On Tuesday 16th October, Google Chrome version 70 is expected to be released. In this new version HTTPS certificates issued by Symantec (and its subsidiaries like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL) will be treated as invalid. Google have provided further details in their recent security blog.
While Google Chrome is the first browser to take action, other browsers are following suit, with Mozilla Firefox, Apple’s Safari, and Microsoft’s Internet Explorer and Edge expected to make the same change some time in the next few months. If your website uses a certificate affected by the change, you should urgently seek a new certificate issued by another provider. This might also be a good time to catch up on my previous blog, ‘Serve websites over HTTPS (always)’, for some guidance on why HTTPS is so important.
Users of NCSC Web Check (currently available only to the UK public sector) affected by the change will have received a finding a month ago, which will have become urgent last week. If you have one of these findings and haven’t yet got a new certificate, you should get one urgently. If Web Check isn’t available to you, you can use Symantec’s service to check whether you’re affected.
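For a quick first pass over your own inventory, the sketch below is an added example (not part of the original NCSC post and not how Web Check or Symantec's service works). It assumes certificate details in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and treats issuer-name matching as a heuristic only; the hosts and issuer values are constructed sample data.

```python
import re

# Brand names listed in the article, matched as whole words (heuristic).
BRANDS = re.compile(r"\b(symantec|thawte|verisign|equifax|geotrust|rapidssl)\b", re.I)

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of a getpeercert()-style dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields.setdefault(key, []).append(value)
    return fields

def find_brand(values):
    for value in values:
        match = BRANDS.search(value)
        if match:
            return match.group(1).lower()
    return None

def classify(cert):
    """Return (status, brand); status is replace, review, ok or unknown."""
    fields = issuer_fields(cert)
    if not fields:
        return ("unknown", None)  # no issuer data, e.g. unverified handshake
    brand = find_brand(fields.get("organizationName", []))
    if brand:
        return ("replace", brand)  # issuing organisation is a listed brand
    brand = find_brand(fields.get("commonName", []) + fields.get("organizationalUnitName", []))
    if brand:
        return ("review", brand)  # brand name only: inspect the chain by hand
    return ("ok", None)

def triage(inventory):
    """Keep only the hosts whose certificate needs attention."""
    results = {host: classify(cert) for host, cert in inventory.items()}
    return {host: r for host, r in results.items() if r[0] != "ok"}

def _issuer(org, cn):  # builds the constructed sample entries below
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),), (("commonName", cn),))}

# Constructed inventory: not real hosts and not real certificates.
SAMPLE = {
    "shop.example": _issuer("GeoTrust Inc.", "RapidSSL SHA256 CA"),
    "portal.example": _issuer("Example Trust Services", "GeoTrust RSA CA 2018"),
    "www.example": _issuer("Example CA Ltd", "Example TLS CA 1"),
    "old.example": {},
}
```

Calling `triage(SAMPLE)` returns the three hosts that need attention; a `review` or `unknown` result means the name alone does not settle it, so check the full chain before deciding.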
Jamie H
Senior Security Researcher
Source: National Cyber Security Centre