Symantec & Partner Certificate Warnings


Larry LACa

Dec 1, 2017, 8:24:57 PM
to Google Chrome Developer Tools
Beginning with Chrome 66, Chrome will distrust (root) certs issued by Symantec (and partners) before 6/1/16.

Beginning with Chrome 62, DevTools will provide warnings for impacted sites/certs. Additional restrictions apply for Chrome 70.

What do the warnings look like?
What are the parameters for triggering the warnings?
How wide is the partner net?
Is there a demo site, like badssl, that will trigger the warnings?

See the 9/11 Google Security blog for details.

Larry LACa

Dec 5, 2017, 3:21:51 PM
to Google Chrome Developer Tools
Correction: the distrust applies to site certs, with Symantec & partner CAs. The distrust doesn't apply directly to root certs, as I previously stated/understood. Logically the two distrust patterns are very similar: if you distrust all the site certs issued by a CA, it's very similar to distrusting the CA itself.

The warnings appear as !Warnings on the top taskbar, in the console, and look like:
The SSL certificate used to load resources from  https://… will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The link goes to the 9/11 Google Security Blog article given in my first post.
Although the warning refs M70, some certs will be distrusted as early as M66; see the 9/11 article.
I've only seen one warning message. There may be variants for related cases.

Here are two sites mentioned in the Chrome Help forum that, as of 12/5, triggered the alerts. When the sites update their certs (which may be soon) the warnings won't appear.

AFAIK: The gate for triggering the distrust and warnings is specific to Chrome. Other browsers are implementing similar restrictions. I haven't seen a statement of the logic triggering the warnings, other than the descriptions in the 9/11 article. This 8/29 Akamai article talks about their CDN update details, and highlights some of the internal issues.

Kayce Basques

Dec 6, 2017, 1:44:31 PM
to Google Chrome Developer Tools
Sorry, I didn't see that you had already created a thread on this topic. Let's consolidate the discussion over at https://groups.google.com/forum/#!topic/google-chrome-developer-tools/QWgY65oGH64