As you might have seen from recent news headlines, Google Chrome has announced a proposal to deprecate certain Symantec certificates. This proposed update may potentially affect certificates issued by Symantec, Thawte, and Geotrust and would have a considerable impact on customers using such certificates.
Google Chrome has recently identified a series of failures by Symantec to properly validate certificates, and in a Google Groups post, Ryan Sleevi from Google announced Google’s intent to take the following steps relating to the Chrome browser:
- Reduce the maximum accepted validity period of newly-issued Symantec certificates to 9 months or less
- Implement a gradual distrust in Chrome browser of all current Symantec-issued certificates, requiring the certificates to be replaced with new certificates before the original would expire
- Removal of recognition of the EV (Extended Validation) status of Symantec EV certificates for at least one year
Symantec’s response to the proposal and a public discussion may be found here.
Since Google Chrome has a majority of the browser market, this may have a significant impact on the industry. If you currently have Symantec certificates, you may have to frequently rotate certificates since the maximum accepted validity period will be reduced to nine months or less. Symantec certificates will also not have the benefit of showing the organization’s name in green for at least one year, a feature that is available in Chrome for EV certificates.
Google plans to methodically shrink the “maximum age” of Symantec certs over the course of several Chrome releases. Beginning with Chrome 64, all existing Symantec certificates will be assigned a validity period of 9 months moving forward. Chrome 64 is slated for early 2018. Beginning with Chrome 61, new Symantec certificates will have a maximum duration of 9 months. The proposed schedule to reduce trust in existing Symantec certificates is as follows:
If and when Google delivers on its intentions, enterprises with Symantec certificates will be forced to rotate those certificates every nine months. While Symantec may address the cost issues, rotating certificates imposes administrative burdens and risks on customers. If an administrator makes a mistake when rotating certificates, transactions may be interrupted. And consumers using Chrome will not have the reassurance of an organization’s name displaying in green for at least a year.
As the world’s #1 Certificate Authority, we recognize the burden that this change may impose and are working to ease that burden. Comodo, in conjunction with partners, is launching a program to provide an equivalent certificate that includes one year free for all existing Symantec, Thawte and GeoTrust certificates. If you are an Enterprise or utilize the Symantec MPKI platform, please get in touch with us to discuss the replacement program with you. If you previously purchased a Symantec certificate from your Webhost or Domain Name registrar, they may be in a position to offer you a replacement Comodo certificate. To explore your options, you can visit this webpage to learn about the status of your certificates as well as contact us at email@example.com or call 1-855-478-7740.