Symantec has fallen out of the good graces of the InfoSec community, and the larger companies in Silicon Valley are taking action. As Bleeping Computer reports, Mozilla’s Firefox Nightly will release a beta version in early September that recognizes Symantec TLS certs as a security risk. When users access websites with Symantec certificates, they will be met with a message informing them that their connection isn’t private. Additionally, Google has set up its September beta release of Chrome 70 Canary to give a similar warning to users who land on pages secured with Symantec TLS certificates.
The move comes after a July investigation conducted by Google and Mozilla engineers showed that Symantec did not consistently follow the rules for issuing TLS certificates. As Bleeping Computer notes, this set of actions on the part of Google and Mozilla is the final step in fully delegitimizing Symantec certificates, with the first step being Symantec “demoting itself from the position of Root Certificate Authority to that of a Subordinate Certificate Authority that abides by the rules of a different party.”
The Bleeping Computer report notes that another issue browser makers are running into is the sheer number of major sites that have not moved away from Symantec. A list of the organizations that have not replaced their certs includes the following:
Sony PlayStation Store, Navy Federal Credit Union’s online banking page, First National Bank of Pennsylvania’s online banking, Estonian LHV Bank, Canadian telecom Freedom, La Banque Postale, La Banque Populaire Val de France, First National Bank in South Africa and Intel’s Japanese website.
Another issue is that the certificate problems are not restricted to Symantec itself but extend to all of its affiliates. This includes GeoTrust, Thawte, and RapidSSL. As a whole, this mess is being mitigated as well as it can be under the circumstances. Proper SSL/TLS certificates are an essential component of keeping users safe, thanks to the encryption they provide.