One million certificates is a big number. Sure, it’s only a fraction of the certificates issued by, say, Let’s Encrypt. But when you imagine one million websites going down, the number begins to seem quite staggering. On Wednesday, Comodo announced that it found “more than one million website certificates worldwide that may be distrusted and will therefore have to be replaced to avoid disruption to the website.”
As part of Google Chrome’s phased plan to distrust certificates that chain up to a Symantec root, all remaining Symantec certificates will become invalid with the release of Chrome 70, expected in the week of 23 October 2018. As Comodo warns, “Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.”
“Google and the PKI community last year developed a plan to reduce and ultimately remove trust in certificates issued by Symantec and now owned by DigiCert and as of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. By October 23, 2018, certificates issued by Symantec and now owned by DigiCert before December 01, 2017 will be distrusted and no longer considered valid.”
Phase 1 of the Symantec certificate distrust was completed on April 17, 2018, when Symantec certificates issued prior to June 1, 2016 stopped working with the release of Chrome 66 (stable). This first distrust seemed to be a relative non-event and resulted in very little of the brouhaha that some had predicted. In March, DigiCert reported that less than one percent of the phase one certificates remained before the April 17 deadline. But with so many outstanding certificates remaining, organizations may be hard pressed to find and replace them all by the next deadline.
The challenge is that it’s not always easy for organizations to locate where Symantec certificates have been installed. So they will have a hard time determining whether all impacted certificates have been replaced. In a blog post by Sandra Chrust, Senior Product Manager at Venafi, she expounds on that challenge. “Organizations wishing to meet Chrome's demands must have the ability to find every installation of all certificates that chain up to Symantec. That means they will need to locate certificates from potentially dozens of CAs from which they've purchased a digital certificate.”
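The two cut-off dates above and the "find every installation" problem translate into a simple triage rule that can be run over a certificate inventory. The script below is an added example, not code from the article, Comodo, Venafi or Google. It assumes an inventory of installed certificates already collected by a scanner (the record format and the sample entries are constructed), and it identifies the legacy roots the way Chrome does, by the SHA-256 hash of each root's SubjectPublicKeyInfo rather than by the brand name in the issuer field; the fingerprints used here are labelled placeholders, so a real run would substitute the published hashes. The sample data includes the case the quote warns about: a certificate whose issuer name gives no hint of Symantec but whose chain still terminates in a legacy root.

```python
"""Triage a certificate inventory against Chrome's Symantec distrust schedule.

Added example; not the article's, Comodo's, Venafi's or Google's code.
Assumptions: the inventory record format is constructed, and the root
fingerprints below are placeholders standing in for the real SPKI hashes.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Cut-off dates from the phased plan described in the article.
PHASE1_CUTOFF = date(2016, 6, 1)    # issued before this: broken since Chrome 66
PHASE2_CUTOFF = date(2017, 12, 1)   # issued before this: broken with Chrome 70
CHROME66_RELEASE = date(2018, 4, 17)
CHROME70_RELEASE = date(2018, 10, 23)

# CONSTRUCTED placeholders. Chrome keys the distrust on the SHA-256 of each
# legacy root's SubjectPublicKeyInfo; put the published hashes here.
LEGACY_ROOT_SPKI_SHA256 = {
    "placeholder-legacy-root-spki-a",
    "placeholder-legacy-root-spki-b",
}


@dataclass(frozen=True)
class InstalledCert:
    host: str                   # where the scanner found it
    issuer_cn: str              # issuer CN as shown in the leaf (brand name)
    not_before: date            # issuance date from the leaf
    root_spki_sha256: str       # SPKI hash of the root the chain ends in


def parse_not_before(text):
    """Accept ISO dates or OpenSSL's 'Jun  1 00:00:00 2016 GMT' format."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").date()


def classify(cert):
    """Return (status, deadline). Only the root identity and the issuance
    date matter; the issuer brand name is deliberately ignored."""
    if cert.root_spki_sha256 not in LEGACY_ROOT_SPKI_SHA256:
        return "unaffected", None
    if cert.not_before < PHASE1_CUTOFF:
        return "distrusted_phase1", CHROME66_RELEASE
    if cert.not_before < PHASE2_CUTOFF:
        return "distrusted_phase2", CHROME70_RELEASE
    # Issued on or after 1 Dec 2017 from the replacement infrastructure.
    return "unaffected", None


def triage(inventory, today):
    """Classify every record and order findings by urgency."""
    summary = {"distrusted_phase1": 0, "distrusted_phase2": 0, "unaffected": 0}
    findings = []
    for cert in inventory:
        status, deadline = classify(cert)
        summary[status] += 1
        findings.append({
            "host": cert.host,
            "issuer_cn": cert.issuer_cn,
            "status": status,
            "days_left": None if deadline is None else (deadline - today).days,
        })
    # Already-broken certificates (negative days) first, unaffected ones last.
    findings.sort(key=lambda f: (f["days_left"] is None, f["days_left"] or 0))
    return {"summary": summary, "findings": findings}


# CONSTRUCTED sample inventory. Note the reseller-branded issuer on the
# first entry: its name says nothing about Symantec, but the chain does.
SAMPLE_INVENTORY = [
    InstalledCert("www.example-shop.test", "Example Reseller Brand CA",
                  parse_not_before("2017-03-10"), "placeholder-legacy-root-spki-a"),
    InstalledCert("mail.example.test", "Example Legacy Secure Server CA",
                  parse_not_before("Nov  2 00:00:00 2015 GMT"), "placeholder-legacy-root-spki-b"),
    InstalledCert("api.example.test", "Example Reseller Brand CA",
                  parse_not_before("2018-01-15"), "placeholder-legacy-root-spki-a"),
    InstalledCert("intranet.example.test", "Example Internal Root CA",
                  parse_not_before("2016-01-01"), "unrelated-root-spki"),
]


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, date(2018, 7, 20))
    print(report["summary"])
    for f in report["findings"]:
        print(f"{f['host']:25} {f['status']:18} {f['issuer_cn']:32} days_left={f['days_left']}")
```

Run against the sample on 20 July 2018 (the date the article gives for the first error messages), the report lists `mail.example.test` as already broken, `www.example-shop.test` with 95 days to the Chrome 70 release, and the post-December-2017 and non-Symantec certificates as unaffected. The point of keying on the root's public key rather than the issuer string is exactly the one in the quote: certificates bought through many brands and resellers all collapse into the same handful of roots, so a name-based search misses installations that a chain-based search finds.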
But the work doesn’t stop there. Even after organizations have invested significant time and resources necessary to complete the remediation of all Symantec certificates, they may just have to turn around and do it all again. Over the past few years, we have seen a number of CA errors that required immediate action. And there’s no predicting when one may happen next. But most experts are expecting it at any time.
According to a Venafi study, IT security professionals are troubled by future CA incidents, but very few have the tools needed to switch CAs quickly. For example, 81% of respondents are concerned about future incidents involving CAs. However, if they were affected by a major event like a CA security breach, only 23% said they are completely confident in their ability to quickly find and replace all their impacted certificates.
Is your organization prepared for the next major certificate security event?