More than one million distrusted Symantec SSL/TLS certificates are still in use, and failure to replace them will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox, according to a report from Comodo CA Limited.
Google and the PKI community last year developed a plan to reduce and ultimately remove trust in certificates issued by Symantec (a business now owned by DigiCert). As of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. By October 23, 2018, certificates issued by Symantec and now owned by DigiCert before December 01, 2017 will be distrusted and no longer considered valid.
“These warnings are expected to have a strong deterrent effect on visitors seeking to share confidential information, make purchases, or access online services,” Michael Fowler, president of Comodo CA, told SC Media. “Furthermore, the presence of a “Not secure” warning will strongly undermine visitors’ ability to distinguish the actual sites on which they seek to do business from phishing sites seeking to trick them into giving away sensitive information like PII, credit card numbers, or login credentials.”
Fowler went on to say that this can increase the effectiveness of these attacks. Most of these certificates are likely still functioning correctly with the current releases of Chrome and Firefox, but when Chrome 70 and Firefox 63 are both released in September, the entire set of these certificates will cease to work correctly.
The revoked certs were identified using a two-step process: scanning a publicly available Certificate Transparency log monitor and search tool, and then manually verifying websites believed to be at risk of decertification, according to a May 16, 2018 press release.
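The same check can be applied to a site operator's own inventory once the leaf certificates are in hand. The script below is an added example, not code from Comodo CA or from the report: it applies the rule the article states (a legacy Symantec-issued certificate with a notBefore date earlier than December 1, 2017 will be distrusted) to records in the shape that Python's `ssl.getpeercert()` returns. The list of issuer organisation names, the hostnames and the certificate records are constructed assumptions for illustration; only `fetch_peer_cert()` touches the network, and it is not exercised by the sample data.

```python
import ssl
import socket
from datetime import datetime, timezone

# Distrust cutoff as stated in the article: legacy Symantec certificates with a
# notBefore earlier than 1 December 2017 stop being trusted in Chrome 70 / Firefox 63.
DISTRUST_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc).timestamp()

# Issuer organisation names treated as the legacy Symantec-operated PKI.
# ASSUMPTION: this list is the example's own and should be tuned to your environment.
LEGACY_SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")


def issuer_org(cert):
    """Return the issuer's organizationName from an ssl.getpeercert() dict, or ""."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_distrusted(cert):
    """Apply the article's rule to a getpeercert()-style dict.

    True when the issuer is a legacy Symantec brand AND the certificate was
    issued before the cutoff; certificates issued on DigiCert's infrastructure
    from 1 December 2017 onward are unaffected even if they carry a legacy brand.
    """
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in LEGACY_SYMANTEC_ORGS):
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before < DISTRUST_CUTOFF


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate of a live host as a getpeercert() dict.

    The default context verifies the chain; getpeercert() returns an empty dict
    when verification is disabled, so a handshake failure here against a local
    trust store that has already dropped the Symantec roots is itself a finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample records in the shape ssl.getpeercert() returns; not real sites.
SAMPLE_CERTS = {
    "legacy.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),)),
        "notBefore": "Mar 01 00:00:00 2017 GMT",
        "notAfter": "Mar 01 23:59:59 2019 GMT",
    },
    "reissued.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),)),
        "notBefore": "Dec 05 00:00:00 2017 GMT",
        "notAfter": "Dec 05 23:59:59 2019 GMT",
    },
    "migrated.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),)),
        "notBefore": "Jan 05 00:00:00 2018 GMT",
        "notAfter": "Jan 05 23:59:59 2020 GMT",
    },
}


def audit(certs):
    """Return the sorted names whose certificate the article's rule flags for replacement."""
    return sorted(name for name, cert in certs.items() if is_distrusted(cert))


if __name__ == "__main__":
    for name in audit(SAMPLE_CERTS):
        print(f"{name}: replace before the Chrome 70 / Firefox 63 release")
```

For a real inventory, feed `audit()` a mapping built from `fetch_peer_cert()` over your hostnames or from the Certificate Transparency search results described above; matching on the issuer organisation alone is deliberately coarse, and a second pass against the chain's actual root is the manual verification step the report mentions.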
Fowler said there is still a massive gap in certificate holders’ awareness that can be attributed to inattention, personnel changes, and a “set it and forget it” mentality.
“At every business holding one or more of these certificates the individuals in charge of them must proactively revoke and replace them,” Fowler said. “While some may have a specific replacement schedule coming up, it’s likely that many aren’t even aware that replacement will be required.”
He added that the best solution is for industry leaders and other influencers to spread the word so that as many of these certificates as possible are replaced by the deadline.