Symantec's untrusted certificates: How many are still in use?
The fallout from Google’s decision last year to stop trusting Symantec certificates has been difficult to quantify, but one security researcher has provided clarity on how many untrusted certificates are still being used.
Arkadiy Tetelman, senior application security engineer at Airbnb, posted research over the weekend about the number of untrusted certificates still in use by Symantec customers (Symantec’s certificate authority, or CA, business was acquired late last year by rival CA DigiCert). According to Tetelman, who scanned the Alexa Top 1 Million sites, approximately 103,000 Symantec certificates that are set to have trust removed this year are still in use; more than 11,000 of those will become untrusted certificates in April with the release of Chrome 66, and more than 91,000 will become untrusted in October with Chrome 70.
“Overall the issue is not hugely widespread,” Tetelman wrote, “but there are some notable hosts still using Symantec certificates that will become distrusted in April.”
According to Tetelman’s research, those notable sites include iCloud.com, Tesla.com and BlackBerry.com. He noted that some users running beta versions of Chrome 66 are already seeing connections to websites using these untrusted certificates rejected, along with a browser security warning that states “Your connection is not private.”
Google’s decision to remove trust for Symantec-issued certificates stems from a series of incidents in recent years with the antivirus maker’s CA business. Among those incidents were numerous misissued certificates (including certificates for Google) and repeated auditing problems. Last March, Google announced its intent to remove trust from Symantec certificates based on its investigation into the company’s CA operations. After months of negotiations – and hostile public sparring – between Symantec and the web browser community, Symantec finally agreed to a remediation plan offered by Google, Mozilla and other browser companies.
That remediation plan gave Symantec a choice: either build a completely new PKI for its certificates or turn over certificate issuance operations to one or more third-party CAs. Symantec ultimately opted to sell its PKI business to DigiCert in August.
DigiCert, meanwhile, still has to make good on the remediation to which Symantec agreed. And so far, it has; DigiCert met a Dec. 1 deadline to integrate Symantec’s PKI with its own backend operations and ensure all certificates are now issued and validated through DigiCert’s PKI.
But DigiCert will still have to contend with untrusted certificates currently used by Symantec customers. Along with the Chrome 66 and 70 release dates, new versions of Mozilla’s Firefox will also remove trust for Symantec certificates; Firefox 60, scheduled for May, will distrust Symantec certificates issued before June 1, 2016, while Firefox 63, scheduled for December, will distrust the rest of Symantec’s certificates.
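The phased schedule above is what an operator needs to triage their own certificate inventory. The following is an added example, not Tetelman's scanner or any browser's actual distrust logic: it classifies constructed scan records (host, issuer organisation, notBefore date) into the two distrust waves. It assumes that the legacy Symantec PKI also issued under the GeoTrust, Thawte and RapidSSL brands, that matching the issuer organisation name is an adequate heuristic (browsers key on the legacy root certificates), and that certificates issued on or after the Dec. 1 cutover come from DigiCert's own PKI and are unaffected.

```python
from collections import Counter
from datetime import date

# Distrust waves described in the article, keyed by classification.
DISTRUST_WAVES = {
    "phase1": "Chrome 66 (April) / Firefox 60 (May)",
    "phase2": "Chrome 70 (October) / Firefox 63 (December)",
}
PHASE_ONE_CUTOFF = date(2016, 6, 1)   # issued before this: phase1, otherwise phase2
NEW_PKI_START = date(2017, 12, 1)     # assumption: issued via DigiCert's PKI from here on
# Assumption: brands issued from the legacy Symantec PKI. Matching the issuer
# organisation is a triage heuristic; browsers key on the legacy root certificates.
LEGACY_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")


def distrust_phase(issuer_org, not_before_iso):
    """Return 'phase1', 'phase2', or None if the certificate is unaffected."""
    if not any(brand in issuer_org.lower() for brand in LEGACY_BRANDS):
        return None
    not_before = date.fromisoformat(not_before_iso)
    if not_before >= NEW_PKI_START:
        return None
    return "phase1" if not_before < PHASE_ONE_CUTOFF else "phase2"


def triage_inventory(scan_lines):
    """Parse 'host, issuer organisation, YYYY-MM-DD' lines and return
    (per-phase counts, [(host, phase), ...]) for the affected hosts only."""
    counts = Counter()
    affected = []
    for line in scan_lines:
        host, issuer_org, not_before = (field.strip() for field in line.split(","))
        phase = distrust_phase(issuer_org, not_before)
        if phase is not None:
            counts[phase] += 1
            affected.append((host, phase))
    return counts, affected


# Constructed scan output; the hosts and dates are not real.
SAMPLE_SCAN = [
    "www.example-a.test, Symantec Corporation, 2015-09-14",
    "www.example-b.test, GeoTrust Inc., 2017-02-03",
    "www.example-c.test, DigiCert Inc, 2018-01-20",
    "www.example-d.test, thawte Inc., 2017-12-15",
    "www.example-e.test, Let's Encrypt, 2018-02-01",
]

if __name__ == "__main__":
    counts, affected = triage_inventory(SAMPLE_SCAN)
    for host, phase in affected:
        print(f"{host}: distrusted by {DISTRUST_WAVES[phase]}")
    for phase, n in sorted(counts.items()):
        print(f"{phase}: {n} certificate(s)")
```

Feed it the issuer and notBefore fields from your own scan output to see which hosts must be reissued before April and which can wait until the October and December releases.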
In other words, more work needs to be done before this mess is completely cleaned up.