Google to Update Trusted HTTPS Certificates


Feb 11th


HTTPS

Hundreds of thousands of sites will find that they have essentially been “blacklisted” as unsafe in Google Chrome if they do not switch to a new “trusted” HTTPS certificate before mid-April arrives.

Last September, Google decided to stop trusting Symantec-issued TLS/SSL certificates. In the coming months, Google Chrome users visiting sites that have a certificate from the cybersecurity firm issued either before the 1st of June 2016 or after the 1st of December 2017 will be shown a red warning that, one, their connection is not private and, two, a hacker may be able to steal their data. The user will be able to bypass the warning by clicking a button to get through to the site.

Any certificate whose trust is rooted in Symantec, even when it was issued through a middleman organization, will not pass the new standards. One big cybersecurity firm that hands out these Symantec-based certificates is RapidSSL, and all of its certs issued during the time frame that Google has announced will be affected by the change.

And while not every internet user will be using Chrome, and not every user will get the next patch straight away, a lot of sites are still going to be affected, as Chrome is a very popular browser and the auto-update function for Chrome has been working quite well for me. Sites need to get their new HTTPS certificates as soon as possible, unless they want their users who use Chrome to be blasted by this big red warning every time they click on a new link on their site.

Now surely you may be thinking that there is no way you’d have to warn the “big dogs” of the internet to be on top of all this, right? Well, Arkadiy Tetelman, an Airbnb security engineer, decided to answer the question for us all. He ran a script, which took 11 whole hours to run, and it gave us a very interesting answer. The script grabbed certificate information from the top million sites on the internet, as ranked by Alexa by measured traffic, to see which sites, and how many, would be affected by the new Chrome changes.

And let’s just say that there are going to be a lot of unhappy users when mid-April comes around if these people do not get their sites fixed. But I think some people should be a little more upset at Symantec here. They messed up and played with the trust of their own product by giving certificates to sites that did not deserve them, and they also caused their own death by incorrectly issuing the cert for google.com. Way to end your company’s own game. So essentially, get your site checked if you run a website, and better yet, if you need a cert, there are free ones. Just get it done.
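A site owner can run the same kind of check on their own certificates. The sketch below is an added example, not Tetelman's script: it classifies a certificate against the two issuance dates given above, and it assumes that a Symantec-based certificate can be recognised by an issuer name containing "Symantec" or "RapidSSL" (a heuristic; the hostnames and issuer names in the sample data are constructed).

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer names the article mentions. Matching on the issuer name is this
# example's assumption; a full audit would walk the chain to its root.
SYMANTEC_MARKERS = ("symantec", "rapidssl")
CUTOFF_EARLY = datetime(2016, 6, 1, tzinfo=timezone.utc)   # issued earlier: warned
CUTOFF_LATE = datetime(2017, 12, 1, tzinfo=timezone.utc)   # issued later: warned

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live site's leaf certificate as an ssl.getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify(cert):
    """Return 'not-symantec', 'warned' or 'outside-announced-dates'."""
    issuer = " ".join(v for rdn in cert.get("issuer", ()) for _k, v in rdn).lower()
    if not any(marker in issuer for marker in SYMANTEC_MARKERS):
        return "not-symantec"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < CUTOFF_EARLY or issued > CUTOFF_LATE:
        return "warned"
    return "outside-announced-dates"

def _cert(org, not_before):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}

# Constructed sample data: hostnames and issuer names are made up.
SAMPLE = {
    "shop.example": _cert("Constructed Symantec CA", "May 10 00:00:00 2016 GMT"),
    "blog.example": _cert("Constructed RapidSSL CA", "Jan 15 00:00:00 2017 GMT"),
    "mail.example": _cert("Constructed RapidSSL CA", "Dec  5 00:00:00 2017 GMT"),
    "docs.example": _cert("Constructed Other CA", "Feb  1 00:00:00 2018 GMT"),
}

def audit(certs):
    """Map each host to its classification, e.g. audit(SAMPLE)."""
    return {host: classify(cert) for host, cert in certs.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:14} {verdict}")
```

For a live site, pass the result of `fetch_cert("your-domain")` to `classify`; a "warned" result means the chain should be inspected and the certificate replaced.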

© 2006-2018 Security magazine.