On 16th October 2018, Google released an update to their Chrome browser. One of the new features in this update is the distrust of SSL certificates issued by Symantec or one of their subsidiaries. Later this year, Mozilla plans to update their Firefox browser with a similar feature.
If your website is secured with a Symantec certificate, your business could suffer greatly because of this change. Please read on to find out why.
What's An SSL Certificate?
Simple Answer (Short But Slightly Inaccurate)
An SSL certificate is the thing that makes a website address start with this:
https://
Instead of this:
http://
The "s" in the first example stands for "secure".
An SSL certificate also puts a padlock symbol in the address bar of a browser, which reassures website visitors that their credit card details won’t get stolen when they make a purchase from the site.
Complex Answer (Long But More Accurate)
An SSL certificate is a digital certificate of authenticity for a website. It confirms the website’s identity and encrypts the transmission of private information (e.g. bank/card details) sent from a browser to a web server using a technology called Secure Sockets Layer (SSL).
Whenever an internet user attempts to send private information over the web, the user’s browser checks the web server for an SSL certificate. If it finds a certificate, it then checks that it’s valid and has not passed its expiry date. If the certificate is valid, a secure connection is established between the browser and the web server to protect the information being transmitted. If the certificate is invalid or missing, the information can still be transmitted (at the user’s own risk) but the transaction will not be secure.
An SSL certificate is issued by an organisation called a Certificate Authority (CA). For an SSL certificate to be effective, the CA that issued it must be trusted by browser vendors like Google (Chrome), Mozilla (Firefox), and Apple (Safari).
Why Are Symantec Certificates Distrusted?
To keep a very long (and boring) story short, there have been some problems with certificates issued by Symantec and its subsidiary CAs. This has led to the distrust of Symantec SSL certificates by all major web browser vendors.
How Do I Know If My Website Is Affected?
Chances are that if your website is affected you’ll already know, especially if you run an e-commerce website. You would most certainly have noticed a drop in online sales (because who would really purchase from an insecure website?) or an influx of customer queries/complaints about a browser message saying that your website is not secure.
The easiest way to check is to do the following:
If you don’t get an error message about an insecure connection, then your website is probably fine.
The most definitive way to check is to use DigiCert’s SSL Certificate Checker. Put your website’s address into the checker and it will give you a detailed report of your SSL certificate information, including the CA that issued it. If it was issued by any of the following CAs, then you should replace it right away:
You can also use this SSL Checker (also by DigiCert). It won't give you as much information as the other SSL checker but it will tell you if your certificate was issued by one of the aforementioned CAs.
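The same issuer and expiry check can be scripted for several sites at once. The following is an added example, not part of the original article or any DigiCert tool; it inspects only the immediate issuer in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`. The `LEGACY_ORGS` list, the function names and the two sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
import time

# Assumption: organisation names of the legacy Symantec-run CA brands
# (publicly known names); this is not the article's own list.
LEGACY_ORGS = ("symantec", "geotrust", "thawte", "verisign", "equifax")


def issuer_field(cert, key):
    """Pull one attribute out of the nested issuer tuples in a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return ""


def assess(cert, now=None):
    """Return a list of findings for a certificate dict; empty means none found."""
    now = time.time() if now is None else now
    findings = []
    org = issuer_field(cert, "organizationName")
    # Match on the issuing organisation, not the CA's common name: a reissued
    # certificate can keep a brand name in the CN while being issued by DigiCert.
    if any(brand in org.lower() for brand in LEGACY_ORGS):
        findings.append("issued by legacy CA: " + org)
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired on " + cert["notAfter"])
    return findings


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data in getpeercert() format, not real certificates.
OLD_CERT = {"issuer": ((("organizationName", "Symantec Corporation"),),
                       (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
            "notAfter": "Jun 15 00:00:00 2019 GMT"}
NEW_CERT = {"issuer": ((("organizationName", "DigiCert Inc"),),
                       (("commonName", "GeoTrust RSA CA 2018"),)),
            "notAfter": "Jun 15 00:00:00 2020 GMT"}
```

For a live site, `assess(fetch_cert("www.example.com"))` runs the same check; `fetch_cert` raises `ssl.SSLCertVerificationError` if the local trust store already rejects the certificate.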
If My Website Is Affected, What Should I Do?
Symantec sold its CA business to DigiCert in 2017, and DigiCert has been reissuing problem certificates since then. If you still have a “dodgy” certificate, you can replace it for free.
© Copyright Martin Riley T/A Quantum Consultancy Services 2019, all rights reserved