Google has lost trust in Symantec SSL certificates, which account for a third of SSL certificates across the web. I explain why, and what you should do if you’re affected.
Good afternoon RocketMill, this is my first presentation as part of Forefront, so let’s get our very best game show ‘oohs’ and ‘aahs’ going on. We have new graphics. We have a new set. I have a new flower…which, reading the room, was a bad idea. But we still have the same old technical SEO head pontificating for the next 10 minutes, so I apologise in advance.
Now, to today’s main topic, which is ‘Symantec SSL certificates: Do browsers trust your ‘secure’ site?’
Google has lost trust in a third of SSL certificates. Now, to give you an idea of what that means, I’d like to take this mumbo-jumbo technical language out of context and imagine a hypothetical scenario in which the UK votes to leave the EU. Unrealistic, I know. Ironically, notice this sticker is on the back of a Volvo, made in Sweden, but there we go.
Just imagine this hypothetical scenario and extend it to say that France stopped respecting any driving licence issued by the DVLA. They decide that, actually, if you’re a holidaymaker, you have to pass a driving test in France before you are allowed to panic about priorité à droite.
This is pretty much what happened last year, because browsers lost trust in Symantec, who have issued roughly one in three SSL certificates on the web. Google Chrome has announced that it is going to remove trust in Symantec SSL certificates, and Mozilla Firefox, another popular browser, has followed suit.
If you don’t know your SSL from your BLT, here is a beginner’s guide to SSL certificates. I’m going to cover what one is, how they work and, crucially, who is allowed to issue them.
SSL stands for ‘secure sockets layer’, which is a security technology on the web. An SSL certificate, also known as a digital certificate, is something you would install on your web server to authenticate your site and prove it is legitimate and not a dodgy lookalike.
You buy it, you install it, and it works until the expiry date of the certificate, just like a domain name expires, or indeed, a sandwich.
This activates HTTPS, which allows secure, encrypted communication between your web server, which hosts the web site, and your browser, which is the software on your computer which requests the web pages on that site.
Now, to protect web users, browsers only trust SSL certificates issued by trusted certificate authorities, or CAs. Popular CAs include Comodo, DigiCert, Let’s Encrypt, and right about there, Symantec, who are actually behind the scenes on four of these brands: Symantec itself, GeoTrust, RapidSSL and Thawte. That’s the important thing, because browsers have lost trust in all Symantec SSL certificates that were issued during a set period. The reason being that Symantec were alleged to have broken industry rules and mis-issued some SSL certificates.
Symantec acknowledges that a former partner business issued certificates without proper domain ownership verification, and it says there were 127 cases where this happened, and that these did not harm any consumers. However, Google reckons the number is rather bigger. In fact, they say there are at least 30,000 certificates which were issued over several years by Symantec partners. Symantec disputes the number, but Google is sticking to its guns and distrusting them anyway.
What is going to happen to Symantec SSL certificates? First things first, this had a business implication: DigiCert basically bought Symantec’s web security arm and has now taken responsibility for issuing Symantec certificates in their name, but it’s DigiCert behind the scenes.
Google Chrome is going ahead and removing trust in all Symantec certificates this year, I’ll tell you the schedule shortly, with Mozilla Firefox sticking to the same schedule for the benefit of web site owners. Basically, so that site owners don’t have to work to differing time scales depending on the browser.
This is going to affect sites using Symantec SSL certificates or, indeed, referencing third-party services secured by Symantec.
It’s going to start in March 2018 with the launch of Chrome version 66, and it’s going to end in September with the launch of Chrome 70, with the exact date depending on when the certificate was purchased.
What will happen if your web site uses a Symantec SSL certificate? In a nutshell, browsers are going to block users from accessing your content, decimating your traffic, or they will block features of your page.
This is what will happen in Google Chrome. It will interrupt the user with a full-page warning message, a lot like this one. The user will have to jump through hoops to access the page, and frankly, 99.9% recurring aren’t going to bother. They’re not going to risk it. Your traffic’s going to plummet, and your rankings are likely to follow.
You’ll get a very similar message in Firefox. It will also interrupt the user with a full-screen interstitial.
Now, if you reference third-party code which is served from, or itself references, an affected URL; so if you have a plugin or a tracking code on your site that is secured with an SSL certificate issued by Symantec during the set periods, then browsers are probably going to block it from working, and that will make your page incomplete.
Now, in the unlikely event the user wants to run the script anyway, it will be treated as mixed content and you’ll get a message a bit like this one, where you get a cross through the ‘HTTPS’ in the address bar. Your page will no longer be completely secure.
It’s crucial to get ahead of these changes and check your site for affected Symantec SSL certificates. Here is how to check your SSL certificate providers.
One of the first ways to do so is to use a third-party tool, this is SSLChecker, to view your certificate chain. This shows the layering in which certificates are issued. It will show you who you have secured your site with and who underwrites their certificates, in effect. If you see GeoTrust, RapidSSL, Symantec, or Thawte, there’s a good chance you need to act if you haven’t updated your certificate very recently. Here are a couple of other tools which work in exactly the same way. Just type in your domain and it will show you your certificate chain. One from SSL Shopper and one from DigiCert themselves.
Alternatively, if you are running an up-to-date version of Google Chrome, the web browser, it is going to inject details of affected SSL certificates into the console log, which is a bit like a scribble pad for web developers. It’s a place for them to effectively ask for feedback from the browser about the page.
If you go to your site in Chrome and hit Control-Shift-I if you’re on Windows or Command-Shift-I on a Mac, you’ll get a list of affected certificates in the console. You can see I’ve run this on rocketmill.co.uk and we are affected. About a third of the web is, so this is nothing to be worried about. You are not in isolation, but you do need to act.
Importantly, if you look there, it doesn’t only affect your first-party certificates, i.e., the one we’ve used to secure rocketmill.co.uk. If you are using ad networks, analytics, remarketing, live chat, sharing plugins, reviews – this is not an exhaustive list by any means – popular services which have secured their URLs using Symantec SSL certificates from this period could affect your security. So you need to make sure you audit your site for these, make sure these services are updating their SSL certificates, encourage them to do so, and if they don’t do so, potentially remove their code.
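The check above can be scripted as well. This is an added example, not part of the talk or any of the tools it mentions: it takes a leaf certificate in the shape Python’s `ssl.getpeercert()` returns, looks for the Symantec-owned brands in the issuer name, and maps the issue date onto Chrome’s two distrust milestones. The cut-off dates (1 June 2016 for Chrome 66, 1 December 2017 for Chrome 70) are from Google’s published plan rather than from the talk, and the sample certificate dictionary is constructed, not a real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brands the talk names as sitting on Symantec's legacy roots, plus VeriSign,
# whose certificate business Symantec acquired (the VeriSign name still appears
# in many Symantec-era root and intermediate names).
SYMANTEC_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte", "verisign")

# Chrome's published cut-offs (not stated in the talk): Symantec-rooted certificates
# issued before 1 June 2016 are distrusted from Chrome 66; anything issued before
# 1 December 2017, when DigiCert's infrastructure took over issuance, from Chrome 70.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
CHROME_70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)


def _name_to_dict(rdns):
    """Flatten getpeercert()'s tuple-of-RDN-tuples into {attribute: value}."""
    return {key: value for rdn in rdns for key, value in rdn}


def classify(cert):
    """Return a short verdict on when Chrome stops trusting this leaf certificate."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    name = " ".join([issuer.get("organizationName", ""), issuer.get("commonName", "")]).lower()
    if not any(brand in name for brand in SYMANTEC_BRANDS):
        return "not Symantec-issued"
    # notBefore is the issue date, e.g. "Mar  3 00:00:00 2017 GMT"
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < CHROME_66_CUTOFF:
        return "distrusted from Chrome 66 (March 2018)"
    if issued < CHROME_70_CUTOFF:
        return "distrusted from Chrome 70 (September 2018)"
    return "issued after DigiCert took over; trusted"


def fetch_cert(host, port=443):
    """Live helper (needs network): fetch a host's leaf certificate for classify()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Mar  3 00:00:00 2017 GMT",
    "notAfter": "Mar  3 23:59:59 2019 GMT",
}
```

Run `classify(fetch_cert("example.com"))` against your own hostname to check a live site; note this only inspects the first-party certificate, so third-party scripts still need checking by their own hostnames.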
To summarise, what should you do if your web site is affected? If you are affected by Google Chrome and Firefox distrusting older Symantec SSL certificates, first things first, if you are using a first-party certificate to secure your site, you can, if you want to, just renew your SSL certificate now. It will be issued on DigiCert’s infrastructure, and browsers will then trust the certificate until its expiry date. Or you can choose to replace your SSL certificate with a new issue from a different certificate authority, one that’s trusted by popular browsers. Up to you if you fancy a clean slate.
Alternatively, if you are including a third-party code snippet, you need to find out whether the provider is aware of these changes, they definitely should be, and what they plan to do about it. If they’re in the dark, or if they have no plans to update before the deadlines, you need to consider removing the code from the site, or at least know the implications if you don’t.
Hopefully that’s all clear, and if you need any further help, we’re on hand. Thank you.