Internet users will soon experience an increase in privacy and security warnings displayed by the web browsers that they use to connect to Internet sites.
Users of Google Chrome will see an increase in "Your connection is not private" security messages and users of Mozilla Firefox will receive more "Warning: Potential Security Risk Ahead" warnings in the browser.
Google, Mozilla and other browser makers revealed plans to distrust all certificates issued by Symantec in web browsers in 2017. Several certificates were issued in the past that did not comply with industry standards and investigation in the matter revealed that "Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight".
Google and Mozilla revealed a roadmap for the browsers to distrust all certificates issued by Symantec. Starting October 2018, all versions of Google Chrome, Mozilla Firefox, and other browsers will distrust all certificates issued by Symantec.
Internet users who run development versions of Chrome or Firefox, currently Chrome Canary or Development, and Firefox Nightly, will notice certificate warnings when they connect to sites that use Symantec certificates.
A high profile site that still uses Symantec certificates is PayPal
Google plans to remove the Symantec Root Certificate from Chrome 70 out October 16, 2018 on the Stable channel. It is then that Chrome will display error messages when users try to connect to sites that use Symantec issues certificates.
Google Chrome's notification reads:
Your connection is not private.
Attackers might be trying to steal your information from [SITE] (for example, passwords, messages, or credit cards).
A click on the error message displays details including the issuer (which in the case of PayPal is Symantec) but no options to bypass the error.
Mozilla plans to distrust the Symantec Root Certificate in Firefox 63, out October 2018 on the Stable channel.
Mozilla Firefox displays a different notification when you load sites with Symantec certificates in the web browser.
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to [SITE]. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
[SITE] has a security policy called HTTP Strict Transport Security (HSTS), which means that Nightly can only connect to it securely. You can’t add an exception to visit this site.
No option to bypass the warning is provided.
Website and server administrators and organizations have until October to deal with the issue at hand. It is necessary to replace the Symantec certificate with a certificate issued by a Certification Authority that is still trusted. Symantec acquired several Certification Authorities such as Thawte or RapidSSL in the past and certificates issued by these companies need to be replaced as well.
Internet users will see an increase in privacy and security warnings on the Internet. Many companies will switch to a different certificate before the deadline but not all will do in time or at all.
Now You: Did you encounter Symantec-related certificate issues in the past already? (via Caschy)
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.