The Death of Symantec’s Digital Certificate Business

Certificate Authentication is a serious business; it is a business entity that keeps the trust-based digital certificate system secure. The very foundation of the encryption standard in the web we have today. One wrong move and the certificate authority loses the business and exits the digital certificate market, no exemptions. Following the demise of the user to be a popular certificate authority, DigiNotar in Sep 2011, Symantec is exiting the TLS certificate business due to its exposed shady practices.

Symantec sells digital certificate under the brand: Symantec, RapidSSL, Geotrust, and Thawte. Its business establishment will be defunct in favor of the highly trusted certificate authority: Digicert. The pressure comes from the top two browsers: Google Chrome and Mozilla Firefox, starting October 2018, all digital certificate issued under the brands: Symantec, RapidSSL, Geotrust, and Thawte will be denied by the two browsers mentioned.

“Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016, that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017. This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates. As previously stated, DigiCert’s acquisition of Symantec’s Certification Authority has not changed these plans,” explained Wayne Thayer, the Certificate Authority Program Manager at Mozilla in their official blog.

“The next phase of the consensus plan is to distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued (note that there is a small exception for TLS certificates issued by a few intermediate certificates that are managed by certain companies, and this phase does not affect S/MIME certificates). This change is scheduled for Firefox 63, with the following planned release dates: Beta – September 5, Release – October 23,” Thayer further explained.

Mozilla has warned site owners to not force the issue of keeping Symantec certificates, as Firefox will no longer trust it. Users will never be able to visit sites with an invalid digital certificate, hence literally canceling web traffic for the site questioned.

Google in their part has done the same thing, endorsing the same actions against Symantec-issue certificates: “Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above. To check if your certificate will be affected, visit your site in Chrome today and open up DevTools. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018,” said a Google Chrome engineer in the Chromium official blog.

Digicert, being the successor for Symantec has been sympathetic to Symantec’s customers and expressed willingness to help with the transition: “DigiCert has offered free replacements for holders of affected certificates, which extends trust on DigiCert roots through the end of the original validity period. We have been working hard to make sure customers are informed and have the tools necessary to keep trust in their certificate deployments. As of today, the large majority of affected customers have taken corrective action and will enjoy continued trust in their HTTPS operations without interruption.”