This article originally appeared in Search Security on October 12, 2018.
Mozilla delays plans to distrust Symantec TLS certificates in Firefox because, despite more than one year’s notice, approximately 13,000 websites still use the insecure certificates.
The plan for Chrome and Firefox to distrust Symantec TLS certificates has been in place for more than one year, but Mozilla is delaying action at the last minute because too many sites still use the faulty certificates.
The formal plan to distrust Symantec TLS certificates was agreed upon by Google, Mozilla and the PKI community in July 2017, just before Symantec sold its certificate authority (CA) business to rival DigiCert. Google began distrusting existing Symantec certificates in April 2018 with the release of Chrome 66, while Firefox and Safari began a partial distrust in August. Google and Mozilla had plans for a full distrust of Symantec TLS certificates as of mid-October, with Apple giving a vaguer final time of fall 2018.
However, Mozilla announced this week it will delay the date of full distrust in Firefox from Oct. 23 until at least December because it feels too many websites haven’t yet replaced their Symantec TLS certificates.
“While the situation has been improving steadily, our latest data shows well over 1% of the top 1 million websites are still using a Symantec certificate that will be distrusted,” wrote Wayne Thayer, certification authority program manager at Mozilla, in a blog post. “It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free. Given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users.”
A spokesperson for Mozilla said the company understands there is a risk to users in delaying the distrust of Symantec TLS certificates, but added that although only approximately 13,000 of the top 1 million websites still use the risky certificates, those websites had considerable reach to end users. “This isn’t just a question of volume. It’s a question of reach of the sites that make up the 1%,” the spokesperson said.
Google declined to comment on Mozilla’s decision and instead pointed to its plans for distrusting Symantec TLS certificates, in which the final cutoff will be with Chrome 70 scheduled for release Oct. 16.
Symantec history and reaction
While the plans set out by Google and Mozilla to distrust Symantec TLS certificates have been in place since July 2017, Symantec’s CA was first sanctioned by Google for issuing improper certificates in 2015. Google’s Certificate Transparency project then found more than 100 improperly issued Symantec certificates in January 2017.
In March 2017, Google’s Chromium team said it found another 30,000 Symantec certificates that couldn’t be properly validated. Trouble became even worse in March 2018 when DigiCert announced plans to revoke 23,000 Symantec certificates because private keys had been exposed via certificate reseller Trustico.
Scott Helme, an independent security researcher based in Lancashire, U.K., said it was “a shame to see Mozilla stepping back the deadline on this action; after all, there was a very good reason the decision was made in the first place.”
“For any change we see like this on the internet — the recent deprecation of SHA-1 and migration to SHA-256 is a great example — there are always sites that for some reason do not migrate in time. I think with enough notice and outreach, as has been the case with the Symantec distrust, the change should be rolled out as planned,” Helme wrote via email.
Chris Olson, CEO of The Media Trust, said the process for a website to transition off of Symantec TLS certificates “should take no more than a few weeks.”
“[Mozilla is] likely only concerned about their users’ convenience,” Olson wrote via email. “By distrusting the certs, Mozilla is sending out a warning to their users, who will receive an error message on the screen that indicates the cert is not trusted.”
Mark Miller, director of enterprise security support at Venafi, said not all organizations have the right processes in place to make the switch efficiently.
“Distrusting the lion’s share of the certificates on the internet can be painful. And it’s especially painful for organizations that don’t have an automated way to replace their certificates. In fact, many organizations don’t even have a complete inventory of their machine identities,” Miller wrote via email. “However, by delaying our distrust deadlines we’re leaving the window open for more data to fly out. As security professionals, we need to be able to draw a line and stand behind it with confidence, but to do this organizations will need to prioritize their ability to respond to these kinds of events.”
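Miller's point about organizations lacking an inventory of their machine identities is the practical crux of the transition Olson describes: before a site operator can replace a Symantec certificate, they have to know which of their hosts still serve one. The script below is an added example, not code from the article or from any of the organizations quoted in it. It classifies certificate chains from an inventory and reports which hosts still chain to a legacy Symantec-brand CA. Chain entries use the nested-tuple name format that Python's `ssl.SSLSocket.getpeercert()` returns; the three hosts in the sample inventory are constructed for illustration and do not describe any real site. The brand list goes beyond the article, which names only Symantec: Symantec's CA business also operated the VeriSign, Thawte, GeoTrust and RapidSSL brands, and their roots fall under the same distrust. The classification looks at the issuer of the highest CA certificate the server sent rather than at the leaf's issuer name, because DigiCert's free replacements can keep an old brand name on the intermediate while anchoring it in a DigiCert root; a leaf-only capture is therefore reported as inconclusive rather than guessed at.

```python
"""Inventory check: which hosts still chain to a legacy Symantec-brand CA?

Added example, not from the article. Chains are lists of getpeercert()-style
dicts ordered leaf -> highest CA the server sent; the sample inventory is
constructed for illustration.
"""
import socket
import ssl

# Brands that belonged to Symantec's CA business and are covered by the distrust
# (known from the distrust plan itself; the article names only Symantec).
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")


def name_to_dict(name):
    """Flatten the nested ((('commonName', 'x'),), ...) name format into a dict."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat.setdefault(attr, value)
    return flat


def mentions_legacy_brand(name):
    """True if the O or CN of a certificate name carries a legacy Symantec brand."""
    fields = name_to_dict(name)
    text = " ".join([fields.get("organizationName", ""),
                     fields.get("commonName", "")]).lower()
    return any(brand in text for brand in LEGACY_SYMANTEC_BRANDS)


def classify_chain(chain):
    """Classify a chain ordered leaf -> highest CA certificate the server sent.

    "distrusted"   - the top certificate was issued by a legacy Symantec-brand CA
                     (for a self-signed root, issuer == subject, so this still works)
    "ok"           - the top certificate is anchored elsewhere, e.g. a DigiCert root
    "inconclusive" - only the leaf is present; its issuer name alone is not decisive
                     because rebranded DigiCert intermediates can carry old names
    """
    if not chain:
        raise ValueError("empty chain")
    if len(chain) == 1:
        return "inconclusive"
    top = chain[-1]
    return "distrusted" if mentions_legacy_brand(top.get("issuer", ())) else "ok"


def audit(inventory):
    """Map each host in the inventory to its classification."""
    return {host: classify_chain(chain) for host, chain in inventory.items()}


def fetch_leaf(host, port=443, timeout=5.0):
    """Live lookup of a host's leaf certificate (network access required).

    getpeercert() exposes only the leaf, so classify_chain([leaf]) reports
    "inconclusive"; capture the intermediates with your inventory tooling
    (or `openssl s_client -showcerts`) to get a definite answer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name(org, cn):
    """Build a getpeercert()-style name from an O and a CN (sample data helper)."""
    return ((("organizationName", org),), (("commonName", cn),))


# Constructed sample inventory (hostnames and certificate names are illustrative).
SAMPLE_INVENTORY = {
    # Old Symantec-issued chain: the intermediate chains to a VeriSign-brand root.
    "legacy.example": [
        {"subject": ((("commonName", "legacy.example"),),),
         "issuer": _name("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4")},
        {"subject": _name("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4"),
         "issuer": _name("VeriSign, Inc.",
                         "VeriSign Class 3 Public Primary Certification Authority - G5")},
    ],
    # Free DigiCert replacement: the intermediate keeps an old brand name in its CN
    # but is anchored in a DigiCert root, so it survives the distrust.
    "replaced.example": [
        {"subject": ((("commonName", "replaced.example"),),),
         "issuer": _name("DigiCert Inc", "GeoTrust RSA CA 2018")},
        {"subject": _name("DigiCert Inc", "GeoTrust RSA CA 2018"),
         "issuer": _name("DigiCert Inc", "DigiCert Global Root G2")},
    ],
    # Only the leaf was captured (what fetch_leaf() returns): not enough to decide.
    "leafonly.example": [
        {"subject": ((("commonName", "leafonly.example"),),),
         "issuer": _name("DigiCert Inc", "DigiCert SHA2 Secure Server CA")},
    ],
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:20s} {status}")
```

Running the script prints `distrusted` for the legacy host, `ok` for the DigiCert-replaced one and `inconclusive` for the leaf-only entry. Only hosts in the first group need a reissued certificate before the browsers' cutoff; the third group needs a fuller capture before anything can be concluded.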