Chrome 66 is released today and the stable version will be rolling out to all users. This version comes with new security features including the first step in Chrome distrusting Symantec SSL certificates.
Chrome to distrust Symantec certificates issued before June 2016
Chrome will no longer trust Symantec SSL certificates issued before June 2016. This comes after a long dispute over how Symantec and its various brand names (Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL) handled the issuing of SSL certificates.
The distrust will result in an SSL warning when visiting an affected website. You may notice an increase in these warnings, as thousands of websites are yet to update despite plenty of warning from Chrome and Symantec. If you see this warning and need to access the site, you may need to load it in another browser.
NZ sites in Alexa top 1 Million affected
Some of the NZ sites in the Alexa top 1 million websites are yet to update their certificates, including:
https://jbhifi.co.nz (only the www version has been updated)
The second stage will see Chrome distrust all Symantec certificates in October 2018. This stage will see a lot more NZ sites affected, with potentially 1000s of website owners yet to change their certificate. Firefox will follow suit in its May release and again in October, when it will distrust all Symantec certificates.
If you believe you have a Symantec certificate and wish to check for Chrome distrust, use the Symantec SSL checker tool.
Note: WP Charged uses Let’s Encrypt for issuing SSL certificates, and customers’ websites will not be affected by this. All websites hosted on WP Charged have also been manually checked for third-party scripts that use Symantec certificates.
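The check described above, as an added example that is not part of the original post and not the Symantec tool: it sorts certificates, given in the dict format of Python's `ssl.SSLSocket.getpeercert()`, into the two distrust stages this post describes. Matching the issuer name against the brands listed above and reading "before June 2016" as before 1 June 2016 UTC are assumptions, and the sample certificates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Brand names listed in this post. Matching on the issuer name is a heuristic
# (assumption): the browser decides on the root the chain ends at, not on names.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
# "Issued before June 2016" read as before 1 June 2016 00:00 UTC (assumption).
STAGE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Constructed sample certificates in getpeercert() format (not real site data).
SAMPLES = {
    "old-geotrust": {
        "issuer": ((("organizationName", "GeoTrust Inc."),),
                   (("commonName", "GeoTrust SSL CA - G3"),)),
        "notBefore": "Mar 10 00:00:00 2016 GMT",
    },
    "new-rapidssl": {
        "issuer": ((("organizationName", "GeoTrust Inc."),),
                   (("commonName", "RapidSSL SHA256 CA"),)),
        "notBefore": "Jun  1 00:00:00 2016 GMT",  # exactly on the cutoff
    },
    "letsencrypt": {
        "issuer": ((("organizationName", "Let's Encrypt"),),
                   (("commonName", "Let's Encrypt Authority X3"),)),
        "notBefore": "Feb  1 00:00:00 2018 GMT",
    },
}


def issuer_text(cert):
    """Flatten the issuer RDNs of a getpeercert()-style dict into one string."""
    return " ".join(value for rdn in cert.get("issuer", ()) for _, value in rdn)


def classify(cert):
    """Return 'not-symantec', 'stage1' (Chrome 66) or 'stage2' (October 2018)."""
    issuer = issuer_text(cert).lower()
    if not any(brand in issuer for brand in SYMANTEC_BRANDS):
        return "not-symantec"
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])  # parses the GMT string
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return "stage1" if issued < STAGE1_CUTOFF else "stage2"


if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:14} {cert['notBefore']:26} {classify(cert)}")
```

A `stage2` result means the certificate still works in Chrome 66 but needs replacing before the October 2018 release.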
Other Chrome features on this release include:
- Autoplaying videos will be muted by default unless the website is frequented often.
- A new ‘Site isolation’ feature will help mitigate the risk of side-channel attacks.
- For developers: Pretty printing in the preview tab in developer tools.