You may have heard about Google's intent to distrust Symantec certificates. But you might not know what that actually means for your organization. Ultimately, you will have to find, replace, and validate every certificate in your organization that chains up to a Symantec root. And you'll have to do it sooner rather than later, before your websites are flagged as untrusted.
Here’s how we got to this point. On 23 March 2017, Google staff software engineer Ryan Sleevi announced that the Chrome team had observed a "series of failures by Symantec Corporation to properly validate certificates." The mis-issuance originally involved just 127 certificates issued by Symantec, an American software security company which also manages its own Certificate Authority (CA). However, further investigation revealed that the failures applied to at least 30,000 certificates.
Google responded by proposing "an incremental distrust, spanning a series of Google Chrome releases, of all currently-trusted Symantec-issued certificates, requiring they be revalidated and replaced." Users will have until 15 March 2018 to replace any Transport Layer Security (TLS) certificates issued by Symantec prior to 1 June 2016. They can do so by purchasing a new certificate from Symantec (the Norton anti-virus software provider) or from another reputable CA.
How will this impact your organization? Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, thinks that replacing those certificates is easier said than done for some organizations. As he wrote in a blog post:
"This is a giant wake-up call for every business. Most organizations don’t have the agility required to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with not just this issue, but other issues like it. The only other alternative is to be victimized by these events."
Organizations wishing to meet Chrome's demands must be able to find every installation of every certificate that chains up to a Symantec root. That means locating certificates from the potentially dozens of CAs from which they have purchased digital certificates. Such a process would consume significant time and resources if performed manually.
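A small triage script, added here as an illustration and not part of the original post or of any Venafi product, encodes the rule stated above: a certificate issued by Symantec before 1 June 2016 must be replaced before 15 March 2018, and any other Symantec-issued certificate is in scope for the later phases of the incremental distrust. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so an inventory can be built from live hosts or from a saved export; the brand list (VeriSign, GeoTrust, thawte, RapidSSL alongside Symantec) and the sample hostnames are assumptions, and only the leaf issuer is inspected, which is a proxy for the chain rather than a full chain walk.

```python
"""Classify TLS leaf certificates against Chrome's Symantec distrust schedule."""
import datetime
import socket
import ssl

# Assumption: CA brands that Symantec operated; extend if your inventory shows others.
SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")
CUTOFF = datetime.datetime(2016, 6, 1, tzinfo=datetime.timezone.utc)  # "issued prior to 1 June 2016"
DEADLINE = "15 March 2018"


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return a verdict for one certificate: not in scope, replace by deadline, or track."""
    org = issuer_org(cert).lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "not Symantec-issued"
    # ssl.cert_time_to_seconds parses the 'Mar  3 00:00:00 2016 GMT' format getpeercert() uses.
    issued = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), datetime.timezone.utc)
    if issued < CUTOFF:
        return f"replace before {DEADLINE}"
    return "Symantec-issued after cutoff: track later distrust phases"


def fetch_leaf(host, port=443):
    """Fetch the leaf certificate a live host presents (getpeercert() returns only the leaf)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def triage(inventory):
    """Map each (name, cert) pair in an inventory to its verdict."""
    return {name: classify(cert) for name, cert in inventory}


# Constructed sample inventory in getpeercert() shape (hypothetical hosts, not real certificates).
SAMPLE = [
    ("www.example.test", {"issuer": ((("countryName", "US"),), (("organizationName", "Symantec Corporation"),)),
                          "notBefore": "Mar  3 00:00:00 2016 GMT"}),
    ("api.example.test", {"issuer": ((("organizationName", "GeoTrust Inc."),),), "notBefore": "Sep  1 00:00:00 2016 GMT"}),
    ("mail.example.test", {"issuer": ((("organizationName", "Example Trust CA"),),), "notBefore": "Jan 10 00:00:00 2017 GMT"}),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```

To run it against real hosts, replace `SAMPLE` with `[(h, fetch_leaf(h)) for h in hosts]`; a server that sends a non-Symantec leaf cross-signed by a Symantec intermediate will not be caught by this leaf-only check and needs the full sent chain inspected.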
What can you do about it?
Fortunately, companies can save themselves unnecessary effort using TLS Protect Cloud. The solution provides customers with a list of certificates issued by a given CA as well as the installation locations of all certificates that chain up to that CA's root certificate. With this knowledge, organizations can begin requesting replacement certificates manually, or they can configure TLS Protect Cloud to automate the replacement certificate issuance process through Venafi's DevOps integrations with SaltStack, Docker, or Terraform. Whichever replacement method they choose, enterprises will spare themselves potential downtime, associated brand damage, and lost revenue.