Comodo CA has released findings from research performed to determine the scope and potential consequences of the upcoming Google Chrome distrust of all former Symantec SSL certificates issued prior to December 1, 2017. In our research, Comodo CA discovered more than one million certificates chaining to the former Symantec roots that still need to be replaced before Google's announced October deadline.
As a bit of background, last year Google, its Chrome team and the PKI community developed a plan to phase out trust in certificates issued by Symantec Corp. (whose certificate business is now owned by DigiCert). Chrome release 66 and later (which went GA April 18, 2018) already has removed trust for all Symantec, GeoTrust, Thawte and RapidSSL certificates issued prior to June 1, 2016. Sites still serving certificates from these roots and that issuance period fail with a full-page certificate warning in Chrome 66 or later, and a visitor who clicks through sees the site marked "Not secure".
According to Google, Chrome release 70 (scheduled for beta release September 13, 2018 and GA release October 23, 2018) will extend this distrust to all certificates from these four brands, regardless of issuance date. More details can be found in the Google Security Blog post announcing the timeline.
The "Not secure" label is problematic for businesses because it erases an important differentiator between their genuine sites and phishing sites: once the legitimate site is flagged as untrusted, an imitation built to harvest personally identifiable information (PII), credit card numbers, logins and other confidential data from visitors looks no worse than the real thing. For the same reason, the "Not secure" indicator is a strong deterrent to visitors considering doing business on the site, and that can lead to lost online sales and drops in other key performance metrics.
Methodology and Remediating Action
Using a two-step process, which combined scan results from crt.sh, the publicly available Certificate Transparency log monitor and search tool owned by Comodo CA, with manual review of websites believed to be at risk of distrust, Comodo CA found that as of May 4, more than one million websites are still using certificates scheduled to lose trust in Chrome this year.
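The same test the crt.sh sweep applied at scale, reduced to a self-check for a single site. This is an added example, not Comodo CA's research tooling: it classifies a certificate by its issuer organization and notBefore date against the two Chrome cutoffs. Chrome itself matches on the SPKI hashes of the legacy Symantec roots and exempts a short list of independently operated sub-CAs; matching on the issuer organization name is an assumption used here to keep the example offline and dependency-free. The certificates in the block are constructed samples in the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, not real certificates.

```python
"""Classify a server certificate against the Chrome 66 / Chrome 70 Symantec distrust cutoffs."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Organization names seen in the issuer field of certificates from the legacy,
# Symantec-operated PKI (Symantec, VeriSign, GeoTrust, Thawte; RapidSSL was
# issued under GeoTrust). ASSUMPTION: Chrome keys on the legacy roots' SPKI
# hashes, not on these names; the name match is a stand-in for this example.
LEGACY_SYMANTEC_ORGS = {
    "Symantec Corporation",
    "VeriSign, Inc.",
    "GeoTrust Inc.",
    "thawte, Inc.",
    "Equifax",
}

CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)   # distrusted in Chrome 66
CHROME70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)  # distrusted in Chrome 70


def _rdn_value(cert, field, attr):
    """Return one attribute (e.g. organizationName) from a getpeercert() subject/issuer tuple."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _cert_time(value):
    """Parse the 'Mar 15 00:00:00 2017 GMT' format used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert, now=None):
    """Return one of: expired, not_symantec, distrusted_chrome66, distrusted_chrome70, ok."""
    now = now or datetime.now(timezone.utc)
    if _cert_time(cert["notAfter"]) < now:
        return "expired"                      # already dead; no distrust question
    if _rdn_value(cert, "issuer", "organizationName") not in LEGACY_SYMANTEC_ORGS:
        return "not_symantec"                 # issued by some other CA
    not_before = _cert_time(cert["notBefore"])
    if not_before < CHROME66_CUTOFF:
        return "distrusted_chrome66"          # already failing since April 2018
    if not_before < CHROME70_CUTOFF:
        return "distrusted_chrome70"          # fails once Chrome 70 ships
    return "ok"                               # post-cutoff issuance, not covered by the plan


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate as a getpeercert() dict.

    Note: the handshake is validated against the local trust store, so a chain
    the local OS already rejects raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates) in getpeercert() shape.
SAMPLE_CHROME70 = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Legacy Intermediate CA"),)),
    "notBefore": "Mar 15 00:00:00 2017 GMT",
    "notAfter": "Mar 15 23:59:59 2019 GMT",
}
SAMPLE_CHROME66 = dict(SAMPLE_CHROME70, notBefore="Jan  4 00:00:00 2016 GMT")
SAMPLE_EXPIRED = dict(SAMPLE_CHROME70, notAfter="Jan  1 00:00:00 2018 GMT")
SAMPLE_OTHER_CA = dict(SAMPLE_CHROME70,
                       issuer=((("organizationName", "Example Trust Services"),),))
AS_OF = datetime(2018, 5, 4, tzinfo=timezone.utc)  # date of the crt.sh sweep


if __name__ == "__main__":
    for host in sys.argv[1:] or []:
        print(host, classify(fetch_cert(host)))
```

Run it with one or more hostnames to classify live sites; with no arguments it does nothing but can be imported. The four samples reproduce the buckets the research sorted certificates into: one already broken in Chrome 66, one that breaks in Chrome 70, one that expires before the deadline and so needs no action, and one from an unrelated CA.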
Online businesses should take these steps to avoid potential negative consequences from the upcoming trust deprecation on Chrome:
The large number of certificates yet to be replaced suggests that many online businesses are unaware of this upcoming issue and of what they can (and must) do to prevent trust problems for their sites. Comodo CA will continue to promote awareness of this deadline in order to help preserve a trustworthy and productive online business environment.