Blogs

    Publish
     
      • Update on Chrome 53 Bug Affecting Symantec SSL/TLS Certificates

        Oct 20 2017, 8:31 PM

        by Unknown 1

        As mentioned on November 10, 2016, we were made aware of a bug in Chrome version 53 that affects some Symantec, GeoTrust, and Thawte SSL/TLS certificates resulting in an untrusted error displaying when visiting affected websites.  There were no issues with the certificates used on the affected websites, but rather, the issue is entirely a Google bug with specific versions of Chrome, Chromium, Chrome Custom Tabs and WebView.

        Since my initial post, we’ve gained more insight into the scope of impacted platforms and releases for this bug, and although the majority of them have been patched, there is an outstanding issue with Android apps that leverage the WebView version 53. To remedy this problem, end users of affected applications will need to update to the most recent version of WebView (currently, that's version 54) and the forthcoming Chrome version 55 (or later versions). Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility.

        Other Chrome-based applications and platforms have been patched by Google including Chrome Mac, Chrome Windows, Chrome Linux, Chrome Android, Chrome iOS, Chromium, Chromium-based browsers, and Chrome Custom Tabs. All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55 (or later versions). We expect no adverse issues on these platforms at this time, and no action should be required by users leveraging typical update mechanisms.

        Update, February 15, 2017: Google reports that bug fixes have been made available across all platforms. However, in some locations those fixes are not automatically deployed to affected customers. Those customers must manually update their applications to take advantage of the bug fix.

        • Products
        • Google Chrome
        • TLS certificate
        • Symantec Website Security
        • SSL
        • DigiCert Code Signing
        • DigiCert SSL TLS Certificates
        • Products and Solutions
      • Google’s SHA-1 Deprecation Plan for Chrome

        Oct 20 2017, 8:36 PM

        by Brook Chelmo 1

        The latest news in the SSL and web browser industries is Google’s plans to deprecate SHA-1 in a unique way on upcoming releases of Chrome starting with version 39. Considerably different from Microsoft’s plans that were announced in November 2013, Google plans on placing visual marks or placing a block within the browser; all based on the version of the browser, date of use and certificate’s expiration date.

        Here is what you need to know first:

        1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
        2. SHA-2 is the next hashing algorithm to be used.  If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
        3. This issue faces all Certification Authorities, not just Symantec.
        4. All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
        5. Google is using three terms that you may want to familiarize yourself with:
          1. secure, but with minor errors,
          2. neutral, lacking security, and
          3. affirmatively insecure.
        6. Symantec offers free replacements for affected Symantec SSL certificates.

        What we expect to see with future Chrome releases:

        Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

        1. Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”.  The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google:

        google-blog-1.png

        Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

        1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
        2. Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”.  The lock in the address bar will be replaced by a blank page icon as in this example provided by Google:

        google-blog-2.png

        Chrome 41 (Q1-Q2 2015):

        1. Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
        2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”.  The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google.

        google-blog-3.png

        Here is a matrix to help you understand the dates:

        Sample Expiration Dates

        Chrome Version (Beta dates)

        SHA-1

        (Dec 31 2015)

        SHA-1

        (Jan 1 – May 31  2016)

        SHA-1

        (Jun 1 – Dec 31 2016)

        SHA-1

        (Jan 1 2017 and beyond )

        Recommended:

        SHA-2

        Chrome 39

        (Sept. 2014)

        google-blog-4.png

        google-blog-4.png

        google-blog-4.png

        google-blog-5.png

        google-blog-4.png

        Chrome 40

        (Nov. 2014)

        google-blog-4.png

        google-blog-4.png

        google-blog-5.png

        google-blog-6.png

        google-blog-4.png

        Chrome 41

        (Q1 2015)

        google-blog-4.png

        google-blog-5.png

        google-blog-5.png

        google-blog-7.png

        google-blog-4.png

        Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

        What you need to do.

        1. Use our SSL Toolbox to see if your certificates are affected.  SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
        2. If your Symantec certificates are affected you can replace them at no additional charge for a SHA-2 certificate, or a SHA-1 certificate with a validity that does not go past 2015.  Check with your vendor if they have a free replacement program like Symantec.
        3. Install your new certificates.
        4. Test your installation using the SSL Toolbox.
        5. Security Best Practice:  Revoke any certificates that were replaced in step #2.

        For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject.  For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.

        Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.

        • Products
        • Google Chrome
        • website security solutions
        • Symantec Website Security
        • SHA
        • SHA-1
        • chrome
        • DigiCert Complete Website Security
        • Products and Solutions
        • Google
      • SHA1 certificate shown as insecure or with mix content warning on Google Chrome 39

        Sep 09 2014, 8:59 AM

        by Robert Lin 1

        As of late 2014, SHA1 certificates and it's SHA1 trust chain (not including the Root CA) will be considered insecure by Google Chrome.

        A three step process will increase the severity of the warning:

        1. Initially SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon.  This is a lock with a yellow triangle alert icon
           
        2. Severity will increase thereafter, where:  
          SHA1 certificates that expire between 2016/6/1 and 2016/12/31, inclusively, and which contain SHA-1-based signatures in the validated chain, will be shown the "Secure, but minor errors" icon. This is a lock with a yellow triangle. alert icon

          SHA1 certificates that expire on/after 2017/1/1, and which contain SHA-1-based signatures in the validated chain, will be shown the "Neutral, no security" icon. This is the blank page icon, as shown by HTTP URLs. Blank page icon
           
        3. Finally Chrome will render websites with SHA1 certificates that expire on/after 2017/1/1 and which contain SHA-1-based signatures in the validated chain, with the "Affirmatively insecure, major errors" icon. The "Affirmatively insecure, major errors" icon is a lock with a red X. red https
           

        To resolve this issue SHA2 certificates must be installed.

        Google: Gradually sunsetting SHA-1

        What about the Cross Root Chaining? For example:
        Chain one : >>    (1) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca1(N/A)
        or
        Chain two : >>    (2) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha1)<- ca2-ca2(N/A)

        or
        Chain three: >>   (3) example.org-int1(sha256) <- int1-ca1(sha-256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)

        As per Ryan from Google:

        "On all of our platforms, it will prefer (1) if ca1 is trusted. It would only go to (2) if ca1 is not trusted.
        On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."

        • Products
        • Google Chrome
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • Symantec Website Security
        • SHA1
        • DigiCert Code Signing
        • DigiCert SSL TLS Certificates
        • Security Community Blog
        • SHA256
        • Google