ARE YOU READY FOR THE SYMANTEC, GEOTRUST, THAWTE & RAPIDSSL DISTRUST?
|by Scott Helme,
Information Security Consultant
It's been common knowledge in the wider PKI community that Symantec, the Certificate Authority, is currently being distrusted and will soon cease to exist as a CA. My worry is that the wider community doesn't seem fully prepared for the distrust and the impact it will have.
There is a whole, big (really big) back story to Symantec being distrusted by the browsers but it can be distilled down to the fact that they did some things that made the browsers lose faith in them, they issued certificates that they should not have issued. You can read Chrome’s Plan to Distrust Symantec Certificates and the long thread on Mozilla's Dev Security Policy mailing list about exactly why, but one way or another Symantec will cease to exist as a CA. Despite sanctions like Google requiring Certificate Transparency compliance from Symantec ahead of the requirement for all other CAs, it seems there was no coming back and Symantec sold off their entire CA business to DigiCert and will exit the market. This is a problem for site operators because they now need to find a new CA, which will hopefully be a lot easier now they can transition to TRUSTZONE, but the bigger issue is that if you're using an existing Symantec certificate you need to replace it, and this is where things get interesting.
There are two deadlines by which sites need to take action and they depend on when you got your Symantec SSL certificate. If the certificate was issued prior to 1st June 2016 it will stop working with the Chrome Beta 66 release March 15, 2018 and if you have any other Symantec SSL certificate it will stop working with the Chrome Beta 70 release in September 2018. Prompted by other research I had seen online I thought I had put my crawler data to good use and see what further analysis I could do with it.
WHO IS STILL USING SYMANTEC CERTS
After creating a script to go through the certificates collected by my crawlers I can parse them all and see who is still using a Symantec SSL certificate that will be distrusted. I have broken the list down into 2 separate files; the sites using certificates that will be distrusted in m70 and the sites who will have their certificate distrusted in m66 who need to take more immediate action. You can see the code over on my GitHub repo and the two files that contain the lists of sites are m66.csv and m70.csv respectively.
THE M66 DISTRUST
I am currently seeing 1,321 sites in the Alexa Top 1 Million that will have their current certificate distrusted in April. That's a pretty large number and with less than 2 months to go, I hope they're already underway with replacing the certs.
THE M70 DISTRUST
For M70 the numbers are slightly higher, as you would expect, and I am seeing 6,882 sites that will have their certificates stop working in September 2018. That is a much more acceptable timeframe and I will track the numbers as we go.
A basic database query
The above numbers were acquired by parsing the SSL certificates that were collected and looking for ones that chain to a blacklisted Symantec root. Another much more simple approach is to look for instances of 'Symantec' in the name of the CA.
SELECT ca, count(ca) FROM `results` WHERE ca LIKE '%Symantec%' GROUP BY ca ORDER BY count(ca) DESC
That gives me the following list.
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
C = US, O = Symantec Corporation, OU = Symantec Trust Network, OU = Domain Validated SSL, CN = Symantec Basic DV SSL CA - G2
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G3
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 ECC 256 bit SSL CA - G2
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server SHA256 SSL CA
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Extended Validation SHA256 SSL CA
C = US, O = Symantec Corporation, OU = Symantec Trust Network, OU = Domain Validated SSL, CN = Symantec Basic DV SSL CA - G1
C = CN, O = "TrustAsia Technologies, Inc.", OU = Symantec Trust Network, OU = Domain Validated SSL, CN = TrustAsia DV SSL CA - G5
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 ECC 256 bit EV CA - G2
C = US, O = Wells Fargo, OU = Symantec Trust Network, CN = Wells Fargo Certificate Authority WS1
C = US, O = Oracle Corporation, OU = Symantec Trust Network, CN = Oracle SSL CA - G2
C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 EV SSL CA - G2
One way or another, that is still an awful lot of Symantec issued certificates...
CHECK THE LIST
It will be worth taking a look through the lists and seeing if your site is on there and if it is, make plans to remove it! As the script can be run against my daily crawl data it will be easy to keep this up to date and to monitor it as we get closer. Perhaps in the last week or two it might be worth reaching out to organisations publicly to see if they are aware of the impending change. To confirm if a site is affected you can visit it in the latest version of Chrome and check the console for an error message:
The other great thing to note from that example is that my scans only hit the apex domain on http and follow redirects to completion, meaning there will be many more sites that have a Symantec SSL certificate that will be affected but do not currently redirect to it. I also will not pick up resources on the page loaded from subdomains or other 3rd party domains that are impacted by this distrust. I guess the point is that this is only the tip of the iceberg and there are a lot more sites out there that will be affected.
If you have any questions, or if you would like to contact TRUSTZONE, please call us +45 88 33 10 00. Our experts are ready to answer your questions and will respond the same day (on weekdays). TRUSTZONE is looking forward to helping you so you are ready for Symantec Distrust.