Chrome Distrusts SSL Certificates


Google recently announced that it will start distrusting certain types of SSL certificates in the near future. Read on to get a dev's perspective.


One of the websites I have been working on has been displaying an error in the console. The error reads as follows.

The SSL certificate used to load resources from https://example.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

But what does this mean? Well, let's start by looking at the link provided.

In January 2017, it was revealed that the Certificate Authorities run by Symantec, which include Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had been issuing certificates that did not comply with the baseline requirements.

Starting with Chrome 66, Google has decided to remove trust for these certificates. Chrome 66 is due for release around the 17th of April. My error mentions M70, so what does that refer to?

Chrome 70, which is due to be released in October 2018, will remove trust for the remaining batch of Symantec certificates.
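A quick way to tell which of the two milestones applies to a given site is to look at who issued its certificate and when. The script below is an added example, not code from the original post: it uses only the Python standard library, matches the issuer against the CA brand names listed above, and sorts the certificate into the M66 or M70 phase using the 1 June 2016 issuance cutoff from Google's published Symantec plan (the page linked in the console message). The `SAMPLE_CERT` dictionary is a constructed sample in the layout `ssl.SSLSocket.getpeercert()` returns, not a real certificate; `fetch_leaf_cert` is a hypothetical helper name for pulling the live certificate of a host you operate.

```python
import socket
import ssl

# CA brands the post names as run by Symantec; matched case-insensitively
# against the issuer's organizationName and commonName.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

# Google's plan (https://g.co/chrome/symantecpkicerts): certificates issued
# before 1 June 2016 are distrusted in Chrome 66, everything else in Chrome 70.
M66_CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")


def _name_values(name, attribute):
    """Collect every value of one attribute from a getpeercert()-style name
    (a tuple of RDNs, each a tuple of (attribute, value) pairs)."""
    return [value for rdn in name for attr, value in rdn if attr == attribute]


def chains_to_symantec(cert):
    """Heuristic: does the issuer carry one of the Symantec-owned brand names?"""
    issuer = cert.get("issuer", ())
    fields = _name_values(issuer, "organizationName") + _name_values(issuer, "commonName")
    text = " ".join(fields).lower()
    return any(brand in text for brand in SYMANTEC_BRANDS)


def distrust_milestone(cert):
    """Return 'M66', 'M70', or None (not affected) for a getpeercert()-style dict."""
    if not chains_to_symantec(cert):
        return None
    issued_at = ssl.cert_time_to_seconds(cert["notBefore"])
    return "M66" if issued_at < M66_CUTOFF else "M70"


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the leaf certificate of a live host you operate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate) in getpeercert() layout:
# a GeoTrust-issued leaf from March 2017, i.e. after the M66 cutoff.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "GeoTrust Inc."),),
        (("commonName", "GeoTrust SSL CA - G3"),),
    ),
    "notBefore": "Mar  4 00:00:00 2017 GMT",
    "notAfter": "Mar  4 23:59:59 2019 GMT",
}

if __name__ == "__main__":
    print("sample certificate distrusted in:", distrust_milestone(SAMPLE_CERT))
```

Run it as-is and the constructed sample lands in M70; swap `SAMPLE_CERT` for `fetch_leaf_cert("your.host")` to check a real site. Treat the brand match as a first-pass screen rather than Chrome's exact logic: Chrome keys on the specific legacy root certificates, and the sub-CAs Symantec ran for Apple and Google under its Managed Partner Infrastructure were excluded from the distrust, so a hit here is a prompt to check the full chain, not a verdict.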

If you are getting one of these errors because you are using a certificate that is going to be distrusted, what will your site look like in Chrome 66 or Chrome 70?

Well, Chrome 66 is now on the dev channel so we can give it a try.

Not very nice for your users, is it? Now is the time to order a new SSL certificate to avoid this happening to your site.

I first saw this error a few months ago and have been reading up about it and waiting for Chrome 66 to reach the dev channel so I could test what it did to my site. However, now that I have Chrome 66 installed, I spotted that the intranet for the company I work for is also affected. I do not directly work on the intranet, so I notified the security team that they may want to look into this.

Unfortunately, the response I received has been that Google needs to fix this before Chrome 66 is released. I am not criticising my employer or the security team, however, this isn't something Google can just "fix."

The certificates were issued by a CA that had issues, so in order to maintain the trustworthiness of all certificates, Google had little choice but to distrust them. Google and security experts need to be making more of a fuss about this, and I am joining in on making a fuss by writing this blog. Scott Helme estimates that there are about 7000 websites which may be affected by the M66 and M70 distrusts.


Published at DZone with permission of