Chrome 66 and distrust of the Symantec PKI

As announced in the post Chrome’s Plan to Distrust Symantec Certificates of 11 September 2017, Chrome, starting with version 66 (scheduled for and released in April 2018), no longer trusts, and therefore no longer accepts as valid, certificates issued by Symantec’s CAs and their sub-CAs before 1 June 2016:

“Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018.”

That decision follows a 2015 incident described in the post Sustaining Digital Certificate Security of 28 October 2015:

“Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera.”

“Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”

That decision was then reiterated in the post Distrust of the Symantec PKI: Immediate action needed by site operators of 7 March 2018, which announces that from Chrome 70, scheduled for 16 October 2018, all certificates issued by Symantec’s CAs and their sub-CAs will be treated as invalid, including those issued after 1 June 2016:

“We previously announced plans to deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL). This post outlines how site operators can determine if they’re affected by this deprecation, and if so, what needs to be done and by when. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome.”

“If your site is using a SSL/TLS certificate from Symantec that was issued before June 1, 2016, it will stop functioning in Chrome 66, which could already be impacting your users.”

“Starting in Chrome 70, all remaining Symantec SSL/TLS certificates will stop working, resulting in a certificate error like the one shown above.”

Mozilla’s team, which had reported the unauthorized-issuance problem on 19 January 2017 in the discussion Misissued/Suspicious Symantec Certificates, also stated in the post Distrust of Symantec TLS Certificates of 12 March 2018 that it would take similar action for Firefox:

“January 2018 (Firefox 58): Notices in the Browser Console warn about Symantec certificates issued before 2016-06-01, to encourage site owners to replace their TLS certificates.”

“May 2018 (Firefox 60): Websites will show an untrusted connection error if they use a TLS certificate issued before 2016-06-01 that chains up to a Symantec root certificate.”

“October 2018 (Firefox 63): Distrust of Symantec root certificates for website server TLS authentication.”

“In Firefox 63, trust will be removed for all Symantec TLS certificates regardless of the date issued (with the exception of certificates issued by Apple and Google subordinate CAs as described above).”
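The two schedules above reduce to one decision for a site operator: does the certificate chain to a Symantec-owned brand, and was it issued before 2016-06-01? The script below, an added example that is not code from the Google or Mozilla posts, applies that decision to the dict that Python’s `ssl.SSLSocket.getpeercert()` returns. The brand list, the sample certificates and the outcome strings are constructed for this illustration; the only assumption about the data is that the leaf’s issuer field (its intermediate CA) carries the brand name, which is what the Symantec brands listed in the Chrome post did.

```python
"""Classify a server certificate against the Symantec distrust schedule.

Added example, not code from the Google or Mozilla posts quoted above.
It works on the dict returned by ssl.SSLSocket.getpeercert(), so the same
logic runs offline on constructed sample data and live via check_host().
"""
import socket
import ssl
from datetime import datetime, timezone

# Symantec-owned brands named in the Chrome post; matched against the
# issuer's organization and common name (case-insensitive substring).
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")

# Issuance cut-off used by both browsers: 2016-06-01 00:00:00 UTC.
CUTOFF = int(datetime(2016, 6, 1, tzinfo=timezone.utc).timestamp())

# Outcomes, as constants so callers can branch on them.
UNAFFECTED = "unaffected"
DISTRUST_CHROME66 = "distrusted by Chrome 66 / Firefox 60 (issued before 2016-06-01)"
DISTRUST_CHROME70 = "distrusted by Chrome 70 / Firefox 63 (issued on or after 2016-06-01)"


def _name_to_dict(name):
    """Flatten getpeercert()'s tuple-of-tuples RDN sequence into {attribute: value}."""
    flat = {}
    for rdn in name:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def is_symantec_issuer(cert):
    """True if the leaf's issuer (its intermediate CA) carries a Symantec brand name.

    Assumption: only the leaf is available, as with getpeercert(), so we read
    the brand from the leaf's issuer rather than walking the chain to the root.
    """
    issuer = _name_to_dict(cert.get("issuer", ()))
    text = " ".join(issuer.get(k, "") for k in ("organizationName", "commonName")).lower()
    return any(brand in text for brand in SYMANTEC_BRANDS)


def classify(cert):
    """Map a getpeercert() dict onto the distrust schedule described in the posts."""
    if not is_symantec_issuer(cert):
        return UNAFFECTED
    # notBefore is in OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' form; the stdlib parses it.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return DISTRUST_CHROME66 if not_before < CUTOFF else DISTRUST_CHROME70


def check_host(hostname, port=443):
    """Connect to a live server, fetch its leaf certificate and classify it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return classify(tls.getpeercert())


# Constructed sample certificates in getpeercert() layout (not real certificates).
SAMPLES = {
    "old-symantec": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notBefore": "Mar 13 00:00:00 2015 GMT",
        "notAfter": "Mar 12 23:59:59 2018 GMT",
    },
    "boundary-geotrust": {
        "issuer": ((("organizationName", "GeoTrust Inc."),),
                   (("commonName", "RapidSSL SHA256 CA"),)),
        "notBefore": "Jun 01 00:00:00 2016 GMT",
        "notAfter": "Jun 01 23:59:59 2018 GMT",
    },
    "unaffected": {
        "issuer": ((("organizationName", "Let's Encrypt"),),
                   (("commonName", "Let's Encrypt Authority X3"),)),
        "notBefore": "Mar 13 00:00:00 2018 GMT",
        "notAfter": "Jun 11 00:00:00 2018 GMT",
    },
}

if __name__ == "__main__":
    import sys
    for label, cert in SAMPLES.items():
        print(f"{label}: {classify(cert)}")
    for host in sys.argv[1:]:
        print(f"{host}: {check_host(host)}")
```

Two caveats when using this against real hosts: `getpeercert()` returns only the leaf, so a brand name in the leaf’s issuer is a heuristic for “chains to a Symantec root”, and the Apple and Google subordinate CAs that the Mozilla post exempts are not modelled here, so a certificate from those sub-CAs would need to be checked against the full chain by hand. A certificate issued exactly at 2016-06-01 00:00:00 UTC falls on the Chrome 70 side of the cut-off, which the boundary sample exercises.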