PSA: We don’t trust Symantec Certs anymore!
Chris Hahn sent over some interesting news that might be overlooked by a good amount of our clients so we figured we would write a quick blog post on it.
Starting Tuesday (October 16th) with the release of Chrome version 70, Google will no longer accept or trust certificates issued by legacy Symantec infrastructure. This means that any certificate issued prior to December 1st 2017 will no longer be trusted. So what happens if you ignore this carefully crafted Public Service Announcement? Users with the latest version of Chrome will be presented with a big red warning page when visiting the site (not a good look). The TLS certificates in question include legacy branded Equifax, GeoTrust, RapidSSL, Thawte and Verisign. If you have used these issuers in the past, be sure to check and make sure your cert will be accepted by the new Chrome browser (which accounts for almost 70% of the browsers in use Worldwide *)
For that 30% user base left, you have until April 2019 to get new certificates before Microsoft no longer accepts the disavowed certificates.
If you would like to test your site, you can visit SSLLabs.com and see what rating you are getting. If you receive a T (trust issue) letter grade, you are most likely affected by this issue and a simple Certificate reissue and replace will correct it.
You can read more about the topic on the Register.
Stay safe out there!