Does the Google/Symantec feud leave you on red alert?
The internet is turning red, or at least the HTTPS security lock in Google Chrome is. Back in March, a feud was raging between two tech giants, Google and Symantec, over the authentication of Symantec’s SSL/TLS certificates. If you haven’t heard, this has been a long-running issue (since September 2015), with Google calling into question the validity and security of Symantec’s certificates, the ones that ensure your website is properly encrypted.
Just weeks ago, the feud exploded. In a blog post, Google engineer Ryan Sleevi ascribes somewhere between 127 and 30,000 events of certificate misissuance to Symantec and its network of brands, including GeoTrust, Thawte, and RapidSSL. The same blog post also states Google’s intent to “deprecate and remove” SSL certificates issued by Symantec.
The three severe actions comprise:
1. Reducing the validity period of newly issued Symantec certificates to nine months or less
2. An “incremental distrust” of all currently trusted Symantec-issued certificates
3. Removal of the Extended Validation status of Symantec-issued certificates for at least one year.
However, Symantec defended its position, calling Google’s claims “exaggerated and misleading,” and has pointed the finger back at Google, stating that the internet titan singled out Symantec. It’s true that other Certificate Authorities have been at fault. Recently, for example, WordFence discovered that Let’s Encrypt, the free, open, and automated CA, “has been used to create thousands of SSL certificates for phishing sites illegally using ‘PayPal.’”
But if Google follows through with its threats regarding Symantec, then anywhere between one-third and half of internet sites will be considered ‘insecure.’ This extremely public conversation between Google and Symantec, happening in real time via blogs and forums, is drawing attention to many issues for the digital community.
Linus Ekstrom, Vice President of Technology at Niteco, asserts, “The potential disruption of this prolonged feud is immense. Site-owners cannot wait until Google and Symantec come to a compromise; they need to take the necessary precautions to ensure their website’s security.”
But as the two giants battle it out, it’s the civilians who will be collateral damage. Customers well-versed in CAs can adapt easily, as these security issues are not unique to Symantec’s network, but other customers are still trying to figure out their options as site owners.
How do you know if you’re affected?
With Symantec issuing 42% of the internet’s certificates, customers need to make sure their sites are properly secure and encrypted, otherwise their sites will receive the dreaded warning sign on Google Chrome. Visitors will be alerted to your website’s lack of security, and your brand is put at risk.
Previously, it was relatively simple to see your website’s SSL certificate. You only had to click on the padlock icon in the address bar. But starting with Chrome 56, the way to check requires 5 clicks instead of 2:
1. Go to the Three Dots Menu
2. Click on More Tools
3. Find Developer Tools
4. Click on the Security tab
5. This will show you a Security Overview with a View Certificate Button.
This has more than a few power-users and developers upset at the cumbersome steps to display information. However, there is a small keyboard shortcut for steps 1-3.
For Windows users, press Ctrl+Shift+i, then choose the Security tab. On a Mac, press Cmd+Opt+i.
However you check it, the important question is this: Is your certificate issued by Symantec or one of Symantec’s acquired brands? Is your website security certificate at risk?
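If you have more than a handful of sites to check, the same question can be answered from a script instead of through Developer Tools. The following is an added example, not code from the original article: it uses Python's standard `ssl` module, the brand list is the four names mentioned above, and the substring match on the immediate issuer is an assumption of this sketch (a certificate whose issuer carries a different name but chains to a Symantec root would not be caught).

```python
import socket
import ssl

# Brand names taken from the article. Matching is a case-insensitive
# substring test on the issuer fields (an assumption of this example).
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuple from ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def symantec_brand(cert):
    """Return the matching brand name, or None if the issuer is not listed."""
    fields = issuer_fields(cert)
    keys = ("organizationName", "organizationalUnitName", "commonName")
    text = " ".join(fields.get(k, "") for k in keys).lower()
    return next((brand for brand in SYMANTEC_BRANDS if brand in text), None)


def validity_days(cert):
    """Length of the certificate's validity period in days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated leaf certificate a server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "Example GeoTrust Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    print(symantec_brand(SAMPLE_CERT), validity_days(SAMPLE_CERT))
```

For a live site, pass the result of `fetch_cert("your-domain.example")` to `symantec_brand()` and `validity_days()`; the host name here is a placeholder.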
What more can you do?
Knowing your certificate is one thing, but a weak certificate is still a chink in your security armor. No one solution is 100% reliable, so you must take the necessary precautions to ensure your website’s certificate is purchased from a trusted source.
“If you do need to get your SSL certificate updated, make sure it’s from a trusted and reputable source,” warns Tu Nguyen of Niteco’s IT team. “Other companies may take advantage of this opportunity to offer Symantec customers cheaper prices, but not necessarily deliver certificates that are up to standard.”
Be absolutely sure of your website’s security by using this free scanning tool from GoDaddy. It’s a quick and simple way to see if your site passes Chrome’s security checks.
While Chrome and other browsers take safety and security seriously, it takes time for malicious websites to show up on their radar. If a giant like Symantec (and others) can let even one false certificate slip through its fingers, you must take your site’s security into your own hands.