If your ecommerce site has a Symantec SSL / TLS certificate, you may soon be subject to site breakage in the new version of Chrome. The Google Security team is urging webmasters and site operators to check if their trust certificate originated with Symantec (this includes certificates from other brands which are owned by Symantec including Rapid SSL, Thawte, GeoTrust, Equifax and VeriSign).
Google had previously said that it would begin to distrust Symantec certificates after it emerged that several website security certificates issued by Symantec were questionable, including one to Google itself. Google says that upon investigation, it determined that certificates issued by Symantec’s PKI business did not comply with the required CA/Browser Forum Baseline Requirements. Symantec was also accused of allowing third parties to issue security certificates without there being an appropriate level of oversight in place.
In a post on the Google Security blog, Devon O’Brien, Ryan Sleevi and Andrew Whalley from Chrome Security said, “This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.”
On 17 April, the newest version of Chrome, Chrome 66, will be rolled out to users, following distribution to beta testers in March. From this version of Chrome, Symantec certificates issued before 01 June 2016 will not be trusted. This means that if your ecommerce site has an SSL/TLS certificate from Symantec, you’ll need to obtain a new one right away from a certificate authority that IS trusted by the browser.
In October, Chrome 70 is due to be released, and this version will distrust all Symantec-issued certificates.
What to do next
If you aren’t sure which SSL certificate your site uses, open your site in Chrome Canary. This will test the certificate and help you to determine if your site is affected. If a certificate error is displayed when you try to connect to your URL, you’ll need to obtain a new SSL / TLS certificate.
If your certificate does need to be changed, some users will already be starting to see error messages when trying to visit your site, so it pays to find a new certificate authority as soon as possible.
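The same check can be scripted for many hosts using the timeline above. The following is an added example, not code from Google or Symantec: it parses the text printed by `openssl x509 -noout -issuer -startdate` and reports the first Chrome version that would reject the certificate. Matching brand names in the issuer string is a heuristic assumed here, and the sample outputs are constructed.

```python
import re
from datetime import datetime, timezone

# Brand names the article lists as Symantec-owned. Matching them in the issuer
# string is a heuristic assumed for this example.
SYMANTEC_BRANDS = ("symantec", "rapidssl", "rapid ssl", "thawte",
                   "geotrust", "equifax", "verisign")
# Cut-off stated in the article: issued before 01 June 2016 -> distrusted in Chrome 66.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Constructed sample outputs (not taken from real sites), in the two issuer
# layouts that different OpenSSL versions print.
OLD_GEOTRUST = ("issuer=C = US, O = GeoTrust Inc., CN = Example GeoTrust CA\n"
                "notBefore=May  9 00:00:00 2016 GMT\n")
NEW_THAWTE = ("issuer= /C=US/O=thawte, Inc./CN=Example thawte CA\n"
              "notBefore=Jun  1 00:00:00 2016 GMT\n")
OTHER_CA = ("issuer=C = XX, O = Example CA, CN = Example Issuing CA\n"
            "notBefore=Jan 15 12:00:00 2016 GMT\n")


def parse_openssl_summary(text):
    """Return (issuer, not_before) from `openssl x509 -noout -issuer -startdate` output."""
    issuer = re.search(r"^issuer=\s*(.+)$", text, re.MULTILINE)
    start = re.search(r"^notBefore=\s*(.+?)\s+GMT\s*$", text, re.MULTILINE)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    stamp = " ".join(start.group(1).split())  # openssl pads single-digit days
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return issuer.group(1).strip(), not_before.replace(tzinfo=timezone.utc)


def first_distrusting_chrome(text):
    """Return 66, 70, or None (issuer does not match a listed Symantec brand)."""
    issuer, not_before = parse_openssl_summary(text)
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return None
    # Issued before the cut-off: rejected from Chrome 66. Otherwise: Chrome 70.
    return 66 if not_before < CHROME_66_CUTOFF else 70


if __name__ == "__main__":
    for name, sample in (("old geotrust", OLD_GEOTRUST),
                         ("new thawte", NEW_THAWTE),
                         ("other ca", OTHER_CA)):
        print(name, "->", first_distrusting_chrome(sample))
```

To feed it a live certificate, pipe `openssl s_client -connect HOST:443 -servername HOST </dev/null` into the `openssl x509` command above and pass the resulting text to `first_distrusting_chrome`.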