Symantec SSL Certificates: Do Browsers Trust Your ‘Secure’ Site? | Chris Philpot | RocketMill

Good afternoon RocketMill, this is my first presentation as part of Forefront, so let's get our very best game show ‘oohs’ and ‘aahs’ going on. We have new graphics.

We have a new set. I have a new flower… which, reading the room, was a bad idea. But we still have the same old technical SEO head pontificating for the next 10 minutes, so I apologise in advance.

Now, to today's main topic, which is ‘Symantec SSL certificates: Do browsers trust your ‘secure’ site?’

Google has lost trust in a third of SSL certificates

Now, to give you an idea of what that means, I'd like to take this mumbo-jumbo technical language out of context and imagine a hypothetical scenario in which the UK votes to leave the EU.

Unrealistic, I know. Ironically, notice this sticker is on the back of a Volvo, made in Sweden, but there we go. Just imagine this hypothetical scenario and extend it to say that France stopped respecting any driving licence issued by the DVLA. They decide that, actually, if you're a holidaymaker, you have to pass a driving test in France before you are allowed to panic about priorité à droite. This is pretty much what happened last year, because browsers lost trust in Symantec, who have issued roughly one in three SSL certificates on the web.

Roughly one in three sites use an SSL certificate provided by Symantec. Google Chrome have announced that they are going to remove trust in Symantec SSL certificates, and Mozilla Firefox, another popular browser, has followed suit.

A guide to SSL certificates

If you don't know your SSL from your BLT, here is a beginner's guide to SSL certificates. I'm going to cover what one is, how they work and, crucially, who is allowed to issue them.

What is an SSL certificate?

SSL stands for ‘secure sockets layer’, which is a security technology on the web. (Strictly, the protocol browsers use today is its successor, TLS, but the certificates are still sold and talked about as SSL certificates.)

An SSL certificate, also known as a digital certificate, is something you install on your web server to authenticate your site and prove it is legitimate and not a dodgy lookalike. You buy it, you install it, and it works until the expiry date of the certificate, just like a domain name expires, or indeed, a sandwich.

How they work

This activates HTTPS, which allows secure, encrypted communication between your web server, which hosts the website, and your browser, which is the software on your computer that requests the web pages on that site.

Who can issue them?

Now, to protect web users, browsers only trust SSL certificates issued by trusted certificate authorities, or CAs. Popular CAs include Comodo, DigiCert, Let's Encrypt and, right about there, Symantec, who are actually behind the scenes on four of these brands: Symantec itself, GeoTrust, RapidSSL and Thawte.

That's the important thing, because browsers have lost trust in all Symantec SSL certificates that were issued during a set period. The reason being that Symantec were alleged to have broken industry rules and mis-issued some SSL certificates.

Why Google has lost trust in Symantec SSL certificates

Symantec acknowledges that a former partner business issued certificates without proper domain ownership verification; it says there were 127 cases where this happened, and that these did not harm any consumers. However, Google reckon the number is rather bigger. In fact, they say there are at least 30,000 certificates which were issued over several years by Symantec partners.

Symantec dispute the number, but Google is sticking to its guns and distrusting them anyway.

What is going to happen to Symantec SSL certificates?

First things first, this had a business implication: DigiCert bought Symantec's web security arm and has now taken responsibility for issuing Symantec certificates in their name, but it's DigiCert behind the scenes. Google Chrome is going ahead and removing trust in all Symantec certificates this year, I'll tell you the schedule shortly, with Mozilla Firefox sticking to the same schedule for the benefit of website owners. Basically, they don't have to work to differing timescales depending on the browser. This is going to affect sites using Symantec SSL certificates or, indeed, referencing third-party services secured by Symantec.

It's going to start in March 2018 with the launch of Chrome version 66 (that's the beta; stable follows in April), and it's going to end in September with the launch of Chrome 70 (stable in October), depending on when the certificate was issued. Certificates issued before 1 June 2016 stop being trusted in Chrome 66; everything else issued from Symantec's old infrastructure, i.e. before DigiCert took over issuance on 1 December 2017, stops being trusted in Chrome 70.

What will happen if your website uses a Symantec SSL certificate?

In a nutshell, browsers are going to block users from accessing your content, decimating your traffic, or they will block features of your page. This is what will happen in Google Chrome. It will interrupt the user with a full-page warning message, a lot like this one. The user will have to jump through hoops to access the page and, frankly, 99.9% recurring aren't going to bother. They're not going to risk it. Your traffic's going to plummet, and your rankings are likely to follow. You'll get a very similar message in Firefox. It will also interrupt the user with a full-screen interstitial.

Now, if you reference third-party code which is served from an affected URL, or which itself references an affected URL; so if you have a plugin or a tracking code on your site that is loaded from a host secured with an SSL certificate provided by Symantec during the set periods, then browsers are going to block it from loading, and that will make your page incomplete. Now, in the unlikely event the user allows the script to run, the page will be treated like one with mixed content and you'll get a message a bit like this one, where there is a cross through the ‘HTTPS’ in the address bar. Your page will no longer be completely secure.

How to check your providers

It's crucial to get ahead of these changes and check your site for affected Symantec SSL certificates. Here is how to check your SSL certificate providers.

Use a third-party tool

One of the first ways to do so is to use a third-party tool, this is SSLChecker, to view your certificate chain. The chain shows the layering in which certificates are issued: it will show you who you have secured your site with and who underwrites their certificate, in effect. If you see GeoTrust, RapidSSL, Symantec or Thawte anywhere in the chain, there's a good chance you need to act if you haven't updated your certificate very recently. Here are a couple of other tools which work in exactly the same way.

Just type in your domain and it will show you your certificate chain. One from SSL Shopper and one from DigiCert themselves.

Via Chrome

Alternatively, if you are running an up-to-date version of Google Chrome, the web browser, it will log details of affected SSL certificates to the console, which is a bit like a scribble pad for web developers. It's a place for them to effectively ask for feedback from the browser about the page. If you go to your site in Chrome and hit Control-Shift-I on Windows or Command-Option-I on a Mac to open the developer tools, the Console tab will list the affected certificates.

You can see I've run this on rocketmill.co.uk and we are affected. About a third of the web is, so this is nothing to be worried about. You are not in isolation, but you do need to act.

Importantly, if you look there, it doesn't only affect your first-party certificates, i.e. the one we've used to secure rocketmill.co.uk.

If you are using ad networks, analytics, remarketing, live chat, sharing plugins, reviews – this is not an exhaustive list by any means – popular services which have secured their URLs using Symantec SSL certificates from this period could break on your site. So you need to audit your site for these, make sure these services are updating their SSL certificates, encourage them to do so, and if they don't, potentially remove their code.

What to do if your website is affected

To summarise, what should you do if your website is affected? If you are affected by Google Chrome and Firefox distrusting older Symantec SSL certificates, first things first, if you are using a first-party certificate to secure your site, you can, if you want to, just renew your SSL certificate now. Reissues are now made from DigiCert's infrastructure, and browsers will then trust the certificate until its expiry date. Or you can choose to replace your SSL certificate with a new issue from a different certificate authority, one that's trusted by popular browsers.

Up to you if you fancy a clean slate. Alternatively, if you are including a third-party code snippet, again, you need to find out whether the provider is aware of these changes, they definitely should be, and what they plan to do about it. If they're in the dark, or if they have no plans to update before the deadlines, you need to consider removing the code from the site, or at least know the implications if you don't. Hopefully that's all clear, and if you need any further help, we're on hand. Thank you.
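The two checks above (look for the four Symantec brand names in a certificate chain, then repeat that for every third-party host your page loads from) can be automated. The script below is an added example written for this page; it is not code from RocketMill or from any of the tools mentioned in the talk. It uses only the Python standard library and handles certificates in the dict shape that ssl.SSLSocket.getpeercert() returns, so the offline sample data can be swapped for a live lookup. The hostnames shop.example, tracker.example and cdn.example, the HTML snippet and the certificate records are constructed sample data, and matching the issuer's organizationName against the brand names is an approximation of what the browsers really do (they key the distrust on the public keys of Symantec's legacy roots), so treat a hit as a prompt to check the chain, not as a verdict.

```python
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands operated by Symantec's legacy PKI, plus VeriSign (the name on the old
# Symantec roots). Issuer-name matching is the same heuristic the chain-checker
# tools use; browsers key the distrust on the legacy root public keys.
LEGACY_SYMANTEC_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte", "verisign")

# Google's published cut-offs: leaf certs issued before the first date lose trust
# in Chrome 66; anything else issued before DigiCert took over loses it in Chrome 70.
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
CHROME_70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)


def rdn_value(name, attribute):
    """getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (attr, value) pairs."""
    for rdn in name:
        for attr, value in rdn:
            if attr == attribute:
                return value
    return None


def is_legacy_symantec(cert):
    """True if the issuer's organizationName carries one of the legacy brand names."""
    org = (rdn_value(cert["issuer"], "organizationName") or "").lower()
    return any(brand in org for brand in LEGACY_SYMANTEC_BRANDS)


def distrust_milestone(cert):
    """Return 66 or 70 for the Chrome release that stops trusting this leaf, or None."""
    if not is_legacy_symantec(cert):
        return None
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    if issued < CHROME_66_CUTOFF:
        return 66
    if issued < CHROME_70_CUTOFF:
        return 70
    return None  # reissued from DigiCert's infrastructure: still trusted


class _SrcCollector(HTMLParser):
    """Collect the hosts that scripts, frames, images and stylesheets load from."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "img", "link"):
            return
        for attr, value in attrs:
            if attr in ("src", "href") and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)


def third_party_hosts(html, own_host):
    parser = _SrcCollector()
    parser.feed(html)
    return sorted(h for h in parser.hosts if h != own_host)


def fetch_leaf_cert(host, port=443, timeout=5):
    """Live lookup of a host's leaf certificate (needs network; not used by demo())."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(html, own_host, cert_lookup=fetch_leaf_cert):
    """Map the site and every third-party host on the page to its distrust milestone."""
    return {h: distrust_milestone(cert_lookup(h))
            for h in [own_host] + third_party_hosts(html, own_host)}


# Constructed sample data: hypothetical hosts, not real certificates.
SAMPLE_HTML = """<html><head>
<script src="https://tracker.example/analytics.js"></script>
<link rel="stylesheet" href="/static/site.css">
<img src="//cdn.example/logo.png">
</head><body>hello</body></html>"""

SAMPLE_CERTS = {
    "shop.example": {  # legacy Symantec cert issued before 1 June 2016
        "issuer": ((("organizationName", "Symantec Corporation"),),),
        "notBefore": "Mar  3 00:00:00 2016 GMT"},
    "tracker.example": {  # GeoTrust-branded cert issued before DigiCert took over
        "issuer": ((("organizationName", "GeoTrust Inc."),),),
        "notBefore": "Sep 12 00:00:00 2017 GMT"},
    "cdn.example": {  # unaffected: a different CA altogether
        "issuer": ((("organizationName", "Let's Encrypt"),),),
        "notBefore": "Jan 20 00:00:00 2018 GMT"},
}


def demo():
    """Run the audit offline against the constructed sample data."""
    return audit(SAMPLE_HTML, "shop.example", SAMPLE_CERTS.__getitem__)


if __name__ == "__main__":
    for host, milestone in demo().items():
        print(f"{host}: {'distrusted from Chrome ' + str(milestone) if milestone else 'OK'}")
```

To run it against a real page, pass the page's HTML and your own hostname to audit() and leave cert_lookup at its default of fetch_leaf_cert; a certificate reissued on or after 1 December 2017 comes from DigiCert's infrastructure and returns None, which matches the renew-now advice above.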
