Mozilla forced to postpone distrust of Symantec-issued TLS certificates
11 October 2018
Mozilla, maker of the popular Firefox browser, has been forced to postpone its plan to distrust TLS certificates issued by the Symantec Certification Authority, as millions of websites have yet to replace such certificates with more secure ones.
Earlier this year, Mozilla announced that Firefox 63, which is scheduled to be released on 23rd October, will distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued. The existing Firefox 60 version distrusts certificates issued by Symantec before June 1, 2016.
Mozilla warned that, as of August this year, even though major browsers had started the process of distrusting all Symantec-issued certificates, as many as 3.5 per cent of the top 1 million websites were still using such certificates.
“This number represents a very significant impact to Firefox users, but it has declined by over 20% in the past two months, and as the Firefox 63 release approaches, we expect the same rapid pace of improvement that we observed with the Firefox 60 release,” it added.
Mozilla’s plans derailed by continued use of Symantec-issued certs
However, the world’s top 1 million sites are replacing Symantec-issued certificates far more slowly than Mozilla expected, forcing the company to postpone the phased distrust of all Symantec-issued certificates.
“While the situation has been improving steadily, our latest data shows well over 1% of the top 1-million websites are still using a Symantec certificate that will be distrusted.
“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.
“We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October,” wrote Wayne Thayer, Certification Authority Programme Manager at Mozilla in a blog post.
Besides Mozilla, Google and Apple have each announced their intent to distrust all Symantec-issued certificates in a phased manner.
According to Apple, by Fall this year the company’s products will start distrusting all certificates from Symantec Certificate Authorities that were issued before June 1, 2016 or after December 1, 2017. Certificates issued between these two dates will continue to be trusted if the certificate’s Signed Certificate Timestamp (SCT) date is before December 1, 2017 and they meet Apple’s CT Policy. However, these will remain trusted only for a limited period, as Apple will fully distrust all Symantec CAs at a later date.
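As an added illustration (not code from the article, nor from Mozilla, Apple or Google), the following encodes the Firefox 60, Firefox 63 and Apple date rules described above as a small inventory check an operator could run over their own certificate list. Whether a certificate chains to a Symantec root, and whether it satisfies Apple’s CT policy, are assumed inputs produced by a real chain builder and CT verifier; the subjects and dates in the test are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Cut-off dates quoted in the article.
EARLY_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
LATE_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

@dataclass
class LeafCert:
    # chains_to_symantec_root and meets_ct_policy are assumed inputs from a real
    # chain builder and CT verifier; this example implements neither.
    subject: str
    not_before: datetime                      # issuance date
    chains_to_symantec_root: bool
    earliest_sct: Optional[datetime] = None   # earliest embedded SCT, if any
    meets_ct_policy: bool = False

def firefox60_distrusts(cert: LeafCert) -> bool:
    # Firefox 60: Symantec-chained certificates issued before June 1, 2016.
    return cert.chains_to_symantec_root and cert.not_before < EARLY_CUTOFF

def firefox63_distrusts(cert: LeafCert) -> bool:
    # Firefox 63: anything chaining to a Symantec root, regardless of date.
    return cert.chains_to_symantec_root

def apple_fall2018_distrusts(cert: LeafCert) -> bool:
    # Apple: distrust if issued before June 1, 2016 or after December 1, 2017.
    # Treatment of the cut-off days themselves is an assumption.
    if not cert.chains_to_symantec_root:
        return False
    if cert.not_before < EARLY_CUTOFF or cert.not_before > LATE_CUTOFF:
        return True
    # Issued inside the window: trusted only with an SCT dated before
    # December 1, 2017 and compliance with Apple's CT policy.
    sct_ok = cert.earliest_sct is not None and cert.earliest_sct < LATE_CUTOFF
    return not (sct_ok and cert.meets_ct_policy)

POLICIES = {
    "Firefox 60": firefox60_distrusts,
    "Firefox 63": firefox63_distrusts,
    "Apple Fall 2018": apple_fall2018_distrusts,
}

def inventory_report(certs: List[LeafCert]) -> Dict[str, List[str]]:
    # Map each subject to the policies under which its certificate is distrusted,
    # so operators can see which sites need a replacement before each rollout.
    return {c.subject: [n for n, rule in POLICIES.items() if rule(c)] for c in certs}
```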
Replacing certificates is a painful process for many firms
Google has also announced that the upcoming Chrome 73 update will distrust all Symantec CAs, replacing an existing policy that protects companies relying on Symantec certificates pre-dating June 2016. Chrome 73 is expected to arrive in January 2019, which means that website operators have only a few months to adopt certificates issued by trusted CAs.
“Solving this problem will be a huge challenge for organisations and governments. Recent similar events have shown how challenging most organisations find this process – the US federal government, for example, was given 18 months to install certificates on all web servers and failed. One year after Heartbleed, over half of ‘global 2000’ businesses still couldn’t fully remediate Heartbleed by changing out keys. With the deadline looming, businesses can no longer be complacent,” said Kevin Bocek, Chief Cybersecurity Strategist at Venafi.
According to Mark Miller, Director of Enterprise Security Support at Venafi, distrusting the lion’s share of the certificates on the internet can be painful, especially for organisations that don’t have an automated way to replace their certificates.
“In fact, many organizations don’t even have a complete inventory of their machine identities. However, by delaying our distrust deadlines we’re leaving the window open for more data to fly out. As security professionals, we need to be able to draw a line and stand behind it with confidence, but to do this, organisations will need to prioritise their ability to respond to these kinds of events,” he adds.