Symantec Certificate Distrust Timeline: Are You Prepared?

It appears the dust has begun to settle between Google and Symantec.

Roughly six months ago, researchers affiliated with Chrome claimed that the Symantec certificate authority (CA) mis-issued thousands of transport layer security (TLS) certificates. As a result, Chrome would no longer trust Symantec’s certificates.

The web and security juggernauts spent months discussing and debating Google’s report and distrust schedule. My colleague Paul Turner wrote an informative blog series on Google’s decision and its impact on the industry, be sure to check them out for more information on how this situation has evolved.

Now, Chrome researchers Devon O’Brien, Ryan Sleevi and Andrew Whalley formally announced the browser’s plan to distrust Symantec’s certificates.

Back in March, Kevin Bocek, chief security strategist for Venafi, shared his thoughts on the Google vs. Symantec debate. He believes that ultimately, this incident is not a unique occurrence and we should expect similar events in the future.

“This is a giant wake-up call for every business,” wrote Kevin. “Most organizations don’t have the agility required to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with not just this issue, but other issues like it. The only other alternative is to be victimized by these events.”

Google’s final distrust timeline is below. Be sure to give it a careful review so that your organization will be prepared for any potential impact before the deadline passes.

• Now through ~March 15, 2018
  Site Operators using Symantec-issued TLS server certificates issued before June 1, 2016 should replace these certificates. These certificates can be replaced by any currently trusted CA.
   
• ~October 24, 2017
  Chrome 62 released to Stable, which will add alerting in DevTools when evaluating certificates that will be affected by the Chrome 66 distrust.
   
• December 1, 2017
  According to Symantec, DigiCert’s new “Managed Partner Infrastructure” will at this point be capable of full issuance. Any certificates issued by Symantec’s old infrastructure after this point will cease working in a future Chrome update.
  
  From this date forward, Site Operators can obtain TLS server certificates from the new Managed Partner Infrastructure that will continue to be trusted after Chrome 70 (~October 23, 2018).
  
  December 1, 2017 does not mandate any certificate changes, but represents an opportunity for site operators to obtain TLS server certificates that will not be affected by Chrome 70’s distrust of the old infrastructure.
   
• ~March 15, 2018
  Chrome 66 released to beta, which will remove trust in Symantec-issued certificates with a not-before date prior to June 1, 2016. As of this date Site Operators must be using either a Symantec-issued TLS server certificate issued on or after June 1, 2016 or a currently valid certificate issued from any other trusted CA as of Chrome 66.
  
  Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below.
   
• ~April 17, 2018
  Chrome 66 released to Stable.
   
• ~September 13, 2018
  Chrome 70 released to Beta, which will remove trust in the old Symantec-rooted Infrastructure. This will not affect any certificate chaining to the new Managed Partner Infrastructure, which Symantec has said will be operational by December 1, 2017.
  
  Only TLS server certificates issued by Symantec’s old infrastructure will be affected by this distrust regardless of issuance date.
   
• ~October 23, 2018
  Chrome 70 released to Stable.
   

Does your organization have the agility to meet Chrome’s demands?