Choices You Need To Make If You Use Symantec Certificates


With online retailers soon locking down their code for the upcoming holiday season, one thing they surely will want to guarantee is shoppers aren’t discouraged from visiting their site. But that could be the case depending on who their digital certificate vendor is.

Doug Beattie, vice president of product management, GlobalSign, took time to speak with RetailITInsights.com about Symantec’s problems with Google and the impact to retailers who are Symantec customers.

Q: Why is Google distrusting Symantec certificates?

Beattie: Back in 2015, Google engineers discovered Symantec accidentally mis-issued 127 Secure Socket Layer (SSL) certificates. These certificates ensure that websites are secure. Then again in March of this year, Google revealed further investigations uncovered more problems for Symantec, alleging the company had mis-issued more than 30,000 certificates.

The situation became more complex in August when Symantec announced it was selling its web certificate business to Digicert. The result is that by December 1, all newly issued Symantec branded SSL certificates (Symantec, GeoTrust, Thawte, and RapidSSL) must be issued under a new PKI with new organizational and domain validations performed by non-Symantec employees.

Q: What do retailer that have Symantec certificates need to do?

Beattie: Retailers should get their certificates updated and installed now, before the holiday shopping season kicks in and have all organization and domain information revalidated by DigiCert prior to December 1. Revalidating all enterprises and their domains within a few months would be a large task for anyone, but for a smaller CA like DigiCert it could pose even more of a challenge. As a result, some customers could experience delays. The Symantec-Digicert deal is not expected to be final until the third quarter of fiscal 2018.

Q: What else should retailers do to keep their websites secure and not disrupt business?

Beattie: They’ll need to be certain their site is secure and they have a certificate that is valid well into 2018 (something they should always be on top of anyway). But with these new concerns around Symantec certificates, they will need to pay very close attention, especially if past experience indicates they may need some additional certificates to scale up for the shopping season.

Retailers should also be aware that Google Chrome will soon begin display warning messages when http pages load that request passwords and credit card information, so now it’s even more important to be sure all sites are secured. Be sure to check security of your site and TLS settings (you can do this at https://globalsign.ssllabs.com/).

Q: How can retailers limit the impact to holiday business and what should they to do if they want to switch to another certificate provider?

Beattie: Taking the appropriate proactive steps to avoid unpleasant issues down the road makes sense. To that end, now is a good time for retailers using Symantec certificates to take a close look at the changes and have a backup plan for certificates in the event not all of their information can be revalidated prior to December 1.

Other Certificate Authority’s (CAs), such as GlobalSign, can assist retailers looking to make the switch to another certificate provider as soon as possible. With just a day or two lead time, your account can be configured and ready to be used.

Q: What are other key dates retailers should keep their eye on?

Beattie: Following are the dates that Google has most recently published. For more details visit: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html?m=1.

  • December 1, 2017: The existing Symantec PKI will cease operation and a new PKI structure will be put in place by DigiCert to issue Symantec branded certificates.
  • April, 2018: Google releases Chrome 66. With that version, Chrome will show SSL certificate errors for all Symantec certificates issued before June 1, 2016.
  • October 23, 2018: Chrome 70 is released to Stable. Google Chrome and Mozilla will distrust all certificates issued by Symantec's old infrastructure, including those issued up until December 1st, 2017. All Symantec certificates must be issued from the new infrastructure or they will not be trusted.