Warning: Google will soon distrust Symantec SSL certificates

Google really wants to make sure that users keep trusting secure HTTPS sites. Since Google believes that Symantec was not strict enough when issuing SSL certificates, the world’s most popular search engine has now decided to take drastic sanctions. Over time, the Chrome browser will no longer support certificates issued by Symantec. But what does this mean in practical terms?

What is the role of an SSL certificate?

SSL certificaat groen balkje httpsIn order to be able to establish a secure connection with a website, this website must use an SSL certificate. In addition to the free Let's Encrypt certificate, which is included for free with each Combell hosting package, you can also choose a paying certificate, which provides better guarantees and is issued by Certificate Authorities such as Symantec, Comodo, Verisign, etc. (Please also read: Should you go for a free Let’s Encrypt certificate or a premium SSL certificate?)

Why is Google questioning Symantec SSL certificates?

Symantec SSL certificatenThe certificate issuing and management procedure is governed by rules, which are set by the CA/Browser Forum. As its name suggests, the members of this forum can be either browser vendors or certificate authorities. And when they violate these rules, browser and OS vendors may decide to distrust the certificates concerned.

And that is exactly what happened: Google has accused Symantec of not having observed the customary security policies. As a result, certificates have been improperly issued, causing multiple incidents. This is why Google decided to distrust SSL certificates issued by Symantec directly or one of its resellers (GeoTrust, Thawte, RapidSSL).

Geotrust Thawte RapidSSL merken SSL Symantec

Which sanctions will Google take against SSL certificates issued by Symantec?

Future versions of the Chrome browser will distrust Symantec certificates, a process that will take place in two phases:

With version 66 of Chrome, which is due for release in mid-April 2018, Symantec certificates older than 6/1/2016 will no longer be trusted.

Eventually, Chrome 70 (October 2018) will revoke trust in all certificates issued by Symantec (or its resellers).

In more concrete terms, this means that end users who will use Chrome to visit a website after the date indicated above will not be able to establish an HTTPS connection with this website if the certificate was issued by Symantec (or its resellers). Users will receive a warning, which will severely undermine their confidence in this site!

Firefox may also announce similar sanctions, although specific details are still unknown.

What should owners of Symantec SSL certificates do?

This sanction imposed by Google will have a major impact on the Internet. According to a study conducted by Netcraft in 2015, Symantec would be responsible for about a third of the web’s SSL certificates.

Those who use an SSL certificate issued by Symantec or any of its resellers should replace it within the terms mentioned above. For this, they should contact the company from which they purchased the certificate.

Tip: Once version 62 of Chrome will be released (24 October 2017), you should visit your websites using the Chrome browser, leaving the Developer Tools panel open. This way, you will be able to see which websites will become untrusted in Chrome 66.

What does this means for Combell customers who use an SSL certificate?

There will be no big changes for Combell customers. 98% of them installed a certificate issued by Comodo, a Certificate Authority that Combell recommended in most cases. The few customers affected by this sanction will be contacted personally by Combell’s helpdesk in order to find the best solution to the problem.