Two months ago, Comodo CA released findings from research conducted to determine the scope and potential consequences of the upcoming Google Chrome distrust of all former Symantec SSL certificates issued prior to December 1, 2017. At that time, we discovered more than one million certificates on the former Symantec roots that remain to be replaced in anticipation of Google’s announced October deadline.
Unfortunately for website operators globally, a rather large number remain at risk. Additional testing conducted by the Comodo CA research team reveals that there are still over 800,000 certificates that need to be replaced to avoid disruption to their websites. As was the case in May, our team used a two-step process: scanning results from crt.sh, the publicly available, Comodo CA-owned Certificate Transparency log monitor and search tool, and then manually reviewing the websites believed to be at risk of distrust to verify the findings.
The 800K+ number is troubling for two reasons. First, it obviously is a significant number; while it has been reduced from the one million+ revealed in May, it signals that DigiCert (which now owns the former Symantec certificates) has its work cut out for itself and its customers to prevent these sites from suffering a loss of confidence and decreased transactions. Second, the sites with these certificates are feeling the first negative effects as of today. Google has disclosed that the first users will see certificate errors as early as last Friday, July 20 (from its first Canary release of Chrome 70), with increasing numbers of users affected until, by October 16, all Chrome users will see these errors. Failure to replace these certificates will result in distrust of the sites using them by browsers including Google Chrome, Apple Safari, and Mozilla Firefox.
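As an added example (not Comodo CA's tooling or the research team's own scripts), the following Python triage applies the distrust rule described above to crt.sh results: a still-valid certificate that chains to a former Symantec brand and was issued before December 1, 2017 will be distrusted, and all Chrome users see the errors by October 16. The issuer markers, the crt.sh JSON field names, and the sample records are assumptions constructed for illustration; a host flagged "replacement logged" still needs the manual second step, because CT shows issuance, not what the live site serves.

```python
from datetime import datetime

CUTOFF = datetime(2017, 12, 1)            # legacy Symantec certs issued before this are distrusted
CHROME70_STABLE = datetime(2018, 10, 16)  # by this date every Chrome user sees the errors

# Assumption: issuer_name markers for CAs that chained to the former Symantec roots.
LEGACY_ISSUER_MARKERS = ("O=Symantec Corporation", "O=GeoTrust Inc.", "O=thawte", "O=VeriSign")

# Constructed records in the shape of crt.sh JSON output (https://crt.sh/?q=%25example.com&output=json);
# these are not real log entries and the intermediate names are placeholders.
SAMPLE_CRTSH_RECORDS = [
    {"id": 101, "issuer_name": "C=US, O=Symantec Corporation, CN=Constructed Symantec Intermediate",
     "name_value": "shop.example.com\nwww.shop.example.com",
     "not_before": "2017-03-10T00:00:00", "not_after": "2019-03-10T23:59:59"},
    {"id": 102, "issuer_name": "C=US, O=DigiCert Inc, CN=Constructed DigiCert Intermediate",
     "name_value": "shop.example.com",
     "not_before": "2018-06-01T00:00:00", "not_after": "2020-06-01T12:00:00"},
    {"id": 103, "issuer_name": "C=US, O=GeoTrust Inc., CN=Constructed GeoTrust Intermediate",
     "name_value": "old.example.com",
     "not_before": "2016-01-05T00:00:00", "not_after": "2018-01-05T23:59:59"},
    {"id": 104, "issuer_name": "C=US, O=Symantec Corporation, CN=Constructed Symantec Intermediate",
     "name_value": "pay.example.com",
     "not_before": "2017-06-20T00:00:00", "not_after": "2019-06-20T23:59:59"},
]

def distrust_status(record, asof=CHROME70_STABLE):
    """Classify one crt.sh record as 'expired', 'distrusted' or 'unaffected' as of a date."""
    if datetime.fromisoformat(record["not_after"]) < asof:
        return "expired"  # already expired: irrelevant to the distrust, nothing to replace
    legacy = any(marker in record["issuer_name"] for marker in LEGACY_ISSUER_MARKERS)
    if legacy and datetime.fromisoformat(record["not_before"]) < CUTOFF:
        return "distrusted"
    return "unaffected"

def triage_hosts(records, asof=CHROME70_STABLE):
    """Map each hostname holding a distrusted cert to whether CT also holds a valid replacement.

    'no replacement logged' means nothing newer exists to serve; 'replacement logged' means a
    newer unaffected cert was issued, but only a check of the live site shows it is deployed.
    """
    distrusted, replaced = set(), set()
    for rec in records:
        status = distrust_status(rec, asof)
        for name in rec["name_value"].split("\n"):  # crt.sh joins SAN names with newlines
            if status == "distrusted":
                distrusted.add(name)
            elif status == "unaffected":
                replaced.add(name)
    return {host: ("replacement logged" if host in replaced else "no replacement logged")
            for host in sorted(distrusted)}

if __name__ == "__main__":
    for host, verdict in triage_hosts(SAMPLE_CRTSH_RECORDS).items():
        print(f"{host}: {verdict}")
```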
A distrusted certificate can harm a business in two ways. The display of the "Not secure" message is expected to hurt user confidence, put a damper on site transactions, and damage brand reputation. Furthermore, distrusted certificates will no longer enable encryption, leaving any shared, sensitive data, such as personally identifiable information (PII), credit cards, logins, and personal health information (PHI), exposed to spying and theft.
Online businesses concerned about the potential negative consequences of the upcoming trust deprecation in Chrome, and seeking advice on the issue, can read our previous post here.