Google Outlines SSL Apocalypse for Symantec Certificates

Google will distrust all existing Symantec SSL certificates starting with October 2018, and Symantec will have to rebuild its entire certificate issuance infrastructure from scratch if it wants to remain in the CA (Certificate Authority) business.

This is the final ruling in an investigation into Symantec's shady SSL issuance practices started by Google and Mozilla engineers.

Investigators discovered last year that Symantec broke industry rules agreed on by the CA/B Forum, the authority that governs the procedures for issuing SSL certificates that are used to support HTTPS encrypted traffic.

Symantec punished for misissuing 30,000 SSL certs

In March 2017, Google and Mozilla engineers found that Symantec misissued 127 SSL certificates, but as the investigation progressed this initial estimation grew to a whopping figure of over 30,000 certs.

The number shocked industry experts. Because Symantec was the one of the largest CA on the market, few dared to react. The first one to show its displeasure with Symantec's SSL issuance procedures was Google, who a few days later after the discovery announced an intention to gradually remove support for Symantec certificates in Chrome.

While Mozilla, Microsoft, or Apple never spoke on the Symantec issue, they were also displeased with the CA but allowed Google to spearhead the investigation, which dragged on for months.

Symantec denied and denied any wrongdoing, calling the results "exaggerated and misleading." Nonetheless, the company saw the writing on the wall and eventually came to the negotiation table.

Both Google and Symantec got what they wanted

The result is convoluted, but it allows both parties to claim victory. Google can say it banned Symantec, while Symantec can continue to issue SSL certificates under its name (sort of).

Below is a breakdown of what will happen over the course of the next few months.

Phase One - Symantec becomes a SubCA

December 1, 2017 — Symantec will partner with another CA that will issue SSL certificates in Symantec's name. Symantec will effectively become, in technical terms, a Subordinate Certificate Authority (SubCA).

Google proposed this measure this spring, Symantec has acknowledged it in June and approved to it on mid-July.

This step is crucial in Symantec's survival as a valid Certificate Authority because it will allow it to do business and issue new SSL certificates in the near future, keeping its clients happy.

Google is also satisfied that Symantec becomes a SubCA because the CA that takes Symantec under its wing will be responsible for issuing SSL certificates. Google and other browser vendors hope that by offloading the SSL issuance process to another CA's infrastructure, it will prevent Symantec from breaking the rules and issuing certificates for sites it shouldn't.

In the meantime, Symantec can silently prepare a new infrastructure on which to build its new SSL business. Nonetheless, the company has started exploring the idea of selling its CA business, so there's a chance we may see Symantec ride into the sunset with a big bag of money.

Phase 2 - Partial distrust of Symantec certs in Chrome

The second stage will start when Google releases Chrome 66 (estimated April 2018). Starting this version, Chrome will show SSL certificate errors for all Symantec certificates issued before June 1, 2016.

By 2018, most of these certificates would have expired, and this is just a "distrust test" so Google and Symantec can get a handle on what will happen during phase 3.

Phase 3 - Complete distrust of Symantec certs in Chrome

With the release of Chrome 70 (estimated October 2018), Chrome will show errors for all websites with Symantec SSL certificates — issued on the old infrastructure before December 1, 2017.

In this phase is where most Symantec SSL certificates will die out, akin to an SSL apocalypse for Symantec, a company that according to statistics provides one in every six SSL certs currently deployed online.

Website owners and other developers using Symantec SSL certificates inside their application will have to reach out to Symantec for a new SSL certificate (issued via the SubCA partner), or reach out to another CA provider altogether.

GeoTrust, Thawte, and RapidSSL certificates also affected

Under Chrome's hood, Google will remove the Symantec's root SSL certificate. SSL certificates are like giant trees with countless of branches, all converging back to the root certificate. Once this certificate is removed, all certificates attached to this root will stop working too.

Google will be removing Symantec's current root certificate, but the browser vendor has left the door open for Symantec to submit a new root certificate for approval in the upcoming future.

In addition, because Symantec bought other CAs like GeoTrust, Thawte, and RapidSSL, the root certificates of those former companies have been added to the Symantec root. Certificates issued under these three CAs will suffer the same fate as native Symantec SSL certs and users will have to request new ones.

Until Symantec revamps its SSL issuance procedures and comes up with a system that more secure and reliable, it's highly unlikely that Google will allow a new Symantec root certificate in Chrome again. In the meantime, the SubCA option allows Symantec to continue to support its brand, even if on someone else's root certificate.

Last year, Google has untrusted the certificates of WoSign and StartCom in a similar decision.