ROSELAND, N.J. – May 16, 2018 – Comodo CA Limited, a worldwide leader in digital identity solutions, today revealed research results that identified more than one million websites that may be at risk because they use digital SSL/TLS certificates issued by Symantec Corp., now owned by DigiCert, Inc. Using a two-step process, which included scanning the publicly available, Comodo CA-owned Certificate Transparency log monitor and search tool (crt.sh) and further verifying via manual reviews of websites believed to be at risk of decertification, Comodo CA found more than one million website certificates worldwide that may be distrusted and will therefore have to be replaced to avoid disruption to the website, creating significant business continuity and security issues for businesses and their customers. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.
“To help businesses and website owners worldwide ensure their sites remain trusted, Comodo CA has been carefully reviewing the universe of digital certificates to determine the scale and scope of distrusted certificates that still exist and help those affected to take swift and appropriate action,” said Bill Holtz, CEO, Comodo CA.
“While we were surprised by these findings, we felt it was critical to responsibly provide this information to help educate businesses and restore global trust and confidence in digital certificates, given their importance in areas such as e-commerce, global communication and the operation of IoT networks.”
“These efforts by Comodo CA demonstrate they’ve taken a leadership position in presenting some very real industry challenges,” said Robert Westervelt, Research Director, IDC Data Security Practice. “These findings are both interesting and a bit troubling. The fact that we are still seeing more than a million distrusted certificates that are operational as of today, constitutes a big risk, particularly because remediation of the distrusted DigiCert certificates is a labor- and time-intensive process. Also, release dates of major browser enhancements will be here very soon and this dynamic creates a major risk for enterprises globally and they need to be made aware of it. Otherwise, the financial impact could be significant if consumers cannot trust that websites are safe.”
Which Certificates are Affected?
Last year, Google, Inc., its Chrome team and the PKI community developed a plan to reduce and ultimately remove trust in certificates issued by Symantec, which are now owned by DigiCert. Google communicated that as of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. Additionally, Google has said that as of October 23, 2018, certificates issued before December 01, 2017 by Symantec, and now owned by DigiCert, will be distrusted and no longer considered valid.
Steps to Take Now
For businesses and website operators seeking to keep their websites operational, Comodo CA suggests the following guidelines:
- Understand the underlying issues that led to Google’s decision to distrust Symantec, GeoTrust, Thawte & RapidSSL certificates; complete details can be found on the Google Security Blog
- Scan your network to discover all active certificates in your environment
- Identify those certificates that were issued prior to December 01, 2017 with a Symantec CA root
- Replace those certificates with a trusted root from a compliant Certificate Authority
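The identification step above, sketched as an added example (not Comodo CA's tooling): a Python triage over certificate records in the dict shape returned by `ssl.SSLSocket.getpeercert()`. Matching the four brand names in the issuer name is a heuristic assumption standing in for a full chain check, and the host names and certificates are constructed samples.

```python
import ssl
from datetime import datetime, timezone

# Brand names listed on this page; matching them in the issuer is a heuristic.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
# Cutoff from this page: certificates issued before December 1, 2017.
CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_text(cert):
    """Flatten the nested issuer RDN tuples of a getpeercert()-style dict."""
    return " ".join(value for rdn in cert.get("issuer", ()) for _, value in rdn)

def issued_at(cert):
    """Parse notBefore (e.g. 'Jun  1 00:00:00 2017 GMT') into an aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def needs_replacement(cert):
    """True when the issuer names a listed brand and issuance predates the cutoff."""
    brand_hit = any(b in issuer_text(cert).lower() for b in SYMANTEC_BRANDS)
    return brand_hit and issued_at(cert) < CUTOFF

def triage(inventory):
    """Return the sorted host names whose certificate should be replaced."""
    return sorted(h for h, cert in inventory.items() if needs_replacement(cert))

# Constructed sample inventory (hypothetical hosts and certificate fields).
SAMPLE = {
    "shop.example": {
        "issuer": ((("organizationName", "GeoTrust Inc."),), (("commonName", "RapidSSL SHA256 CA"),)),
        "notBefore": "Mar 14 00:00:00 2017 GMT",
    },
    "mail.example": {
        "issuer": ((("organizationName", "Symantec Corporation"),), (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "Nov 30 23:59:59 2017 GMT",
    },
    "new.example": {
        "issuer": ((("organizationName", "thawte, Inc."),), (("commonName", "thawte SSL CA - G2"),)),
        "notBefore": "Dec  1 00:00:00 2017 GMT",
    },
    "other.example": {
        "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example Trust CA"),)),
        "notBefore": "Jan  5 00:00:00 2016 GMT",
    },
}

if __name__ == "__main__":
    print("replace:", ", ".join(triage(SAMPLE)))
```

Hosts flagged this way still need their chain confirmed against the affected roots before replacement is scheduled.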
Comodo CA Research Findings
The Comodo CA testing was completed using a two-step process. The first step – completed on April 17, 2018 – revealed that 1.2 million certificates issued by Symantec had not been replaced. The second step – completed on May 4, 2018 – revealed that more than one million distrusted website certificates were still in use.
The findings of this testing demonstrate that the unreplaced certificates are a global issue. Of the one million websites still at risk, roughly 25 percent were based in Germany; 15 percent in the United States; 13 percent in the UK; 5 percent in China; and 6 percent in Japan, with several other countries at 5 percent and below.
Comodo CA released these results to help raise awareness of this issue among businesses, website operators, resellers and consumers worldwide.
About Comodo CA
A trusted advisor to enterprises globally for more than two decades, Comodo CA provides digital identity solutions for businesses of all sizes – protecting their employees, customers, intellectual property and overall brand – from damages caused by fraudsters impersonating people and devices.
As the largest commercial certificate authority with over 100 million SSL certificates issued worldwide, Comodo CA has the experience and performance to meet the growing need to secure transactions and help create online trust. For more information, visit ComodoCA.com.
# # #