Product-wide ban on Symantec certificates halted after major websites fail to act

Top websites continue to validate their domain with certificates issued by Symantec, despite an industry-wide consensus to eradicate the signatures from browsers later this month.

In a renewed call for website operators to replace SSL/TLS certificates provided by the now-defunct Certificate Authority, Mozilla has announced plans to delay the removal of all Symantec roots from its services – something that would break any website still using the distrusted digital IDs.

Mozilla disabled all such certificates in the Firefox Nightly version of its browser on August 13, but the slow uptake in replacing certificates has halted its plans to implement the policy throughout all products.

“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users,” said Wayne Thayer, certificate authority program manager at Mozilla, adding that more than 1% of the top-million websites were still using Symantec to validate their domains.

“It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.”

DigiCert, which is indeed issuing replacements without charge, acquired the Symantec Certification Authority in October of last year, following a $950 million deal partly agreed upon due to the increased scrutiny that had befallen on the SSL/TLS business.

A Google investigation in March 2017, for example, claimed that Symantec was improperly issuing certificates to either domains that were never registered, or without the domain owner’s knowledge.

While Symantec denied the allegations, this followed previous concerns made by Google in 2015 during which the company was once again accused of failing to take its role as a Certification Authority seriously.

Google later demanded that all certificates issued by Symantec as of June 2016 support Certificate Transparency (CT) – a proactive framework to monitor and audit SSL certificates in order to prevent malicious use. Chrome now only trusts certificates that are CT qualified.

With little improvement made on Symantec’s end, multiple browsers, including Chrome and Firefox, agreed on a plan to slowly remove Symantec certificates from trusted infrastructure, with DigiCert replacing all certificates affected.

But the implementation of this plan has fallen short due to the thousands of website operators who have yet to update.

“We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan,” said Thayer.

“However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users.”

Thayer said that Firefox Nightly will still disable all Symantec certificates, and will plan to do so in Firefox 64 Beta, set to be released this month.

It is not known whether other browsers have gone forward with distrusting Symantec certificates, although it is believed that Google Chrome 70, the latest version of the browser set to be released this month, will no longer support any certificates issued by Symantec.

The Daily Swig has reached out to Chrome for comment.