A browser will check the validity of an SSL certificate in order to confirm that the website being loaded is legitimate. This is done by validating a chain of trust: Certificate Authorities (CAs) guarantee the certificates they issue, along with the bona fides of any secondary issuing authority that operates under their umbrella. A very rigorous process is needed to validate any entity that wishes to obtain a certificate.
In 2016, users became aware that Symantec (and the issuers it supported) was issuing certificates in contravention of the established guidelines, and posted their findings to a Mozilla security mailing list. After considerable discussion among the other CAs, a decision was made to distrust Symantec and to remove it as a CA.
The final announcement to distrust Symantec certificates was made in late 2017, and all Symantec certificate holders were given a year to replace their SSL certificates with ones from a trusted issuer. The "distrust" also applies to certificates from Thawte, GeoTrust and RapidSSL, all of which used Symantec as their central authority.
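As an added example (not part of the iTWire article), the following shell script uses OpenSSL to build a constructed three-certificate chain (root, intermediate, server) and verifies it against a trust store before and after the root is removed, which is what "distrusting" a CA amounts to on the browser side. All names ("Demo Root CA", "Demo Intermediate CA", "Other Root CA", "demo.example") are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: simulate a CA being removed from a browser's trust store.
# Every certificate here is constructed locally; nothing is fetched.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: one for CA certificates, one for the server (leaf) certificate
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > leaf.ext

# mkcsr NAME SUBJECT: generate a private key and a CSR for SUBJECT
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Root CA (self-signed): the top of the chain of trust
mkcsr root "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 -extfile ca.ext 2>/dev/null
# Intermediate CA signed by the root: the "secondary issuing authority" under its umbrella
mkcsr int "Demo Intermediate CA"
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 30 -extfile ca.ext 2>/dev/null
# Server certificate signed by the intermediate
mkcsr leaf "demo.example"
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 30 -extfile leaf.ext 2>/dev/null
# An unrelated root that stands in for the rest of the browser's trust store
mkcsr other "Other Root CA"
openssl x509 -req -in other.csr -signkey other.key -out other.crt -days 30 -extfile ca.ext 2>/dev/null

# Trust store before the distrust decision (root still present) and after (root removed)
cat root.crt other.crt > store_before.pem
cp other.crt store_after.pem

# verify_chain STORE: exit 0 if leaf.crt chains to a root in STORE, non-zero otherwise.
# The intermediate is passed as untrusted, as a server would send it in the TLS handshake.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted int.crt leaf.crt >/dev/null 2>&1
}

if verify_chain store_before.pem; then echo "before distrust: chain accepted"; fi
if ! verify_chain store_after.pem; then echo "after distrust: chain rejected"; fi
```

The server certificate and its intermediate are unchanged between the two checks; only the trust store differs, which is why holders of affected certificates must obtain a replacement rather than wait for a fix on their side.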
DigiCert has acquired the Symantec CA and has been re-issuing certificates without charge. Anyone who has already begun this process need take no further action, as the replacement certificate will be trusted by all browsers.
According to Mozilla, about 3.5% of the top one million websites are still secured with certificates that will no longer be trusted, despite extensive warnings. Anyone with access to Firefox Nightly or Chrome Canary will most likely already see the standard "Invalid Certificate" warning for such sites rather than the actual website.
iTWire has been unable to find an official statement from Microsoft about its position on this issue and whether IE and Edge will continue to support Symantec certificates after they are distrusted by Firefox and Chrome.