Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world's most popular browser.
"Companies are staring down the barrel of a boat load of work," said David Anthony Mahdi, a research director at Gartner, and the industry research firm's resident expert on digital certificates and the CAs (certificate authorities) that issue them. "This is massive."
Beginning with Chrome 66, currently set to show up the third week of April next year, Google will "remove trust in Symantec-issued certificates issued prior to June 1, 2016," wrote three members of the browser's security team, in a post to a company blog. "If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome."
A follow-up version of Chrome, slated for debut a little more than a year from now, will untrust every Symantec certificate, no matter when it was issued. When Google removes trust from the certificates, users will begin seeing messages, some explicit, others subtler, informing them that the connection between them and the website is insecure.
During the year-long process that Google laid out this week, it will gradually untrust any certificate that chains to roots maintained by Symantec, including those issued by the brand-named CAs (certificate authorities) Symantec has swallowed over the years, like Equifax, GeoTrust, and, of course, VeriSign.
Here's the Google untrust calendar
Google's schedule looks like this:
Oct. 22-28, 2017: Google will release Chrome 62, which adds a new feature under the "Developer Tools" menu item (under the "View/Developer" menu) that shows affected certificates.
December 2017: DigiCert, which plans to buy Symantec's certificate business for nearly $1 billion, is supposed to have a new "Managed Partner Infrastructure" up and running this month, and be able to issue replacement certificates for those Chrome will untrust in 2018.
April 15-21, 2018: All Symantec-issued certificates obtained before June 1, 2016, will be marked as untrusted by Chrome 66, which will release during the week.
October 21-27, 2018: All certificates that chain to Symantec's pre-December 2017 rooted infrastructure will be untrusted by Chrome 70, slated to release this week.
Google vs. Symantec
The dispute between Google and Symantec that led to the former punishing the latter using Chrome as a club, has been months, years even, in the making.
First in 2015, then much more emphatically in early 2017, Google (and other browser developers, notably Mozilla) charged that Symantec and its partners were improperly issuing certificates, violating the rule set by the CA/Browser Forum, a standards groups whose members include browser makers and certificate authorities.
Google decided that Symantec's problems were endemic, and that the accumulating incidents were proof that the CA could not be trusted to issue the certificates that were, in fact, the basis of trustworthiness on the Web â proving that, say, a website is what it claims to be, and not a fake that would steal users' money or credentials or data.
That Google was able to force Symantec to comply with its demands, and then in early August actually sell its CA business to Utah-based DigiCert â withdrawing from the industry altogether â speaks to the power of the search giant, notably its Chrome browser. "Clearly, Google is very, very powerful," said Mahdi.
In this case, Google's power, "leverage" may be a better word, comes from the dominance of Chrome. According to metrics vendor Net Applications, Google accounted for nearly 60% of the world's browser user share, an estimate of the portion of the globe's personal computers that used Chrome to reach sites during August. Chrome's command of the browser market has been a relatively recent phenomenon: Google only passed Microsoft as the planet's most popular browser maker in May 2016.
If Google decided to untrust all Symantec certificates, site operators would have no choice but to replace those certificates. If they did not, they would risk losing a landslide majority of potential customers, who would be motivated to patronize rivals' websites secured by other CA certs. Notably, financial firms would face a hurricane of customer complaints when they were told to drop Chrome and pick another browser.
While Mozilla has raised similar complaints, Firefox's maker would almost certainly not have been able to pressure Symantec to radically change its CA practices and processes, simply because of that browser's place. In August, for instance, Net Applications pegged Firefox as having a global user share of just 12%, a fifth of Chrome's.
Although companies are staring at calendar dates as close as next spring, there is no clear direction yet from either Symantec or its successor, DigiCert, on the process of replacing the soon-to-be-untrusted certificates.
Gartner's Mahdi pointed out that he was in the dark as much as Symantec's CA customers, even after speaking with executives from both that firm and DigiCert.
"How are the certificates going to be migrated? What's the pricing going to look like?" Mahdi asked, citing unanswered questions that Gartner's clients have posed to him. "What clients want is a game plan."
Which they don't really have. Not yet.
Mahdi's advice at this point? Prepare, as one would when site certificates come up for renewal. "There are a lot of options," he said. "If you're a current Symantec customer, get a game plan from them as soon as they have one. Ask what kind of incentive they'll give to get you to stay.
"But there are competitors out there, such as Entrust, GlobalSign and Comodo," Mahdi said. "Certificates are a fairly commoditized market. People usually select [a vendor] based on price, brand and support. Look at least three providers, just as you would at renewal time."