,” almost all of which were registered to different owners.

Ayer contacted the domain owners to determine what kind of validation had been performed. He found that 99 of the certificates were issued without proper validation of domain ownership, and 9 were issued without the permission or even knowledge of the domain owners! (His reporting of the errors ended with “I doubt there is an organization named ‘test’ located in ‘test, Korea.’ ”)

While 108 certificates might not sound like much compared to the millions of SSL/TLS certificates issued globally, these 108 confirmed errors indicated that Symantec and its brands had procedural gaps in validation that violated industry guidelines. Symantec later admitted to 127 certificates issued in error, while Google estimated that the number could go as high as 30,000 or more.

It was not Symantec’s first violation of industry standards; in 2015, Thawte, a Symantec brand, issued Extended Validation (EV) pre-certificates for sites that hadn’t been requested or authorized by the domain owner… including google.com and www.google.com. Symantec stated that the certificates were issued during an in-house test… but eventually admitted to issuing 187 test certificates for domains they didn’t own, and 2,458 certificates for domains that hadn’t been registered.

Symantec isn’t the only CA that’s faced sanctions from Google and Mozilla; last year, both browsers distrusted SSL/TLS certificates issued by Chinese CA WoSign and its subsidiary StartCom.

Deadlines for replacing certificates

Google’s timeline for handling Symantec certificates is based on their anticipated release dates for Chrome 66 Beta and Chrome 70 Beta. (As with all such schedules, dates are subject to change depending on the actual date of release.)

• By March 15, sites with Symantec SSL/TLS certificates issued before June 6, 2016, should replace them all with certificates from a trusted provider. A September 2017 post on the Moz blog recommends DigiCert and Comodo. Note: if the certificate(s) expire before March 15, no action is required, as the certificate(s) will need to be reissued anyway.
• By Sept. 13, all Symantec SSL/TLS certificates issued before Dec. 1, 2017, using Symantec’s “old infrastructure,” will need to be replaced.

While Mozilla, makers of the Firefox browser, have not yet made any official announcements regarding Symantec-issued certificates, their security-development Wiki shows a graduated distrust plan similar to Google’s. These dates correspond to the releases of Firefox 60 and 63, and are also subject to change.

• Starting May 8, Firefox will designate a site as “untrusted” if it has a Symantec certificate issued before June 1, 2016
• Starting Oct. 23, Firefox will designate a site as “untrusted” if it has a Symantec certificate issued through the “old infrastructure”

The “old infrastructure” mentioned in both plans refers to Symantec’s certificate authority (CA) branch. The company sold this part of their business to DigiCert in late October, and as of Dec. 1, DigiCert began issuing all certificates for Symantec customers. DigiCert is considered a trusted CA by both Google and Mozilla, so Symantec certificates issued after Dec. 1 are actually DigiCert certificates and thus okay.

How to protect your site

• Have your SEO and/or web dev team check which CA provided your certification, whether it was done through a hosting provider or a separate certificate provider
• If your site has a Symantec certificate, especially if it was issued before June 6, 2016, begin the process of having it reissued by DigiCert or replaced by another, trusted CA. Be sure to keep your CIO and CSO (Chief Security Officer) in the loop on this.
• Remove any “trustmarks” from Symantec companies from your site. They’re most likely to be on ecommerce pages, checkout pages, and the footer of your website.
• Also have your SEO/web team check your site for third-party tools that have Symantec certification. Many marketing automation, content distribution, and analytics or tracking tools make “calls” to the tool-providers’ websites. If those sites have any Symantec certifications, Chrome and Mozilla will refuse to fetch resources from them.
• If you find any Symantec certificates in your third-party tools, contact those companies to ensure that they’re rectifying the situation and will be within compliance by mid-March or mid-September, as applicable. Even if compliance isn’t required until September, the sooner a provider corrects the problem, the better a partner they are to your business.

We urge you to make sure every aspect of your site is within compliance as soon as possible, as failing to meet these guidelines could undo much of the work your digital marketing team has done. If your site doesn’t meet all the HTTPS requirements, your organic rankings could be damaged, and it could negatively affect paid search ad approvals on Google AdWords.