Beware the looming Google Chrome HTTPS certificate apocalypse!
Well, melee. Dust-up? Minor inconvenience? But it’s coming!!
Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.
Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.
This will also affect certs that use Symantec as their root of trust even if they were issued by an intermediate organization. For example, certificates handed out by Thawte, GeoTrust, and RapidSSL that rely on Symantec will be hit by Google’s crackdown. If in doubt, check your cert’s root certificate authority to see if it’s Symantec or not.
The change will come in build 66 of Chrome – due for public release on April 17 – and the problem will get even bigger on October 23 when build 70 is released and all Symantec certificates will be listed as not being trustworthy.
Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it’s safe to say that it will become a very big headache very quickly for those sites that haven’t obtained new HTTPS certs from other authorities.
The question is: how big a headache? Early beta testers of the Chrome build have been warning that they keep coming across websites with untrusted certificates and seeing the danger message. Fortunately, one person has gone to the trouble of running a script to figure quite how ugly it’s going to get.
Security engineer Arkadiy Tetelman, who works at Airbnb according to his blog, decided to run a test in which he grabbed the certificate information from the one million biggest websites on the internet, in terms of traffic as rated by Alexa, and tested to see if they would break.
The script took 11 hours to run and turned up some very interesting results: of the one million websites, just 11,510 are going to go TITSUP in April, with 91,627 on the chopping block in October.
When businesses collide
It’s still a large number and there are some big names there – car company Tesla.com, water filter company Brita.com, Australia’s energy regulator at aer.gov.au, and, well, 11,507 others. It’s not Y2K – these outfits can buy certs from other authorities or get free ones – but it’s safe to say that there are going to be a lot of unhappy people come April if action isn’t taken. And then even more unhappy people a few months later.
Fortunately, Mr Tetelman has uploaded a plain text list, so if you are a sysadmin or webmaster, we would strongly recommend doing a search to make sure you’re not on it. Or, of course, be even smarter and move all your sites away from Symantec certificates.
The issue doesn’t raise the slightly troubling fact that Google has basically put an entire company’s certificate-issuing operation out of business by declaring that it would no longer accept Symantec certificates. That’s a scary amount of power to have.
But on the other hand, it wouldn’t be doing it if Symantec hadn’t repeatedly screwed up and undermined trust in its own product by wrongly issuing SSL/TLS certs, including, unfortunately, the one for google.com. Not a smart move.
If you are an organization that exists purely to ensure that people can trust you, then you should expect some fallout if it turns out you can’t be trusted. Symantec wasn’t very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.
It claims only 127 certificates were wrongly issued, not the 30,000 previously claimed. But here we are. A few months after its blog post and with Google refusing to budge, Symantec threw in the towel and sold off its certificate business to DigiCert.
Don’t say you haven’t been warned.
Read the original article over at The Register.