      • Raising the Bar for Security and Trust on the Web

        Sep 11 2015, 7:38 PM

        by Brook Chelmo

        Recently, Symantec updated its certificate issuance controls to pay special attention to domains flagged for excessive abuse, malware, spam, and other suspicious activity.  We recently received intelligence that .PW domains had a history of suspicious and abusive behavior.  After further analysis, we decided to place a hold on issuing minimally-authenticated Domain Validated SSL/TLS certificates and are instituting a policy of only offering the stronger authenticated Organization and Extended Validation SSL/TLS certificates to .PW domains.  Part of this change included the revocation of a small number of domain validated SSL/TLS certificates previously issued for these domains.  Additionally, we have engaged with the registry that controls .PW to identify ways that can improve the safety of this top level domain for consumers.  Several other country-code and generic top level domains are also special targets for attackers, which we will continue to evaluate on an on-going basis as well.

        In contrast, forward-looking, security-minded registries such as fTLD Registry Services, the owner of the .bank and .insurance top level domains, are raising the bar for security for all of their customers. As a best practice, before authorizing a domain sale these registries ensure that only valid, qualified entities operate on these domains, and thereby protect the reputation of these spaces. As the original Certification Authority and the market leader for website security solutions, Symantec believes that verifying identity is critical for establishing trust and for ensuring the security of both consumers and the organizations they connect with online.

        Symantec works with the general public to help identify fraudulent websites.  If you would like to report SSL/TLS misuse, please log it here.

        • domains
        • DigiCert Code Signing
        • certificate
        • Products
        • TLS
        • website security solutions
        • issue
        • Symantec Website Security
        • .pw
        • SSL
        • revoke
        • Products and Solutions
        • Security
      • Symantec CryptoExec for cPanel & WHMCS Makes SSL Administration Easy for Hosting Providers

        Aug 04 2015, 6:23 PM

        by Brook Chelmo

        Symantec would like to introduce the new CryptoExec for cPanel and WHMCS for hosting providers.  CryptoExec for cPanel & WHMCS automates the SSL issuance process, reducing errors and removing the manual steps in ordering and administering SSL certificates for customers.  The intuitive and easy-to-use GUI helps customers buy and install SSL certificates.  Here is how it works:

        WHMCS Benefits

        The solution enables partners to utilize the popular WHMCS for billing/procurement of Symantec, GeoTrust, RapidSSL, and Thawte SSL and code-signing certificates and to provide a shopping cart experience.  The partner can also offer Trust Seals through WHMCS. 

        Another advantage of the solution is the flexibility of two purchase paths: a voucher-based path and a classic SSL path. The voucher-based path is recommended for partners who have both cPanel and WHMCS, so a customer can buy vouchers in WHMCS and redeem them in cPanel. The classic SSL path is recommended for partners who use WHMCS but not cPanel.

        cPanel Benefits

        CryptoExec also supports cPanel, the popular control panel for hosting providers. Partners can use it to redeem vouchers purchased through WHMCS and automatically install all SSL certificate types without manual intervention.

        Through cPanel, the Certificate Signing Request (CSR) generation is completely automated for partners who support both WHMCS and cPanel.  Additionally, the end customer will see live status messages on the progress of the certificate’s validation and installation.  cPanel will also provide a list of existing Symantec SSL certificates and the details related to each certificate. Through CryptoExec the complete lifecycle of an SSL certificate is covered; users can reissue, revoke and renew all SSL certificates through this solution. 

        The CryptoExec cPanel and WHMCS modules also give hosting providers troubleshooting capability for orders placed through WHMCS and cPanel.

        For WHMCS

        1. Download Symantec™ CryptoExec for WHMCS directly from Symantec’s Knowledge Base

        2. Add the module to your WHMCS installation

        3. In WHMCS, set up a few initial product configurations and your customers are ready to start purchasing Symantec products!

        For WHMCS and cPanel

        1. Download Symantec™ CryptoExec for WHMCS and Symantec™ CryptoExec for cPanel directly from Symantec’s Knowledge Base

        2. Add the module to your WHMCS and cPanel installations

        3. Within each system, set up your initial configurations and your customers are ready to start purchasing Symantec products!

        • cPanel
        • SSL certificate
        • DigiCert Code Signing
        • Hosting
        • Products
        • TLS certificate
        • voucher
        • website security solutions
        • Symantec Website Security
        • CryptoExec
        • WHMCS
        • Products and Solutions
        • provider
      • The New 39-Month SSL Certificate Maximum Validity

        Oct 20 2017, 8:42 PM

        by Brook Chelmo

        The past few years within the SSL certificate industry have been busy with changes.  1024-bit RSA certificates are long gone, using public SSL certificates on servers with internal domain names is starting to disappear, and the SHA-1 hash algorithm is starting to see its final days.  So what is next?

        Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months.  SSL certificates have limited validity periods so that the identity information of the certificate’s holder is re-authenticated more frequently.  It is also a best practice to limit how long any key stays in use: a shorter lifetime gives an attacker less time to compromise the key and narrows the window in which a stolen key remains useful.

        In line with the latest Certification Authority/Browser Forum Baseline Requirements, CAs will stop issuing 4- and 5-year SSL certificates in the near future.  Symantec plans on eliminating these options in late February 2015 on all SSL management consoles.  Extended Validation (EV) SSL certificates still have a maximum validity period of 27 months, but Organization Validated (OV) and Domain Validated (DV) certificates (DV not offered by Symantec) will have this new 39-month lifespan.

        So how will this affect those who install SSL certificates?  The average person installing certificates in a large enterprise will have to go through the enrollment process a little more often.  If an organization at that scale finds this detracts from employee productivity, it may want to look at leveraging Symantec Certificate Intelligence Center Automation.  Someone in a small organization who issues SSL certificates only infrequently may find themselves looking for SSL installation instructions a little more often.  To help you, Symantec has always offered a wealth of information online via our Knowledge Base (the preceding site will be migrating to this location in the near future) and offers amazing support by phone.


        Please let us know what you think below in the comment section.

        • CA BF
        • SSL certificate
        • DigiCert Code Signing
        • Validity
        • Products
        • website security solutions
        • 39-month
        • Symantec Website Security
        • SSL
        • SSL Cert
        • DigiCert SSL TLS Certificates
        • Products and Solutions
        • Certification Authority Browser Forum
      • Symantec to Pre-Verify Applicants on .bank and .insurance gTLDs

        Dec 16 2014, 12:40 AM

        by Brook Chelmo

        As recently announced, fTLD Registry Services has partnered with Symantec to verify applicants before domain names are approved in the new .bank and .insurance generic Top-Level Domains (gTLDs).  So what does this truly mean?  Ultimately, it offers a form of brand protection for .bank and .insurance in this new era of the Internet. 


        July 2013 through February 2014 marked the second major landrush for addresses on the Internet.  Companies from around the world applied to ICANN to operate nearly any gTLD they could think of (namely common search terms).  For example we have applied to operate .symantec and .norton.  With the new gTLDs as options for website developers, there are increasing risks to end-users who may confuse spoofed destinations with their real counterparts.  For instance, let’s say ChelmoBank.com was a real address with millions of customers visiting daily. 

        Without pre-verification there would be little stopping a hacker from creating a spoofed ChelmoBank.bank or Chelmo.bank website in order to confuse my customers and funnel them into a phishing scam as they do with subdomains (e.g., ChelmoBank.example.com). fTLD Registry Services recognizes this and is acting as the responsible operator of this new portion of the Internet.  Fundamentally, this is a best practice among gTLD operators.  It not only provides better brand protection, but it also enables website owners to go through a majority of the processing for an SSL certificate, which will allow the owners to easily apply for and rapidly install an SSL certificate from Symantec.  At the end of the day this drives value for gTLD operators and allows their new virtual tenants to be seated among other websites which have all been vetted.  Personally, I see this as the equivalent of setting up shop in a shopping mall in an affluent neighborhood. 

        If other registry service organizations would be interested in doing something similar to what fTLD Registry Services has done.

        • Authentication
        • gTLD
        • Products
        • website security solutions
        • Symantec Website Security
        • Verification
        • .bank
        • fTLD
        • DigiCert Code Signing
        • Products and Solutions
        • .insurance
        • symantec
      • SSL; More than Encryption

        Mar 29 2018, 8:34 PM

        by Brook Chelmo

        While doing an online search for “SSL Certificates”, one of the ads said “$4.99, Why Pay More?”  Without clicking on the ad I know what they are going to offer me: a simple domain validated (DV) SSL certificate.  This certificate will encrypt my site’s traffic at a basic level, but this isn’t 1997; the business climate and threat landscape have changed, and so have our requirements for security.  SSL is more than encryption.  We have to consider trust, security, service, certificate management and reliability.  While many Certification Authorities are cutting corners to compete with each other on price, Symantec is working around the clock to continually deliver best-in-class solutions.  At Symantec we believe in these core factors, as do 91% of the Fortune 500 and 94 of the top 100 financial institutions in the world.  Here’s why:

        1. Increased End-Consumer Trust

        • Trust Seal -- Trust seals suggest that websites are safe to interact with.  The Norton Secured Seal has been shown through independent research to be the most recognized trust seal on the Internet.  Offered only by Symantec, it is seen about 4 billion times per month on websites all around the world.  The seal assures visitors that they are communicating with organizations that not only encrypt their traffic but are also legitimate organizations that have gone through Symantec’s strong authentication screening.
        • Visual Cue -- The “Green Bar” also represents that a site is trustworthy.  With Symantec EV certificates, browsers change the color of the address bar to green, serving as a cue for safe interaction.  DV certificates provide no such visual cue to website visitors.

        2. Stronger Business Authentication and Website Security

        • Authentication -- With every Symantec certificate, Symantec performs strong authentication to ensure that a website visitor can trust who they are communicating with.  Security-minded organizations realize that encryption alone is not enough and require, as a matter of policy, that all certificates issued for their organization have strong authentication.  On the other hand, domain validated certificates, like those that Let’s Encrypt intends to offer, will only provide encryption of data.   Thus, they will not prevent a credit card number or password from going to an encrypted website that may be fraudulent.
        • Scanning and Alerts -- Symantec products also secure customer websites with scanning for critical vulnerabilities and active malware.  Symantec proactively notifies customers about security risks within a customer’s unique environment and provides guidance to ensure that such issues are quickly and easily resolved. 

        3. Simplified Certificate Management and Live Worldwide Support

        • Management Tools -- Symantec enables customers to track and manage large volumes of certificates with a wide range of tools.  Organizations are often burdened with the complexity of managing a variety of SSL certificates, which may include self-signed certificates, client certificates, or SSL certificates that chain up to public roots.
        • Accessible Technical Support -- Symantec provides 24/7/365 support worldwide to ensure that customers’ sites stay up, running and secure, with optional premium support that includes SLAs on problem escalation and resolution.  This is a critical component for organizations that need to ensure that their website operations remain available.  A free offering like Let’s Encrypt rarely comes with any form of live support.

        4. Powerful Technical Capabilities and Advanced Options

        • Client Ubiquity -- As the longest operating Certification Authority, Symantec’s roots are in more clients than any other Certification Authority.  Organizations that want to support Always on SSL and connectivity with the greatest number of users choose Symantec to secure their transactions.
        • Advanced Certificate Options -- Symantec Secure Site Pro products include both RSA 2048-bit and ECC 256-bit certificates.  ECC keys give equivalent security with much smaller keys and faster handshakes, and pair well with ECDHE cipher suites, which provide forward secrecy (forward secrecy comes from the ephemeral key exchange, not from the certificate’s key type).  These high security, high performance certificates are the future of SSL/TLS encryption, and Symantec’s ECC roots are in more clients than any other Certification Authority’s.
        • Best in Class Revocation -- Symantec provides revocation information to clients through both the Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs).  Both of these services are updated continually to communicate certificate revocation activity to clients worldwide.  The services are tuned to provide the fastest response times possible.   In the case of websites, OCSP response times can impact page load times and Symantec has invested in its infrastructure to provide OCSP responses in about 50 milliseconds for almost every major region in the world.  

        5. Reliable Security and Business  Assurances

        • Warranties -- Symantec offers the highest warranties of any Certification Authority.  These warranties can cover customers for losses of up to $1,750,000 from incorrect information contained on Symantec certificates.
        • Military-Grade Data Centers -- Symantec’s roots and signing services are protected by the most stringent physical, network, and logical security and process controls.   The hardened facilities provide our customers with confidence that certificate issuance for their domains will not be compromised.  With ten years of continuous uptime, Symantec’s robust continuity practices are the best in the industry.
        • Contractual Commitments -- Symantec customers have a contractual commitment from Symantec to maintain their products for the term of their contract.  For Let’s Encrypt, a non-profit, open-source Certification Authority, it will be difficult to offer such contractual guarantees, given the significant expenses associated with operating a publicly audited Certification Authority.
        • Focused investment – As the world’s largest security company, Symantec has both the resources and the motivation to ensure that our SSL products are uncompromised.  Vulnerabilities like Heartbleed have clearly demonstrated that, despite the good intentions of the OpenSSL project, a non-profit organization with limited resources will be challenged to keep up with the rapidly changing security threat landscape.

        Modern Security for Modern Needs

        Companies that know security understand they need to use modern-day security solutions in today’s environment and that SSL is more than just simple encryption.  Please keep all of these factors in mind as you are building out your webserver security plans.  For more information on Symantec SSL, please visit our website.

        • SSL Encryption
        • SSL certificate
        • DV cert
        • Go Daddy
        • certificate
        • symantec
        • Products
        • website security solutions
        • Norton Secured Seal
        • Symantec Website Security
        • SSL
        • DigiCert SSL TLS Certificates
        • Products and Solutions
      • Who's Watching You Sleep?

        Nov 25 2014, 10:48 PM

        by Brook Chelmo

        Thanks to George Orwell’s classic book 1984, I graduated high school thinking I would eventually live in a world monitored and suppressed by world governments.  In the wake of the PRISM scandal in 2013 I started to get the feeling that Orwell’s dystopian novel was looking like an ill-timed prophecy.  In light of comedian Pete Holmes’ rant on how privacy is uncool, it is little brother (us) leaking our secrets; no one has to steal them from us.  If you thought unmanaged social media privacy settings were bad, how much would you cringe if you knew you were letting people watch you sleep?  Welcome to the perils of the Internet of Things (IoT).

        Up until very recently a number of security camera manufacturers were shipping internet-connected cameras (AKA IP cameras) with default passwords, and many of those passwords were never changed by the purchaser after setup.  It was only a matter of time before someone set up a website displaying many of these feeds (up to 73K at its peak).

        Let me introduce Insecam, the website dedicated not only to showing you the unrestricted feeds of home and commercial security cameras but also to where they are located, along with the admin usernames and passwords.  In addition, it has social plugins that let you share your favorite feeds with your community.  Taken from the pages of the improving-through-shaming security book, the site claims to seek the end of default passwords, yet places advertisements conveniently next to the navigation icons.


        On my review of the site, I saw mundane shots of doors and walkways and more mild scenes of people working the front counters of gas stations and dry-cleaners.   With a chill down my spine I saw a bartender drinking the profits and an overhead shot of a girl scrolling through a fashion site.  What startled me was the sheer number of cameras in bedrooms, a no-no in my world.  Granted, a majority of these were aimed at cribs, but the alarming part was the number of unsecured cameras pointed at hospital patients, adult beds, living rooms, and private hot tubs.  Sadly, various online forum contributors claim to have found dead bodies and adults in very private or intimate situations.  Situations like this define the need for better security in the internet of things landscape.

        No matter what colored bucket of hacker you place Insecam’s creator into, they have exposed a gaping hole in the IoT landscape.  In 2011 there were over 9 billion devices connected to the internet, and by the year 2020 that number is expected to be close to 24 billion.  This is a cause for concern for manufacturers and companies like Symantec, and a potential bonanza for hackers.  As more and more things come online, we are discovering new vulnerabilities and finding that some security practices are out of date.  There are obstacles with current security practices, but there are ways to overcome them.

        Better Password Management

        I’m not a fan of passwords.  Since we have to live with them, we have to learn how to use them.  I wrote a fun mocku-blog on password best practices for you to loathe and share.  Passwords are a very weak form of security and Insecam proved that.  Two-factor authentication can be used to install and access IP camera feeds via a computer or mobile device.  If you have the time, take a peek at this white paper from Symantec on digital certificates used for authentication.

        When all is said and done, Insecam victims used default ports and passwords and were most likely discovered by an IP address scanning tool.  A simple change of the password would remove them from the site, but it could still be guessed by a serious stalker.  Keep in mind that passwords are the number one thing sought after by hackers, since we often reuse the same ones on multiple sites.  Here is how they do it.

        Encryption; an IoT solution

        As a best practice, all data should be encrypted in transit between host and client, and at rest.  If device manufacturers encrypted the stream and required client authentication, only the authorized end user could view it.  This would slow the feed a bit, but it would secure the connection.  If marketers want to instill trust in their internet-connected devices, they need to consider building a security promise into their messaging.  So how can they encrypt a live feed?

        My engineering buddy and counterpart Frank Agurto-Machado recommends embedding a private SSL root CA within each device.  The connection between the manufacturer’s infrastructure and the camera would then be secured and encrypted, with client authentication against this private root.  Ultimately, this may increase the cost of a device, but it would help better ensure security.  While this does NOT remedy password hijacking, it secures the connection point-to-point between the “client” and the host.  Symantec offers Private CAs to enterprises that need customized encryption for server-to-server communication or for applications such as this.
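        As an added example of the design just described (Python, written for this page; it is not code from the post or from Symantec), the script below builds a toy version of that private PKI and then exercises it: a self-signed private root whose certificate every device would carry, a leaf certificate for the manufacturer's gateway and one for each camera, and a TLS endpoint that refuses any client that cannot present a certificate chaining to that root.  It shells out to the `openssl` command line to create the keys and certificates in a temporary directory, then runs three handshakes over loopback with Python's `ssl` module.  The gateway hostname `camera-gateway.example`, the file names and the `camera-0001` identity are assumptions made up for the demo.  The rogue case is the point of the private root: an attacker with their own CA can mint a certificate that also claims to be `camera-0001`, but the gateway trusts only the manufacturer's root and rejects it.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

GATEWAY_NAME = "camera-gateway.example"        # assumed hostname of the manufacturer's endpoint

def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def make_private_ca(d, name):
    """Self-signed private root: kept by the manufacturer, embedded in every device as the trust anchor."""
    cnf = os.path.join(d, name + ".cnf")
    with open(cnf, "w") as f:
        f.write("[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n"
                "[dn]\nCN = %s\n"
                "[v3_ca]\nbasicConstraints = critical, CA:TRUE\n"
                "keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n" % name)
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".pem")
    _openssl("req", "-x509", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
             "-days", "3650", "-keyout", key, "-out", crt)
    return key, crt

def issue_cert(d, ca_key, ca_crt, name, extensions, cn=None):
    """Leaf certificate signed by a CA: one for the gateway, one per camera (cn defaults to name)."""
    cnf, ext = os.path.join(d, name + ".cnf"), os.path.join(d, name + ".ext")
    with open(cnf, "w") as f:
        f.write("[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n" % (cn or name))
    with open(ext, "w") as f:
        f.write("basicConstraints = CA:FALSE\n" + extensions)
    key, csr, crt = (os.path.join(d, name + suffix) for suffix in (".key", ".csr", ".pem"))
    _openssl("req", "-new", "-config", cnf, "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key, "-CAcreateserial",
             "-days", "825", "-extfile", ext, "-out", crt)
    return key, crt

def gateway_accepts(ca_crt, gw_key, gw_crt, cam_key, cam_crt):
    """One mutually authenticated handshake over loopback. True only if the gateway finished the
    handshake, i.e. the camera presented a certificate chaining to the private root."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.verify_mode = ssl.CERT_REQUIRED            # a client certificate is mandatory...
    srv.load_verify_locations(ca_crt)               # ...and only the private root may have issued it
    srv.load_cert_chain(gw_crt, gw_key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    port = lsock.getsockname()[1]
    result = {}

    def serve():
        try:
            conn, _ = lsock.accept()
            conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:
                subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
                result["camera"] = subject.get("commonName")
        except (ssl.SSLError, OSError) as exc:
            result["error"] = str(exc)              # unknown CA, or no certificate at all

    worker = threading.Thread(target=serve)
    worker.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # the device verifies the gateway's cert and hostname too
    cli.load_verify_locations(ca_crt)
    if cam_crt:
        cli.load_cert_chain(cam_crt, cam_key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                cli.wrap_socket(raw, server_hostname=GATEWAY_NAME) as tls:
            tls.recv(1)          # TLS 1.3 clients finish first; wait for the gateway's verdict
    except (ssl.SSLError, OSError):
        pass                     # a rejected camera sees an alert or a closed connection here
    worker.join()
    lsock.close()
    return "camera" in result

def demo():
    """Build the PKI in a temp dir and try three cameras against the gateway."""
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_crt = make_private_ca(d, "camera-root-ca")
        gw_key, gw_crt = issue_cert(d, ca_key, ca_crt, GATEWAY_NAME,
                                    "extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n" % GATEWAY_NAME)
        cam_key, cam_crt = issue_cert(d, ca_key, ca_crt, "camera-0001", "extendedKeyUsage = clientAuth\n")
        rogue_key, rogue_crt = make_private_ca(d, "rogue-ca")      # an attacker's own CA
        bad_key, bad_crt = issue_cert(d, rogue_key, rogue_crt, "rogue-camera",
                                      "extendedKeyUsage = clientAuth\n", cn="camera-0001")
        return {
            "genuine camera": gateway_accepts(ca_crt, gw_key, gw_crt, cam_key, cam_crt),
            "rogue-CA camera": gateway_accepts(ca_crt, gw_key, gw_crt, bad_key, bad_crt),
            "no certificate": gateway_accepts(ca_crt, gw_key, gw_crt, None, None),
        }

if __name__ == "__main__":
    print(demo())
```

        As the post says, this does nothing about a stolen or default password; what it removes is the ability of an arbitrary client on the Internet to open a session to the stream at all, because the gateway never gets past the handshake with anyone who lacks a manufacturer-issued certificate.  On a real device the private key would be generated on the camera (ideally in a secure element) rather than in a temp directory, and the gateway would bind the certificate's identity to that specific unit and check a revocation list for devices reported stolen.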

        The Security Trade-Off


        Throughout world history, humans have always had to juggle access against fortification when it comes to security.  Our ancestors had to find a way to secure a food hoard that would not take hours to hide or cover.  Castles had to let soldiers and citizens pass freely yet survive a siege.  Anti-virus software on your PC has to let you surf the internet quickly yet check, and possibly restrict, all incoming traffic.  Manufacturers in the IoT space have to learn how to balance these two and improve customer messaging to help users set up trustworthy and secure devices.

        Edit:  Since the writing of this blog, Insecam has been shut down.  It appears to have been taken down by a third-party hacker.

        • Products
        • website security solutions
        • Symantec Website Security
        • encryption
        • passwords
        • password
        • Identity and Authentication Services
        • IoT
        • DigiCert Code Signing
        • white hat
        • VIP (Validation ID Protection)
        • Products and Solutions
      • The SSL 3.0 Vulnerability – POODLE Bug (AKA POODLEbleed)

        Oct 20 2017, 8:27 PM

        by Brook Chelmo


        A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

        (Updated Dec. 9, 2014) Recently, a new variant of the POODLE vulnerability (CVE-2014-8730) was found to affect even versions of TLS, the successor to the SSL protocol.  This new vulnerability works against sites that use load balancers that have incorrectly implemented encryption padding checks, and may affect around 10% of servers.  Certain models of F5 and A10 load balancers are susceptible, and as part of best practices we recommend that users apply vendor-supplied patches as they become available.

        It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design but in the old SSLv3 protocol.  SSL Certificates are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.

        It is believed not to be as serious as the Heartbleed bug in OpenSSL, since an attacker needs a privileged position in the network, between the client and the server, to exploit POODLE.  Public Wi-Fi hotspots make that position easy to obtain, which makes this attack a real problem.  This type of attack falls into the “man-in-the-middle” category.

        Background

        While SSL 3.0 was introduced in 1996, it is currently supported by nearly 95% of Web browsers according to Netcraft’s latest report.  Many Transport Layer Security (TLS) clients downgrade their protocol to SSL 3.0 when working with legacy servers. According to Google, an attacker who controls the network between the computer and the server can interfere with the handshake used to negotiate which protocol version the server accepts, in a “protocol downgrade dance”, forcing the client to fall back to the older SSL 3.0 protocol.  The downgrade works because many clients retry a failed handshake with a lower protocol version; the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507) was introduced so that a server can detect and reject such retries.  The attacker then exploits the bug, through a man-in-the-middle (MITM) attack, to decrypt secure HTTP cookies, which could let them steal information or take control of the victim’s online accounts.  Although, at the time of writing, webmasters are disabling SSL 3.0 and moving to TLSv1 and above at a rapid pace, a lot of work remains.  If Heartbleed taught us anything, it’s that the largest companies act fast while many small companies drag their heels in patching critical vulnerabilities.

        What Businesses Need to Do

        In order to mitigate the bug there are a few courses of action:

        1. Check to see if your webservers are vulnerable using our free SSL Toolbox.
        2. Disable SSL 3.0 altogether, or at least disable SSL 3.0 CBC-mode ciphers (the latter leaves only RC4 over SSL 3.0, which has weaknesses of its own, so disabling the protocol outright is the better option)
        3. A cloud-based Web Application Firewall can help protect against this kind of vulnerability.  For more information please visit our website.
        4. Be leery of any spam messages from scammers trying to capitalize on uncertainty and a lack of technical knowledge.
        5. If applicable, implement F5’s patch.  For information on A10 Networks, please click here for their patch.

        My colleague Christoffer Olausson gives a few tips on how to fix this on Apache (mod_ssl):

        > SSLProtocol All -SSLv2 -SSLv3        <- in your SSL configuration (ssl.conf or the HTTPS virtual host): allow all protocols except SSLv2 and SSLv3

        > apachectl configtest                 <- test your configuration

        > sudo service apache2 restart         <- restart the server (the service is named httpd on RHEL/CentOS)

        At the time of writing Google and Mozilla have either removed SSL 3.0 support from their browsers or are in the process of doing so.
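        As an added example (Python, written for this page, not code from the post or from Symantec), here is a small probe that does what step 1 asks for without a third-party tool: it sends a raw SSL 3.0 ClientHello offering only CBC cipher suites and classifies the first record the server sends back.  A ServerHello carrying version 3.0 means the server will still negotiate SSLv3 with a CBC suite, the combination POODLE needs; an alert or a dropped connection means it refuses.  The `fallback_scsv` option appends the TLS_FALLBACK_SCSV value from RFC 7507, the downgrade signal browsers added after POODLE: a server that implements it answers a downgraded hello with the `inappropriate_fallback` alert (86).  The `sample_*` helpers build constructed server responses (not captures from any real server) so the parser can be exercised offline; `probe()` is the only part that touches the network.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"                       # record/handshake version for SSL 3.0
TLS_FALLBACK_SCSV = b"\x56\x00"          # RFC 7507 signalling cipher suite value
# CBC-mode suites an SSLv3 server might pick: AES128-SHA, AES256-SHA, DES-CBC3-SHA, DHE-RSA-DES-CBC3-SHA.
# If the server picks any of these over SSLv3, the CBC padding flaw POODLE abuses is reachable.
SSL3_CBC_SUITES = [b"\x00\x2f", b"\x00\x35", b"\x00\x0a", b"\x00\x16"]

def build_client_hello(version=SSL3, suites=SSL3_CBC_SUITES, fallback_scsv=False):
    """Raw SSLv3 ClientHello record (no extensions: SSL 3.0 has none)."""
    suite_bytes = b"".join(suites) + (TLS_FALLBACK_SCSV if fallback_scsv else b"")
    body = (version
            + os.urandom(32)                                  # client random
            + b"\x00"                                         # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello(1), uint24 length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake  # content type handshake(22)

def classify_response(data):
    """Interpret the first record a server returns for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "closed"                      # no record at all: the server dropped the connection
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        return "sslv3_accepted" if payload[4:6] == SSL3 else "other_version"
    if content_type == 0x15 and len(payload) >= 2:                           # Alert
        desc = payload[1]
        if desc == 86:
            return "refused_inappropriate_fallback"   # RFC 7507: SCSV seen with a downgraded version
        if desc == 70:
            return "refused_protocol_version"
        return "refused_alert_%d" % desc
    return "unknown"

def probe(host, port=443, timeout=5):
    """Network check: does this server still negotiate SSL 3.0 with a CBC suite?"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return classify_response(s.recv(4096))

# Constructed server responses (not captured from a real server) for exercising the parser offline.
def sample_server_hello(version=SSL3, suite=b"\x00\x2f"):
    body = version + b"\x00" * 32 + b"\x00" + suite + b"\x00"   # version, random, empty session id, suite, null compression
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

def sample_alert(description, version=SSL3):
    return b"\x15" + version + b"\x00\x02" + b"\x02" + bytes([description])   # level fatal(2), description

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

        Run it as `python poodle_probe.py example.com 443`; anything other than `sslv3_accepted` means that server cannot be downgraded into the vulnerable configuration by this path.  The probe checks one host and port, so load balancers and alternate ports have to be probed separately, and it says nothing about the TLS-level variant (CVE-2014-8730), which is a padding-check bug in specific implementations rather than a protocol-version problem.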

        What End-Users Need to Do

        For end-users accessing websites Symantec recommends:

        1. Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).
        2. Avoid MITM attacks by making sure “HTTPS” is always on the websites you visit.
        3. Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
        4. Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.

        More Information

        Symantec has published knowledge base articles on the subject for your reference.  See below:

        Symantec Managed PKI for SSL Users

        https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&id=AR2182

        Symantec Trust Center/Trust Center Enterprise Users

        https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR2183

        Stay Connected

        Stay connected with us for more updates on this vulnerability and others.  Follow us on Twitter, Facebook, or visit our technical forums for issues with managing SSL and code-signing certificates.

        • POODLEbleed
        • SSLv3
        • Poodle bug
        • Products
        • bug
        • website security solutions
        • SSL
        • POODLE Attack
        • SSL 3.0
        • DigiCert Complete Website Security
        • DigiCert SSL TLS Certificates
        • vulnerability
        • Products and Solutions
        • POODLE
      • Google’s SHA-1 Deprecation Plan for Chrome

        Oct 20 2017, 8:36 PM

        by Brook Chelmo

        The latest news in the SSL and web browser industries is Google’s plan to deprecate SHA-1 in a unique way in upcoming releases of Chrome, starting with version 39.  Considerably different from Microsoft’s plans, announced in November 2013, Google plans to place visual marks or a block within the browser, based on the browser version, the date of use and the certificate’s expiration date.

        Here is what you need to know first:

        1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
        2. SHA-2 is the next hashing algorithm to be used.  If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
        3. This issue faces all Certification Authorities, not just Symantec.
        4. All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
        5. Google is using three terms that you may want to familiarize yourself with:
          1. secure, but with minor errors,
          2. neutral, lacking security, and
          3. affirmatively insecure.
        6. Symantec offers free replacements for affected Symantec SSL certificates.

        What we expect to see with future Chrome releases:

        Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

        1. Any SHA-1 SSL certificate, on a page, that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”.  The lock within the address bar of the browser will have a yellow arrow over the lock as in this example provided by Google:

        [screenshot provided by Google omitted]

        Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

        1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
        2. Additionally, pages secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “neutral, lacking security”.  The lock in the address bar will be replaced by a blank page icon, as in this example provided by Google:

        [screenshot provided by Google omitted]

        Chrome 41 (Q1-Q2 2015):

        1. Sites secured with a SHA-1 certificate with validity dates terminating between 1 January 2016 and 31 December 2016 inclusive will be treated as “Secure, but with minor errors.”
        2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”.  The lock will have a red “X” over it with the letters “HTTPS” crossed out with a red font as in this example provided by Google.

        [screenshot provided by Google omitted]

        Here is a matrix to help you understand the dates.  Rows are Chrome versions (with beta dates); columns are sample certificate expiration dates; each cell is how Chrome will treat a page secured with such a certificate:

        Chrome version         | SHA-1, expires by Dec 31 2015 | SHA-1, expires Jan 1 – May 31 2016 | SHA-1, expires Jun 1 – Dec 31 2016 | SHA-1, expires Jan 1 2017 or later | Recommended: SHA-2
        Chrome 39 (Sept. 2014) | secure                        | secure                             | secure                             | secure, but with minor errors      | secure
        Chrome 40 (Nov. 2014)  | secure                        | secure                             | secure, but with minor errors      | neutral, lacking security          | secure
        Chrome 41 (Q1 2015)    | secure                        | secure, but with minor errors      | secure, but with minor errors      | affirmatively insecure             | secure

        Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

        What you need to do.

        1. Use our SSL Toolbox to see if your certificates are affected.  SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
        2. If your Symantec certificates are affected you can replace them at no additional charge for a SHA-2 certificate, or a SHA-1 certificate with a validity that does not go past 2015.  Check with your vendor if they have a free replacement program like Symantec.
        3. Install your new certificates.
        4. Test your installation using the SSL Toolbox.
        5. Security Best Practice:  Revoke any certificates that were replaced in step #2.

        For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject.  For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.

        Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.
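        As an added example (Python, written for this page; not code from the post, from Symantec's SSL Toolbox or from Google), the script below applies the schedule above to a certificate you already hold.  It walks just enough DER to pull the signature algorithm OID and the notAfter date out of an X.509 certificate, then reports the treatment for Chrome 39, 40 and 41.  Only the outer structure is parsed and no signature is verified; the `sample_certificate` helper assembles a structurally valid but unsigned certificate so the code can be tried offline, and the dates and OIDs in it are constructed for the demo.  It checks one certificate at a time, so run it on each intermediate as well as the end-entity certificate, since a SHA-1 intermediate under a SHA-2 leaf is affected too.

```python
import datetime

# Signature algorithm OIDs Chrome's plan treats as SHA-1 (sha1WithRSA, ecdsa-with-SHA1, dsa-with-sha1).
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1", "1.2.840.10040.4.3"}

# --- minimal DER reader: just enough to walk Certificate -> tbsCertificate -> validity ---
def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value (SEQUENCE etc.) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                     # UTCTime YYMMDDHHMMSSZ (RFC 5280: 50-99 => 19xx)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").date()   # otherwise GeneralizedTime

def inspect_certificate(der):
    """Return (signature algorithm OID, notAfter date) of one DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs, sig_alg, _signature = _children(cert)         # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = _children(fields[3][1])                  # serial, signature, issuer, validity, subject, spki, ...
    return _decode_oid(_children(sig_alg[1])[0][1]), _decode_time(*validity[1])

def chrome_treatment(sig_oid, not_after, chrome_version):
    """Google's announced treatment of a SHA-1-signed certificate by Chrome version and expiry."""
    if sig_oid not in SHA1_SIGNATURE_OIDS:
        return "secure"
    jan2016, jun2016, jan2017 = datetime.date(2016, 1, 1), datetime.date(2016, 6, 1), datetime.date(2017, 1, 1)
    minor = "secure, but with minor errors"
    if chrome_version == 39:
        return minor if not_after >= jan2017 else "secure"
    if chrome_version == 40:
        if not_after >= jan2017:
            return "neutral, lacking security"
        return minor if not_after >= jun2016 else "secure"
    if chrome_version >= 41:
        if not_after >= jan2017:
            return "affirmatively insecure"
        return minor if not_after >= jan2016 else "secure"
    return "secure"                                     # releases before 39 show no SHA-1 warnings

def chrome_report(der):
    """Treatment of one certificate across the three announced releases."""
    oid, not_after = inspect_certificate(der)
    return {v: chrome_treatment(oid, not_after, v) for v in (39, 40, 41)}

# --- constructed sample: a structurally valid, unsigned certificate (demo only, not a real cert) ---
def _der(tag, payload):
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def sample_certificate(sig_oid, not_after="170630235959Z"):
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")            # AlgorithmIdentifier, NULL params
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after.encode()))
    spki = _der(0x30, _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + b"\x05\x00") + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                          # empty signature: never verified here
```

        For a real certificate, convert PEM to DER first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the bytes of `cert.der` to `chrome_report`.  Note that `chrome_treatment` looks only at the signature algorithm and expiry, exactly as the schedule does; a SHA-2 leaf still gets the SHA-1 treatment in practice if any intermediate in its chain is SHA-1, which is why each certificate in the chain has to be checked.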

        • Products
        • Google Chrome
        • website security solutions
        • Symantec Website Security
        • SHA
        • SHA-1
        • chrome
        • DigiCert Complete Website Security
        • Products and Solutions
        • Google