Mozilla warns it plans to distrust all Symantec-chained certs in October

If you are among the 3 percent still with a Symantec certificate, you really need to shift -- that means you, PayPal.
Written by Chris Duckett, Contributor
(Image: Liamosaur)

By October, TLS certificates that chain to Symantec roots will be rejected by both Firefox and Chrome, as the two browsers complete the Symantec distrust plan first laid out last year.

Mozilla said in a blog post that when it distrusts Symantec in Firefox 63, slated for release on October 23, the switch will affect 3.5 percent of the top 1 million sites.

Chrome is set to do the same with Chrome 70, set for release around October 16.

Among the sites that would be affected if the change happened today is PayPal, which, as security consultant Liam O pointed out, currently serves a Symantec certificate that does not expire until October 31, 2019.

Mozilla noted, however, that during the first phase of the plan, the Firefox 60 distrust of Symantec certificates issued before June 2016, the share of affected sites collapsed from 1 percent in early March to less than 0.15 percent by May 9.

The browser maker also said the number of sites using Symantec-chained certificates has fallen by 20 percent in the past two months.

"As the Firefox 63 release approaches, we expect the same rapid pace of improvement that we observed with the Firefox 60 release," Mozilla said.

"We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months."

In April, Chrome 66 likewise removed trust for Symantec certificates issued before June 2016; Chrome 70 extends that to every Symantec-chained certificate, regardless of issue date.
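The two-phase schedule described above (Firefox 60 / Chrome 66 reject only Symantec-chained certificates issued before June 2016; Firefox 63 / Chrome 70 reject all of them) is easy to turn into a check an operator can run against their own certificate metadata. The following is an added example, not code from the article, Mozilla or Google. It takes certificates in the dict format that Python's `ssl.SSLSocket.getpeercert()` returns, and it identifies the Symantec PKI by organization name (Symantec, VeriSign, Thawte, GeoTrust, RapidSSL), which is an assumption: the browsers key their distrust on specific root certificates, so treat the name match as a screening heuristic. The sample chains, the hostnames in them and the `leaf_from_host` helper are all constructed for the example.

```python
"""Added example: classify a TLS chain against the Symantec distrust schedule.

Certificates are dicts in the ssl.SSLSocket.getpeercert() format (issuer and
subject as tuples of RDNs, dates as "Mon DD HH:MM:SS YYYY GMT"), leaf first.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: organization names that identify the legacy Symantec-operated PKI
# (Symantec and the brands it ran). Browsers key the distrust on specific root
# certificates, so this substring match is a screening heuristic, not the policy.
SYMANTEC_ORGS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")

# Phase 1 (Firefox 60 / Chrome 66): distrust only certificates issued before June 2016.
# Phase 2 (Firefox 63 / Chrome 70): distrust every certificate chaining to Symantec roots.
PHASE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp()
RELEASE_PHASE = {"firefox60": 1, "chrome66": 1, "firefox63": 2, "chrome70": 2}


def _org_names(dn):
    """Yield organizationName values from a getpeercert()-style distinguished name."""
    for rdn in dn:
        for key, value in rdn:
            if key == "organizationName":
                yield value


def chain_is_symantec(chain):
    """True if any issuer or subject in the chain belongs to a Symantec brand."""
    for cert in chain:
        for dn in (cert.get("issuer", ()), cert.get("subject", ())):
            for org in _org_names(dn):
                if any(brand in org.lower() for brand in SYMANTEC_ORGS):
                    return True
    return False


def distrusted_in(chain, release):
    """Would this chain be rejected by the given browser release?"""
    phase = RELEASE_PHASE[release]
    if not chain_is_symantec(chain):
        return False
    if phase == 2:
        return True
    # Phase 1 keys on the leaf's notBefore date (seconds since epoch, UTC).
    issued = ssl.cert_time_to_seconds(chain[0]["notBefore"])
    return issued < PHASE1_CUTOFF


def leaf_from_host(host, port=443, timeout=5.0):
    """Network helper (not called by the offline sample): fetch a live server's
    leaf certificate as a one-element chain. getpeercert() returns the leaf only,
    but its issuer field already names the intermediate CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [tls.getpeercert()]


# Constructed sample chains (hypothetical hosts, not real certificates): leaf, then intermediate.
SYMANTEC_CHAIN_2017 = [
    {
        "subject": ((("commonName", "www.example.com"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "Nov  1 00:00:00 2017 GMT",
        "notAfter": "Oct 31 23:59:59 2019 GMT",
    },
    {
        "subject": ((("organizationName", "Symantec Corporation"),),),
        "issuer": ((("organizationName", "VeriSign, Inc."),),),
        "notBefore": "Oct 31 00:00:00 2013 GMT",
        "notAfter": "Oct 30 23:59:59 2023 GMT",
    },
]
# Same chain, but with a leaf issued before the phase-1 cutoff.
SYMANTEC_CHAIN_2016 = [dict(SYMANTEC_CHAIN_2017[0], notBefore="Mar 10 00:00:00 2016 GMT"),
                       SYMANTEC_CHAIN_2017[1]]
DIGICERT_CHAIN = [{
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
    "notBefore": "Jan  5 00:00:00 2018 GMT",
    "notAfter": "Jan  4 23:59:59 2020 GMT",
}]


if __name__ == "__main__":
    for label, chain in [("symantec-2017", SYMANTEC_CHAIN_2017),
                         ("symantec-2016", SYMANTEC_CHAIN_2016),
                         ("digicert", DIGICERT_CHAIN)]:
        print(label, {r: distrusted_in(chain, r) for r in RELEASE_PHASE})
```

Running the block as a script prints one verdict line per sample chain. To check a live site, replace a sample with `leaf_from_host("your.host")`; the leaf's issuer is normally enough to tell whether the chain terminates in the Symantec PKI, but a certificate issued through a Symantec-branded intermediate that was reissued under DigiCert's new roots will not match these organization names, which is the intended outcome.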

Google put forward its plan to begin distrusting Symantec-issued TLS certificates in July 2017.

That same month, security researcher Hanno Böck tricked Symantec into wrongly revoking certificates by submitting forged private keys as "evidence" that the keys had been compromised.

"Symantec did a major blunder by revoking a certificate based on completely forged evidence," he said. "There's hardly any excuse for this, and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background."

Weeks later, Symantec's website security business was sold to DigiCert for $950 million in upfront cash plus a 30 percent stake in DigiCert.
