Time to Replace Certs: After Google, Mozilla Will Also Distrust All Symantec Root Certificates with Firefox 63
Mozilla has announced plans to distrust Symantec root certificates in Firefox 63, which will be released in October 2018. One of the largest and oldest Certification Authorities (CAs), Symantec has remained at the center of multiple controversies over the wrongful issuance of certificates. While the company sold its CA business to DigiCert, Mozilla and many others believe that it won’t help since the same team would be in charge of certificate issuance.
“A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites,” the Foundation said. “Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec.”
The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox. The proposal includes a number of phases designed to minimize the impact of the change to Firefox users.
These phases are: with Firefox 58 (January 2018), encouraging site owners to replace their TLS certificates; with Firefox 60 in May this year, showing an untrusted connection error; and eventually, with Firefox 63 in October 2018, distrusting Symantec root certificates for website server TLS authentication (with the exception of certificates issued by the Apple and Google subordinate CAs).
“This change affects all Symantec brands including GeoTrust, RapidSSL, Thawte, and VeriSign,” the company said. “The change is already in effect in Firefox Nightly.”
Google detailed similar plans last year, announcing that it would stop trusting Symantec certificates with the release of Chrome 70 later this year. The company announced last week that it has already started the process of ending support for Symantec SSL/TLS certificates and requested immediate action from site operators.