There’s a battle going on between Google and Symantec, and no matter who wins, the loser will be the one-third of the Internet that uses Symantec SSL to certify its e-commerce sites.
Three weeks ago, Google announced that, after a several-year investigation, it had found that Symantec mis-issued over 30,000 SSL certificates for encrypted web connections. Google went on to say it would start downgrading the level of trust its browser, Chrome, places in Symantec certificates. That means no more green lock in the browser and, worse, a red “Not Secure” error message shown to your shoppers.
Symantec, one of the world’s largest certificate authorities, called these claims “irresponsible” and said they “strongly object to the action”. They also disputed Google’s finding of 30,000 improper SSL certificates, claiming the number was only 127.
You can read Google software engineer Ryan Sleevi’s proposal in full here, but this is the relevant section on when Symantec’s trust will be removed:
To balance the compatibility risks versus the security risks, we propose a gradual distrust of all existing Symantec-issued certificates, requiring that they be replaced over time with new, fully revalidated certificates, compliant with the current Baseline Requirements. This will be accomplished by gradually decreasing the ‘maximum age’ of Symantec-issued certificates over a series of releases, distrusting certificates whose validity period (the difference of notBefore to notAfter) exceeds the specified maximum.
The proposed schedule is as follows:
Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
Chrome 63 (Dev, Beta): 9 months validity (279 days)
Chrome 63 (Stable): 15 months validity (465 days)
Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
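The maximum-age check described in the proposal, as an added example (not code from Google’s proposal or from HostDime): it parses the output of `openssl x509 -noout -dates`, takes notAfter minus notBefore, and returns the first Chrome release in the proposed schedule that would distrust the certificate on a given channel. It assumes the certificate is already known to be Symantec-issued; the function names and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta

# Proposed schedule quoted above: (Chrome release, channels, max validity in days).
SCHEDULE = [
    (59, ("Dev", "Beta", "Stable"), 1023),
    (60, ("Dev", "Beta", "Stable"), 837),
    (61, ("Dev", "Beta", "Stable"), 651),
    (62, ("Dev", "Beta", "Stable"), 465),
    (63, ("Dev", "Beta"), 279),
    (63, ("Stable",), 465),
    (64, ("Dev", "Beta", "Stable"), 279),
]

def parse_dates(openssl_output):
    """Return (notBefore, notAfter) parsed from `openssl x509 -noout -dates` text."""
    found = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with an extra space; normalise it.
            found[key] = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter")
    if found["notAfter"] <= found["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return found["notBefore"], found["notAfter"]

def first_distrusted(not_before, not_after, channel="Stable"):
    """First (release, limit_days) on `channel` whose maximum age the cert exceeds, else None."""
    validity = not_after - not_before
    for release, channels, limit in SCHEDULE:
        if channel in channels and validity > timedelta(days=limit):
            return release, limit
    return None

# Constructed sample: a one-year certificate (not a real certificate's dates).
SAMPLE = """notBefore=Jan 10 00:00:00 2017 GMT
notAfter=Jan 10 23:59:59 2018 GMT"""

if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE)
    for ch in ("Dev", "Beta", "Stable"):
        print(ch, (na - nb).days, "days ->", first_distrusted(nb, na, ch))
```

Because Chrome 63 Stable keeps the 465-day limit while Dev and Beta drop to 279 days, the same one-year certificate is flagged one release earlier on the pre-release channels.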
There hasn’t been any substantial update yet regarding if or when this proposal becomes active, but we will update this post when more information becomes available. Hopefully Google and Symantec come to an agreement sooner rather than later.
Luckily HostDime is here so your customers never see a warning on your page. HostDime has partnered with Comodo for SSL certificates, which start at only $30.
The Comodo SSL certificates include domain validation, quick issuance, unlimited re-issues, a 30-day refund, a $10,000 warranty, 99.3% browser compatibility, and 128/256-bit encryption.
For a comprehensive list of differences between the different types of SSL certificates, follow this guide.
Jared Smith is HostDime’s Content Strategist.