Chrome 70 Update: HTTPS Site Security and the Full Symantec Distrust

Zac Heinrichs

As of October 17, 2018, Google has released Chrome 70, and with it, they have once again increased their security warnings for sites that are not fully secured with HTTPS. The language used by the browser has also become increasingly severe over the last couple of years:

Google Chrome HTTPS warning

Attackers are going to trick you!

One of the most specific targets of these new security warnings has to do with a company called Symantec. From the Google Online Security blog:

“[U]sers will start to see full screen interstitials on sites which still use certificates issued by the Legacy Symantec PKI. Initially this change will reach a small percentage of users, and then slowly scale up to 100% over the next several weeks.”

Chrome has been planning this deprecation of trust in Symantec security certificates for more than a year now, thanks to some shady practices that compromised users’ security when they visited apparently secure, trusted sites. From the Google Online Security blog’s ominously titled Chrome’s Plan to Distrust Symantec Certificates:

“On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.”

Apparently, Symantec certificates were being handed out by Symantec’s authorized partners like they were Halloween candy…

What do we do about Chrome 70’s Symantec Distrust?

The chances are slim that we have any clients that are using the affected Symantec HTTPS certificates. After all, this has been a known, impending change for some time and competent site operators have already updated their SSL certificates well in advance. But, there is no reason to leave it to chance and just assume that everything is OK on the sites we care about.
Checking for the deprecated Certificate Authorities (CAs) is a pretty simple task that only requires a few clicks per website. Here at Portent, we put together a small team to run through our entire book of clients and took the following steps:

Check your SSL Certificate Authority

  1. Launch Chrome
  2. Go to the website you want to check
  3. Click on the lock next to the URL in the browser bar

    click the lock in the Chrome 70 browser bar

  4. Check to see if the certificate is valid and click on ‘Certificate’

    click on certificate in the info panel

  5. See who shows up in the ‘Issued by’

    check the issuer of the security certificate

If you are already running Chrome 70, and you find an offending site, there’s a chance you’ll get to see the full-screen interstitial mentioned earlier. That’ll make the check process a lot faster.
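The same ‘Issued by’ check, scripted so it can be run over a whole client list instead of one site at a time. This is an added example, not code from the original post or a Portent tool; it uses only Python’s standard ssl module, the brand list comes from the Google quote above, and a brand-name match only flags a site for the manual check in Chrome, because the browser decides on the chain’s root, not on the name printed in the issuer field.

```python
import socket
import ssl

# Brand names the post lists as operating under the legacy Symantec PKI.
LEGACY_SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")


def flatten_name(name):
    """Collapse the nested RDN tuples from ssl.getpeercert() into a flat dict."""
    return {attr: value for rdn in name for (attr, value) in rdn}


def issuer_flags(cert):
    """Return the issuer's O and CN, plus any legacy Symantec brand named in them.

    `cert` has the dict shape returned by SSLSocket.getpeercert().
    """
    issuer = flatten_name(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    haystack = f"{org} {cn}".lower()
    return {
        "organization": org,
        "common_name": cn,
        "legacy_brand": [b for b in LEGACY_SYMANTEC_BRANDS if b in haystack],
    }


def check_host(hostname, port=443, timeout=5.0):
    """Connect with default verification (step 4) and read the issuer (step 5)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result = issuer_flags(tls.getpeercert())
                result.update(hostname=hostname, verified=True)
                return result
    except (ssl.SSLError, OSError) as exc:
        # Expired, misnamed or untrusted certificates land here, as do hosts with no TLS.
        return {"hostname": hostname, "verified": False, "error": str(exc)}


# Constructed sample in getpeercert() format, standing in for a live connection.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
}
```

Call `check_host()` once per hostname in your list; anything that comes back with `verified` set to False is one of the “unsecured on HTTPS for varying reasons” cases and needs a look regardless of who issued the certificate.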

Alas, and huzzah, none of our clients are using a legacy Symantec SSL certificate!

There are, however, a handful of sites that are on HTTP or are unsecured on HTTPS for varying reasons. For anyone who has yet to migrate to HTTPS or has had trouble doing so, our Development Architect Andy Schaff put together a comprehensive guide to make the switch to HTTPS.

Security is a Ranking Factor

So, why bother checking for a valid SSL certificate on our clients’ sites?

Well, first off, HTTPS is a ranking factor, and has been going all the way back to 2014. It started as a tie-breaker between otherwise equally ranking sites; now it’s even part of the Google Search Quality Evaluator Guidelines (my emphasis added):

Low quality pages often lack an appropriate level of (Expertise, Authoritativeness, or Trustworthiness) E-A-T for the purpose of the page. [For example the] MC [Main Content] is not trustworthy, e.g. a shopping checkout page that has an insecure connection.

Secondly, if not us, then who? We can’t afford to leave anything to assumption and chance. By checking in on the little things that matter, we can prove that we care about the well-being of each of our clients; it’s one less thing that they have to worry about. After all, that’s why we’re here.
