
Over One Million Symantec Certificates Still Haven’t Been Replaced

May 18, 2018 | Scott Carter

One million certificates is a big number. Sure, it’s only a fraction of the certificates issued by, say, Let’s Encrypt. But when you imagine one million websites going down, the number begins to seem quite staggering. On Wednesday, Comodo announced that it found “more than one million website certificates worldwide that may be distrusted and will therefore have to be replaced to avoid disruption to the website.”

As part of Google Chrome’s phased plan to distrust certificates that chain up to a Symantec root, all remaining Symantec certificates will become invalid with the release of Chrome 70, expected in the week of 23 October 2018. As Comodo warns, “Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.”

“Google and the PKI community last year developed a plan to reduce and ultimately remove trust in certificates issued by Symantec and now owned by DigiCert and as of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. By October 23, 2018, certificates issued by Symantec and now owned by DigiCert before December 01, 2017 will be distrusted and no longer considered valid.”

Phase 1 of the Symantec certificate distrust was completed on April 17, 2018, when Symantec certificates issued prior to June 1, 2016 stopped working with the release of Chrome 66 (stable). This first distrust seemed to be a relative non-event and resulted in very little of the brouhaha that some had predicted. In March, DigiCert reported that less than one percent of the phase one certificates remained before the April 17 deadline. But with so many outstanding certificates remaining, organizations may be hard pressed to find and replace them all by the next deadline.

The challenge is that it is not always easy for organizations to locate where Symantec certificates have been installed, so they will have a hard time determining whether all impacted certificates have been replaced. Sandra Chrust, Senior Product Manager at Venafi, expounds on that challenge in a blog post: “Organizations wishing to meet Chrome's demands must have the ability to find every installation of all certificates that chain up to Symantec. That means they will need to locate certificates from potentially dozens of CAs from which they've purchased a digital certificate.”
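A first-pass triage of an existing certificate inventory against the dates above, as an added example that is not part of the original post or any Venafi tooling. It assumes each record is the text printed by `openssl x509 -noout -issuer -startdate`; the brand list comes from outside this article, the hosts and records are constructed, and matching the issuer name is a heuristic rather than full chain validation.

```python
import re
from datetime import datetime

# Brand names Symantec's CA business operated under (added here, not listed on
# the page). Matching the issuer O/CN is a heuristic, not a chain validation.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")
PHASE1_CUTOFF = datetime(2016, 6, 1)  # issued before this: distrusted in Chrome 66
FINAL_CUTOFF = datetime(2017, 12, 1)  # issued before this: distrusted by October 23, 2018

# Constructed sample inventory (not real certificates), in both OpenSSL DN styles.
SAMPLES = {
    "shop.example.test": "issuer= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4\nnotBefore=May  3 00:00:00 2016 GMT",
    "api.example.test": "issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA\nnotBefore=Feb 14 00:00:00 2017 GMT",
    "blog.example.test": "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\nnotBefore=Mar  1 10:20:30 2018 GMT",
}

def parse_openssl(text):
    """Extract the issuer DN and notBefore date from the openssl output."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.M)
    start = re.search(r"^notBefore=(.+?)\s+GMT\s*$", text, re.M)
    if not issuer or not start:
        raise ValueError("missing issuer= or notBefore= line")
    # OpenSSL pads single-digit days with two spaces ("May  3"); collapse them.
    not_before = datetime.strptime(" ".join(start.group(1).split()), "%b %d %H:%M:%S %Y")
    return issuer.group(1), not_before

def issuer_fields(dn):
    """Return lower-cased O and CN values from "/C=US/O=..." or "C = US, O = ..." DNs."""
    return [v.strip().lower() for v in re.findall(r"(?:^|[/,])\s*(?:O|CN)\s*=\s*([^/,]+)", dn)]

def classify(text):
    """Bucket one certificate by the distrust dates given in the article."""
    issuer, not_before = parse_openssl(text)
    if not any(brand in field for field in issuer_fields(issuer) for brand in SYMANTEC_BRANDS):
        return "not-symantec"
    if not_before < PHASE1_CUTOFF:
        return "phase1-already-distrusted"  # Chrome 66, April 17, 2018
    if not_before < FINAL_CUTOFF:
        return "replace-before-chrome70"    # week of October 23, 2018
    return "review-manually"  # assumption: later issuance needs a chain check by hand

def triage(samples):
    return {host: classify(output) for host, output in samples.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Because only the leaf's issuer name is inspected, a certificate flagged `not-symantec` can still chain to a Symantec root through a differently named intermediate, so the full chain should be checked before a host is cleared.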

But the work doesn’t stop there. Even after organizations have invested the significant time and resources necessary to complete the remediation of all Symantec certificates, they may just have to turn around and do it all again. Over the past few years, we have seen a number of CA errors that required immediate action. There’s no predicting when one may happen next, but most experts are expecting it at any time.

According to a Venafi study, IT security professionals are troubled by future CA incidents, but very few have the tools needed to switch CAs quickly. For example, 81% of respondents are concerned about future incidents involving CAs. However, if they were affected by a major event like a CA security breach, only 23% said they are completely confident in their ability to quickly find and replace all their impacted certificates.

Is your organization prepared for the next major certificate security event?

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
