Symantec distrust to begin in Chrome from April 2018

Google's browser will start the process of removing trust from old Symantec TLS certificates in Chrome 66.
Written by Chris Duckett, Contributor

Google has put forward its final proposal to begin distrusting Symantec-issued TLS certificates, with the work to begin when Chrome 66 removes trust from certificates issued prior to June 1, 2016.

The release date for Chrome 66 is slated to be April 17, 2018, with Symantec certificate owners encouraged by Google to replace those certificates, whether through Symantec or another certificate provider.

In mid-October, when Chrome 62 is released, the browser's developer tools will begin flagging certificates it encounters that will be affected by the distrust.

A year later when Chrome 70 is released, it is proposed the browser will distrust any certificate issued by Symantec's old infrastructure, including those sold after June 1, 2016.

"This includes any replacement certificates issued by Symantec prior to the transition to the non-Symantec-operated 'Managed Partner Infrastructure'," Chrome engineering vice president Darin Fisher wrote.

"By these dates, affected site operators will need to have fully replaced any TLS server certificates issued from Symantec's old infrastructure, using any trusted CA including the new Managed Partner Infrastructure. Failure to migrate a site to one of these two options will result in breakage when Chrome 70 is released."

According to Fisher, Symantec has said its new Managed Partner Infrastructure will be ready by December 1.

Google first announced its intention to begin distrusting Symantec in March, with the original plan being to reduce the validity period Chrome would accept for Symantec certificates to nine months over a series of releases.

Fisher said that although the timeline has slipped, it is an appropriate balance between the risk to users and minimising disruption.

"This time will allow clear messaging and scheduling for site operators to update certificates," he said.

"While we intend to stick with this schedule, if there is new information highlighting additional security risks with this set of certificates, the dates could change to more rapidly distrust the existing certificates."

For its part, Symantec had previously called for distrust of its certificates issued before June 2016 to be pushed back to May 1, 2018.

Last week, security researcher Hanno Böck tricked Symantec into incorrectly revoking certificates based on forged private keys.

According to a blog post written by Böck, he registered a pair of domains, obtained free TLS certificates for them from Symantec and Comodo, created a fake private key for each domain and uploaded it to Pastebin, then sent each key to the corresponding certificate provider with a request to revoke the certificate on the grounds that its private key was publicly viewable.

Böck buried his fake keys among a list of genuine publicly viewable private keys, and found that while Comodo did not revoke its certificate, Symantec informed him that it had revoked the entire list.

"Symantec did a major blunder by revoking a certificate based on completely forged evidence," he said. "There's hardly any excuse for this and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background."
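The check Symantec skipped, as an added example that is not from the article, from Böck's post or from any CA's tooling: a shell script using only the openssl command-line tool (assumed to be installed) that generates a certificate with its genuine key, a well-formed but unrelated "fake" key, and a non-key blob, all constructed here, and then tests each against the certificate the way a CA should before treating a submitted key as evidence of compromise.

```shell
#!/bin/sh
# Added example, not code from the article, from Böck's post or from any CA.
# Shows the check a CA should run before accepting "here is the leaked private
# key" as grounds for revocation: does the submitted key correspond to the
# certificate at all? Assumes only the openssl command-line tool; every key and
# certificate below is generated here for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the genuine key pair and a self-signed certificate for a
# made-up host name, standing in for a certificate a CA actually issued.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/real.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/real.key" -subj "/CN=example.test" \
    -days 30 -out "$WORK/cert.pem" 2>/dev/null

# Constructed "fake" key: a perfectly well-formed RSA key that simply is not
# the certificate's key, which is what a forged Pastebin entry looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/fake.key" 2>/dev/null

# Constructed junk: PEM armour around text that is not a key at all.
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'not really' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/garbage.key"

# key_matches_cert CERT KEY
# Returns 0 only when KEY parses as a private key and its public half is
# byte-for-byte the SubjectPublicKeyInfo inside CERT (the classic modulus
# comparison, done on the DER encoding so it works for any key type).
key_matches_cert() {
    cert="$1"; key="$2"
    # Must at least be a parseable private key.
    openssl pkey -in "$key" -noout 2>/dev/null || return 1
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
    key_pub="$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)"
    [ "$cert_pub" = "$key_pub" ]
}

# prove_possession CERT KEY
# The stronger form: sign a challenge the verifier chose with KEY and check the
# signature with the public key taken from CERT. This is evidence of control of
# the key, not merely of a blob that looks like one.
prove_possession() {
    cert="$1"; key="$2"
    challenge="$WORK/challenge.bin"
    openssl rand -out "$challenge" 32
    openssl x509 -in "$cert" -noout -pubkey > "$WORK/cert_pub.pem"
    openssl dgst -sha256 -sign "$key" -out "$challenge.sig" "$challenge" 2>/dev/null \
        || return 1
    openssl dgst -sha256 -verify "$WORK/cert_pub.pem" \
        -signature "$challenge.sig" "$challenge" >/dev/null 2>&1
}

# report CHECK KEYFILE: run one check against the sample certificate and say
# what a CA should do with the result.
report() {
    if "$1" "$WORK/cert.pem" "$WORK/$2"; then
        echo "$1 $2: key belongs to the certificate, revocation is justified"
    else
        echo "$1 $2: key does NOT belong to the certificate, do not revoke"
    fi
}

for k in real.key fake.key garbage.key; do
    report key_matches_cert "$k"
    report prove_possession "$k"
done
```

Run it as-is. key_matches_cert is the quick triage; prove_possession is what a CA should actually insist on, a signature over a challenge it chose that verifies under the certificate's own public key. A forged key buried in a list of genuinely leaked keys gets the same per-certificate test as every other entry, so only the one that really matches the certificate can justify revoking it.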
