Blog post

Taking a Shine off Certificates

Created:  15 Oct 2018
Updated:  15 Oct 2018
Author:  Jamie H

On Tuesday 16th October, Google Chrome version 70 is expected to be released. In this new version HTTPS certificates issued by Symantec (and its subsidiaries like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL) will be treated as invalid. Google have provided further details in their recent security blog.

While Google Chrome is the first browser to take action, other browsers are following suit, with Mozilla Firefox, Apple's Safari, and Microsoft's Internet Explorer and Edge expected to make the same change some time in the next few months. If your website uses a certificate affected by the change, you should seek a new certificate issued by another provider urgently. This might also be a good time to catch up on my previous blog [Serve websites over HTTPS (always)] for some guidance around why HTTPS is so important.

Users of NCSC Web Check (currently available only to the UK public sector) affected by the change will have received a finding a month ago which will have become urgent last week. If you have one of these and haven't yet got a new certificate you should do so urgently. If Web Check isn't available to you, you can use Symantec's service to check whether you're affected.

Jamie H
Senior Security Researcher

1 comment

David L - 15 Oct 2018
It may be worth pointing out that certificates acquired from Symantec and subsidiaries more recently WILL continue to be valid as they now have a (trusted) signing authority of DigiCert; the Symantec service link in the blog will check whether any certificate showing as Symantec, Thawte, GeoTrust or RapidSSL is valid.
