
Endpoint

3/13/2018 02:30 PM
Zeus Kerravala
Commentary

Google 'Distrust Dates' Are Coming Fast

All the tools are in place for the migration of SSL digital certificates on a scale that is unprecedented for the certificate authority industry. Are you ready?

The deadline is fast approaching for organizations to replace Symantec-issued SSL digital certificates, spurred by a Google decision last year to gradually distrust, in Chrome, every certificate issued from Symantec's legacy CA infrastructure, after Symantec repeatedly failed to properly validate certificates before issuing them.

Symantec, at the time, characterized Google's claims as misleading and grossly exaggerated. The company claimed that only 127 certificates were identified as mis-issued and not 30,000. Symantec said that Google was singling it out for blame though the mis-issuance involved multiple certificate authorities (CAs).

Fast forward to today: Symantec certificate holders can now replace affected certificates through DigiCert in a process much like an ordinary renewal. The first of two distrust dates falls on Thursday, March 15, and security teams need to know how to handle the process. But first, a bit of history and context.

When an SSL (more precisely, TLS) certificate is installed on a Web server, the browser can verify that it is talking to the server the certificate names, and the TLS handshake that follows encrypts the connection. Users know this protection is in place because they see a padlock and the word "Secure" at the start of the URL line along with "https." To enable this, businesses need to obtain and install a certificate from a CA that the browsers trust. These certificates also need to be renewed and reinstalled periodically, typically every two to three years (the industry maximum was cut to 825 days on March 1, 2018), so certificate replacement is already a routine task, just not normally at this scale.

In early 2017, an issue was raised concerning a number of certificates issued by Symantec's SSL business, which operated several CAs under Symantec ownership with the brand names of VeriSign, Equifax, GeoTrust, Thawte, and RapidSSL. For a number of reasons, these certificates did not comply with the industry rules (the CA/Browser Forum Baseline Requirements) that browser root programs require CAs to follow. There was an investigation, and it concluded that Symantec had allowed a number of partner organizations to validate and issue certificates under its roots without the necessary oversight.

Google Steps In
The net result was that Google put a plan in place to distrust, over a period of time, all certificates chaining to the roots operated by Symantec and its subsidiaries. At the time, Symantec was the largest CA, and instead of making the necessary changes it decided to sell the business to the second-largest CA, DigiCert, in a deal that closed on October 31, 2017, making DigiCert the overwhelming market share leader.

Google's plans included three critical dates:

December 1, 2017: One month after the DigiCert/Symantec deal closed, validation and issuance of Symantec-branded certificates moved to DigiCert's own infrastructure. Certificates issued from that date onward chain to DigiCert-operated roots and are not subject to the distrust, and no changes were required by the customers of either company.

March 15, 2018: Chrome 66 beta will distrust all certificates issued from Symantec's legacy infrastructure prior to June 1, 2016. Around mid-April 2018, the general, or stable, release of Chrome 66 will show untrusted warnings for these certificates.

September 13, 2018: Chrome 70 beta will distrust all remaining certificates issued from Symantec's legacy infrastructure, regardless of issuance date. In October 2018, the general, or stable, release of Chrome 70 will show untrusted warnings for these certificates.

Companies that don't act will find that Chrome users connecting to their site are met with a full-page interstitial warning (the error code shown is NET::ERR_CERT_SYMANTEC_LEGACY) stating that the connection isn't secure. Note that this is a decision made by the browser: the certificate itself has not changed, and clients that have not adopted the distrust will keep accepting it. That may or may not be a problem, depending on the site, but it's often enough to scare people away and send them clicking elsewhere, so getting those certificates replaced in time is crucial.

A Headache for Big Business
Replacing the certificates isn't a big deal if you're a small business with one or two Web servers. However, for large companies with thousands of servers, this can be a huge headache. Certificates are also now being deployed on Internet of Things devices. Whether a device is affected depends on whether its TLS client enforces the same distrust, but any client that does will fail the handshake and stop communicating outright rather than fall back to an unencrypted connection, so device fleets need to be inventoried too.

To help its customers make this shift, DigiCert has made available a website checker that tells companies whether they need to take action. For example, if "Symantec.com" is entered into the tool, it warns that the certificate must be replaced before September 13, 2018. This simple tool lets customers quickly check which sites need new certificates and by when.
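The following Python script is an added example, not code from the article, Google or DigiCert. It applies the three dates above to a certificate the way Chrome's schedule does and reports the same kind of replacement deadline DigiCert's checker gives. Chrome actually recognises the legacy Symantec infrastructure by the hashes of specific root public keys and exempts a few independently operated sub-CAs; this script approximates that by the issuer's organizationName, using the brand names the article lists, which is a simplification and an assumption. The sample certificates are constructed in the shape Python's ssl.getpeercert() returns and are not real; fetch_peer_cert() can pull a live server's leaf certificate but is not needed for the samples.

```python
"""Approximate Chrome's Symantec distrust schedule for a server certificate.

Added example; not code from the article, Google or DigiCert. Chrome identifies
the legacy Symantec infrastructure by root public-key hashes (with a few
independently operated sub-CAs exempted); as a simplification this script keys
off the issuer's organizationName instead (assumption).
"""
import socket
import ssl
from datetime import datetime, timezone

# Organisation names used by the legacy Symantec-operated CAs (brands the article
# lists). Assumption: stands in for Chrome's list of legacy root key hashes.
LEGACY_SYMANTEC_ORGS = {
    "Symantec Corporation",
    "VeriSign, Inc.",
    "GeoTrust Inc.",
    "thawte, Inc.",
    "Equifax",
}

# Chrome 66 distrusts legacy-infrastructure certificates issued before this date;
# Chrome 70 distrusts all of them regardless of date.
PHASE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def parse_cert_time(value):
    """Convert a getpeercert() date string ("Jun  1 00:00:00 2016 GMT") to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def rdn_value(name, attr):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def chrome_status(issuer_org, not_before, chrome_version):
    """Return 'trusted' or 'distrusted' for the given Chrome major version."""
    if issuer_org not in LEGACY_SYMANTEC_ORGS:
        # Chains to a non-legacy root, e.g. certificates DigiCert issued for the
        # Symantec brands on or after December 1, 2017.
        return "trusted"
    if chrome_version >= 70:
        return "distrusted"  # phase two: full distrust
    if chrome_version >= 66 and not_before < PHASE1_CUTOFF:
        return "distrusted"  # phase one: issued before June 1, 2016
    return "trusted"


def replacement_deadline(cert):
    """Mirror the DigiCert checker: which date, if any, forces replacement."""
    issuer_org = rdn_value(cert["issuer"], "organizationName")
    not_before = parse_cert_time(cert["notBefore"])
    if chrome_status(issuer_org, not_before, 66) == "distrusted":
        return "replace before March 15, 2018 (Chrome 66)"
    if chrome_status(issuer_org, not_before, 70) == "distrusted":
        return "replace before September 13, 2018 (Chrome 70)"
    return "no action needed"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate as a getpeercert() dict.

    Python verifies against the local OpenSSL/OS trust store, not Chrome's
    policy, so this succeeds even for certificates Chrome will reject.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real certificates.
SAMPLE_CERTS = {
    "legacy, issued March 2016": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "Mar  1 00:00:00 2016 GMT",
        "notAfter": "Mar  1 23:59:59 2019 GMT",
    },
    "legacy, issued June 2017": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "thawte, Inc."),),
                   (("commonName", "thawte SSL CA - G2"),)),
        "notBefore": "Jun 15 00:00:00 2017 GMT",
        "notAfter": "Jun 15 23:59:59 2019 GMT",
    },
    "reissued by DigiCert, January 2018": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "DigiCert Inc"),),
                   (("commonName", "DigiCert SHA2 Secure Server CA"),)),
        "notBefore": "Jan 10 00:00:00 2018 GMT",
        "notAfter": "Jan 10 23:59:59 2020 GMT",
    },
}

if __name__ == "__main__":
    import sys
    for label, cert in SAMPLE_CERTS.items():
        print(f"{label}: {replacement_deadline(cert)}")
    for host in sys.argv[1:]:  # optional live checks, e.g. symantec.com
        print(f"{host}: {replacement_deadline(fetch_peer_cert(host))}")
```

Run it with no arguments to see the three constructed cases, or pass hostnames to check live servers. The point worth remembering is the caveat in fetch_peer_cert(): a successful TLS handshake from your own tooling proves nothing about Chrome, because the distrust lives in the browser's policy, not in the certificate; it is the issuer and notBefore logic that tells you which deadline applies.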

DigiCert also has greatly simplified the process of procuring the certificates. What used to be a cumbersome set of tasks now takes a couple of clicks to reissue a certificate from DigiCert's infrastructure. For companies that automate certificate management, including through the APIs DigiCert offers, even those clicks can be removed from the equation entirely.

In conversations with a number of customers, I've learned that these automation tools have been a huge time saver, with companies now able to upgrade all their servers in a fraction of the time it previously took. It's important to note that SSL certificates are now being used on IoT devices as a way of encrypting the traffic to and from them, so many organizations should expect the number of certificates they need to manage to grow sharply.

One other important consideration: While most Web users won't notice warnings until the April stable release of Chrome, I recommend that organizations upgrade their affected certificates now. Domains and organizations need to be validated before DigiCert can issue the certificate, and delays by customers can sometimes cost them a couple of days in getting their certificates. There's actually no reason not to upgrade the ones affected by the September date either. Not getting it done in time will mean that when customers access the business website, they will be greeted with a Chrome security warning and that could drive them to a competitor.

In truth, a migration of this magnitude, which is unprecedented in the CA industry, could have been a disaster. Given that the acquisition of the Symantec CA business was only completed at the end of October 2017, DigiCert has done a remarkable job in consolidating the platforms and support organizations. All the tools are now there for customers to ensure that their Web servers won't have a problem, so the ball is now in the court of security teams. The Google distrust dates are coming fast. Are you ready?

Zeus Kerravala provides a mix of tactical advice and long term strategic advice to help his clients in the current business climate. Kerravala provides research and advice to the following constituents: end user IT and network managers, vendors of IT hardware, software and ...