Symantec, GeoTrust, RapidSSL, Thawte and Verisign certificates will all be distrusted in October 2018

Published: | Categories: Privacy & Security

Description

As the last step in the ongoing multi-vendor distrust actions against Symantec, taken in response to its various CA practice issues, Firefox 63, shipping October 23, will remove trust in all existing TLS server certificates issued by Symantec, including ones issued under the GeoTrust, RapidSSL, Thawte and Verisign brands. The same change will be made in Google Chrome 70, shipping October 16.

Firefox 58 and later have shown a console warning for the affected certificates, and Firefox 60 has already distrusted ones issued before June 2016. Firefox 63 and later will show the Insecure Connection error page for sites using a Symantec-issued certificate regardless of the issue date.

To avoid the unwanted error page, webmasters using any of these certificates have to replace it with a new one or obtain an alternative certificate from another CA as soon as possible. We recommend Let’s Encrypt, which offers trusted certificates for free.
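As an added example (not part of the original note, and not Mozilla's or any CA's tooling), the following POSIX shell helper uses the openssl CLI to list the issuer and notBefore date of every certificate in a PEM chain file and flags any issuer carrying one of the brand names listed above. The function names and the brand regex are my own choices; a brand-name match is only a heuristic for the browser's actual test, which keys on specific root certificates, so treat a hit as a prompt to verify which root the chain terminates in rather than as a final verdict.

```shell
#!/bin/sh
# Hypothetical helper, not from the original note. Requires the openssl CLI.
# Brand names follow the note above: Symantec and its GeoTrust, RapidSSL,
# Thawte and Verisign brands.
SYMANTEC_BRANDS='symantec|geotrust|rapidssl|thawte|verisign'

# chain_issuers FILE
# FILE holds one or more PEM certificates (leaf first, as a web server sends them).
# Prints one line per certificate: "<issuer>\t<notBefore>".
chain_issuers() {
  pem="$1"
  workdir=$(mktemp -d)
  # Split the bundle: every BEGIN line starts a new numbered file; text before
  # the first BEGIN (e.g. s_client chatter) is dropped because n is still 0.
  awk -v dir="$workdir" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (dir "/" n ".pem")}' "$pem"
  for f in "$workdir"/*.pem; do
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    start=$(openssl x509 -in "$f" -noout -startdate)
    # Strip the "issuer=" / "notBefore=" prefixes openssl prints.
    printf '%s\t%s\n' "${issuer#issuer=}" "${start#notBefore=}"
  done
  rm -rf "$workdir"
}

# symantec_branded FILE
# Succeeds (exit 0) when any certificate in the chain was issued under one of
# the brands; fails (exit 1) otherwise. The notBefore column matters because
# Firefox 60 already distrusted certificates issued before June 2016.
symantec_branded() {
  chain_issuers "$1" | grep -Eiq "$SYMANTEC_BRANDS"
}
```

To check a live deployment, save the chain as the server sends it (for example the output of `openssl s_client -connect example.com:443 -showcerts </dev/null`) to a file and run `symantec_branded chain.pem && echo affected`. `chain_issuers chain.pem` shows the full issuer list so you can see which link in the chain triggered the match.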

Update: The change has been made to Firefox Nightly on August 14, and affected sites are being tracked in Bug 1484006. Firefox Beta and Developer Edition will be updated with the change on September 25.

Update 2: Given that there are still many affected sites, Firefox 63 Beta 9 shipping September 25 is not enabling the distrust by default. Mozilla engineers are watching the situation closely to decide when they should enable it.

Update 3: Mozilla has officially announced that it will postpone the distrust to Firefox 64 Beta shipping in mid-October.

Update 4: The distrust is now enabled in Firefox 64 Beta. Webmasters still using one of the affected certificates must act now.
