Mozilla Delays Distrust of Symantec Certificates
12.10.2018 securityweek
Security

Mozilla this week announced that the distrust of older Symantec certificates, initially planned for Firefox 63, will be delayed.

Following a long series of problems regarding the wrongful issuance of certificates issued by the Certification Authority (CA) run by Symantec, one of the oldest and largest CAs, browser makers have decided to remove trust in all Symantec-issued certificates before the end of this year.

Both Google and Mozilla said they would gradually remove trust in all TLS/SSL certificates issed by Symantec. Google, which removed trust in certificates that Symantec issued before June 1, 2016, with the release of Chrome 66 in April, wants to remove trust in all Symantec certificates in Chrome 70.

Mozilla was aiming at making a similar move in October 2018, with the release of Firefox 63, but now says it has decided to delay the distrust plans. The browser is currently only warning users when encountering a website that uses a Symantec-issued certificate.

According to the browser maker, it took this decision after learning that well over 1% of the top 1,000,000 websites still use Symantec certificates, meaning that impact on users would be much greater than initially anticipated.

Last year, Symantec sold its CA business to DigiCert, which immediately started issuing new certificates to replace those issued by Symantec. In March, DigiCert said it had replaced most of the Symantec-issued certificates and that less than 1% of the top 1 million websites hadn’t made the switch yet.

As it turns out, many popular sites are still using Symantec certificates, apparently unaware of the planned distrust. Others, Mozilla says, are likely waiting until Chrome 70 arrives on October 23 to finally replace their Symantec certificates.

“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free,” Mozilla’s Wayne Thayer notes.

He says that Mozilla is well aware of the additional risk caused by a delay in the implementation of the distrust plan, but also points out that the delay is in the best interest of Firefox users, given the current situation.

The distrust, however, continues to be planned for later this year, when more sites have replaced their Symantec TLS certificates. Firefox 63 Nightly is already distrusting Symantec-issued certificates, but the change won’t be implemented in Firefox 63 Beta, but Firefox 64 Beta instead.

“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them,” Thayer concludes.