
In two months thousands of websites will prompt warning messages in Google Chrome

by Jason Smith on 7th February 2018

Google Chrome 66 is scheduled for release on 17th April this year, and from that version Chrome will display an ‘unsafe’ warning to anyone visiting a website whose HTTPS certificate was issued by Symantec’s legacy infrastructure before 1st June 2016.

Google Chrome currently has a global browser market share of 56.31%.

A security engineer who works for Airbnb tested the likely impact of the Chrome update and found that of Alexa’s top 1 million websites, 11,510 will display an ‘unsafe’ message from 17th April.

The list includes websites like Tesla.com, Brita.com and aer.gov.au.

The measure will apply to all Certificate Authorities operating under Symantec’s infrastructure, including Thawte, Verisign, Equifax, GeoTrust and RapidSSL.
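The Airbnb scan described above boils down to one check per site: does the certificate chain to Symantec’s legacy PKI, and was it issued before the 1st June 2016 cut-off? The script below is an added example, not code from the article or from the Airbnb scan, showing that check on certificates in the shape Python’s `ssl.getpeercert()` returns. The sample certificates are constructed for illustration, and matching on the issuer’s `organizationName` (Symantec, VeriSign, Thawte, GeoTrust, Equifax) is an assumed heuristic; Chrome itself matches on the public-key hashes of specific legacy roots, not on names, and exempts a small set of independently operated sub-CAs, so a name match is a triage signal rather than the final word.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed heuristic: organizationName values seen on issuers under Symantec's
# legacy PKI (the brands named in the article). Chrome's real test is a match
# against the legacy roots' public-key hashes, so treat a hit here as "check
# the full chain", not as proof.
LEGACY_SYMANTEC_ORGS = {
    "symantec corporation",
    "verisign, inc.",
    "thawte, inc.",
    "geotrust inc.",
    "equifax",
    "equifax secure inc.",
}

# Chrome 66 cut-off from the article: certificates issued before 1 June 2016.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def not_before(cert):
    """Parse notBefore ('Jun  1 00:00:00 2016 GMT') into a timezone-aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(cert):
    """Classify one leaf certificate against the Chrome distrust schedule.

    'distrusted_in_66': legacy Symantec issuer and issued before 1 June 2016
    'distrusted_later': legacy Symantec issuer, issued on/after the cut-off
                        (hit by the full distrust later in Google's timeline)
    'unaffected':       issuer not under Symantec's legacy PKI
    """
    org = issuer_org(cert)
    if org is None or org.lower() not in LEGACY_SYMANTEC_ORGS:
        return "unaffected"
    # "Before" is strict: a certificate issued at exactly 00:00:00 on 1 June
    # 2016 is not caught by Chrome 66.
    if not_before(cert) < CHROME66_CUTOFF:
        return "distrusted_in_66"
    return "distrusted_later"


def scan(certs_by_host):
    """Summarise a {hostname: cert_dict} mapping, as a top-N site scan would."""
    summary = {"distrusted_in_66": [], "distrusted_later": [], "unaffected": []}
    for host, cert in sorted(certs_by_host.items()):
        summary[classify(cert)].append(host)
    return summary


def fetch_leaf(hostname, port=443, timeout=5):
    """Fetch a live host's leaf certificate (online use only; not run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns.
# These are not real certificates from any site named in the article.
SAMPLE_CERTS = {
    "old-legacy.example": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Example Intermediate CA"),)),
        "notBefore": "Mar  3 00:00:00 2016 GMT",
        "notAfter": "Mar  3 23:59:59 2019 GMT",
    },
    "cutoff-day.example": {
        "issuer": ((("organizationName", "GeoTrust Inc."),),
                   (("commonName", "Example RapidSSL Intermediate"),)),
        "notBefore": "Jun  1 00:00:00 2016 GMT",
        "notAfter": "Jun  1 23:59:59 2018 GMT",
    },
    "other-ca.example": {
        "issuer": ((("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Server CA"),)),
        "notBefore": "Jan  5 09:34:43 2015 GMT",
        "notAfter": "Jan  5 09:34:43 2018 GMT",
    },
}

if __name__ == "__main__":
    for bucket, hosts in scan(SAMPLE_CERTS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

To run it against a real site, replace the sample dict with `{host: fetch_leaf(host)}`; note that `getpeercert()` only returns the leaf, so a positive hit should be confirmed by walking the served chain to its root.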

The warning message will highlight that a website’s security certificate isn’t trusted and will require the user to click a ‘proceed’ button to continue navigating through to the website.

The update is a direct consequence of a very public dispute between Symantec and Google. Google’s blog post of September 2017 described the decision as “part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure.”

Symantec ‘objected’ to Google’s initial announcement about its loss of confidence in their infrastructure in a blog post published on 24th March, 2017.

They stated “We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.”

The post goes on to describe Google’s figures on mis-issuance as ‘misleading’ and ‘exaggerated’: Symantec contends that only 127 certificates, not the 30,000 reported by Google, were mis-issued.

Google’s latest announcement on the matter provides a timeline detailing the extent to which Symantec’s old infrastructure will become distrusted as new browser updates are released.

Mozilla announced similar measures for Firefox in a statement on 31st October and, in the wake of the dispute, Symantec has sold its PKI business to DigiCert.

Symantec has confirmed that DigiCert took over issuance from 1st December 2017. Certificates issued by DigiCert’s infrastructure from that date are not affected; certificates issued by Symantec’s old infrastructure before it, including those issued on or after 1st June 2016, will be distrusted by a later Chrome release on the timeline in Google’s announcement.

Overall, the development speaks to Google’s power to not only cause seismic shifts in the internal processes of companies large and small alike, but also their ownership.