Threat Watch

Symantec Certs to be Rejected by Chrome and Mozilla in October

In October of this year, both Mozilla Firefox and Chrome will reject Symantec-chained TLS certificates. The change by Firefox will affect about 3.5% of the top one million websites. The biggest website that could be affected is PayPal, which is currently using a Symantec certificate set to expire in October of 2019. Mozilla says that, as it moves to distrust Symantec certificates, the number of sites using Symantec has fallen 20% during the last two months. “We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months,” Mozilla said. In April, Chrome 66 removed trust for Symantec certificates that had been issued prior to June 2016 and announced its plan to “distrust” Symantec’s TLS certificates in July. Also in July, a security researcher tricked Symantec into revoking certificates using forged private keys. “Symantec did a major blunder by revoking a certificate based on completely forged evidence. There’s hardly any excuse for this, and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background,” he said. A few weeks later, DigiCert purchased Symantec’s website security business.

ANALYST NOTES