Mozilla Delays Distrust of Symantec Certificates

Mozilla this week announced that the distrust of older Symantec certificates, initially planned for Firefox 63, will be delayed.

Following a long series of problems involving the wrongful issuance of certificates by the Certification Authority (CA) run by Symantec, one of the oldest and largest CAs, browser makers have decided to remove trust in all Symantec-issued certificates before the end of this year.

Both Google and Mozilla said they would gradually remove trust in all TLS/SSL certificates issued by Symantec. Google, which removed trust in certificates that Symantec issued before June 1, 2016, with the release of Chrome 66 in April, wants to remove trust in all Symantec certificates in Chrome 70.

Mozilla was aiming at making a similar move in October 2018, with the release of Firefox 63, but now says it has decided to delay the distrust plans. The browser is currently only warning users when encountering a website that uses a Symantec-issued certificate.

According to the browser maker, it took this decision after learning that well over 1% of the top 1,000,000 websites still use Symantec certificates, meaning that the impact on users would be much greater than initially anticipated.

Last year, Symantec sold its CA business to DigiCert, which immediately started issuing new certificates to replace those issued by Symantec. In March, DigiCert said it had replaced most of the Symantec-issued certificates and that less than 1% of the top 1 million websites hadn’t made the switch yet.

As it turns out, many popular sites are still using Symantec certificates, apparently unaware of the planned distrust. Others, Mozilla says, are likely waiting until Chrome 70 arrives on October 23 to finally replace their Symantec certificates.

“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free,” Mozilla’s Wayne Thayer notes.

He says that Mozilla is well aware of the additional risk caused by a delay in the implementation of the distrust plan, but also points out that the delay is in the best interest of Firefox users, given the current situation.

The distrust, however, continues to be planned for later this year, when more sites have replaced their Symantec TLS certificates. Firefox 63 Nightly is already distrusting Symantec-issued certificates, but the change will be implemented in Firefox 64 Beta rather than in Firefox 63 Beta.

“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them,” Thayer concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
