Back in December, Google warned web masters that they needed to shift from HTTP to HTTPS if their site collected any form of sensitive data. It classes sensitive data as information such as credit card details (for processing online orders), personal details or usernames and passwords. Google followed this up with a warning that those sites that didn’t make the switch to HTTPS by the end of January would be marked as non-secure on its Chrome browser.

There is an additional headache looming, however, for those webmasters who have moved to HTTPS but have a certificate issued by the Symantec certificate authority (including Symantec-owned brands such as Thawte, VeriSign, Equifax, GeoTrust and RapidSSL), as Chrome begins its transition to end its trust of Symantec certificates.

The search engine announced its decision to cut ties with Symantec a few months ago following news that a number of certificates had been incorrectly issued. There were claims 30,000 secure certificates had been issued in error – Symantec says just 127 certificates were incorrectly issued.

Regardless of the actual number, the blunder resulted in Google announcing that Symantec certificates would be distrusted from Chrome version 66 onwards. This will affect any site with a certificate issued before 01 June 2016 when the new version of Chrome launches on 17 April.

Those with SSL/TLS certificates issued after 01 December 2017 will also be affected and labelled as non-secure unless they were issued under a new PKI (public key infrastructure). Symantec announced around the time of Google’s decision that its website security and PKI services had been acquired by the specialist provider, DigiCert.

So what happens on 17 April?

When Google launches Chrome 66 on 17 April, any website with an old SSL/TLS certificate from Symantec will trigger a ‘not secure’ warning when visited via the Google browser. Search users will see a ‘not secure connection’ alert advising that someone may try to steal their personal information. The search user will need to click past the warning to continue to the site.

Those sites which haven’t replaced their old Symantec certificate with a new certificate from an alternative source will be penalised further later in the year. When 23 October rolls around and Chrome 70 is released, all Symantec-issued certificates, regardless of the date of issue, will be labelled non-secure.

Webmasters will need to check the origin of their SSL/TLS certificate – even certificates issued under names such as Thawte, GeoTrust and RapidSSL may have a Symantec root, meaning they will still be affected and the site labelled as not secure. A new certificate from a different source will need to be acquired.
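The check described above, written out as an added example (not code from the article or from Google): it applies the article’s Chrome 66 and Chrome 70 rules to a leaf certificate in the dictionary format Python’s `ssl` module returns, using only the standard library. It assumes the issuer’s organizationName is enough to identify a Symantec-owned brand; the sample certificate dictionary is constructed, not real.

```python
"""Added example, not code from the article: classify a leaf certificate the way
the article describes Chrome 66 / Chrome 70 treating Symantec-issued ones.
Standard library only; input is the dict ssl.SSLSocket.getpeercert() returns.
Assumption: the issuer's organizationName identifies the CA brand."""
import socket
import ssl
from datetime import datetime, timezone

# Symantec-owned brands named in the article.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
# Cut-offs from the article: Chrome 66 flags Symantec certificates issued before
# 1 June 2016 or on/after 1 December 2017 (old PKI); Chrome 70 flags all the rest.
CUTOFF_OLD = datetime(2016, 6, 1, tzinfo=timezone.utc)
CUTOFF_NEW = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def is_symantec_issued(cert: dict) -> bool:
    """True if the issuer organization matches a Symantec-owned brand."""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)

def chrome_status(cert: dict) -> str:
    """'ok', 'distrusted_chrome66' or 'distrusted_chrome70'. A certificate from
    DigiCert's new PKI has a DigiCert issuer, so it is reported as 'ok'."""
    if not is_symantec_issued(cert):
        return "ok"
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < CUTOFF_OLD or not_before >= CUTOFF_NEW:
        return "distrusted_chrome66"  # flagged from 17 April 2018
    return "distrusted_chrome70"      # flagged from 23 October 2018

def check_site(hostname: str, port: int = 443) -> str:
    """Fetch a live site's leaf certificate and classify it (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return chrome_status(tls.getpeercert())

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_RAPIDSSL = {"issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
                              (("commonName", "RapidSSL SHA256 CA"),)),
                   "notBefore": "Mar  3 00:00:00 2017 GMT"}
```

`check_site("www.example.com")` runs the same classification against a live site’s leaf certificate; it only sees the certificate the server presents, so for a full chain check the intermediate and root certificates would have to be inspected as well.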

Further Reading: https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html