sb-nz logo
Story image

Mozilla delays distrust of Symantec TLS certificates

15 Oct 2018

Mozilla has delayed its distrust of all Symantec security certificates – because so many businesses have failed to do anything about the problem.

Despite Mozilla’s intention to distrust all TLS certificates issues by Symantec Certification Authority, it seems that more than 1% of the top one million websites are still using Symantec certificates.

Symantec (now part of DigiCert) certificates including GeoTrust, RapidSSL and Thawte are no longer trusted by Firefox.

Since May 2018 (Firefox 60), websites show an untrusted connection error if they have a TLS cert issued before 2016-06-01 that chains up to a Symantec root.

The company has been progressively implemented in Firefox Nightly, which is a pre-release version of the next Firefox browser.

Despite DigiCert’s efforts to make businesses aware of the distrust, it seems some still have not received the message.

DigiCert has even gone as far as providing certificate replacements to affected website owners for no charge.

“Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates,” says Mozilla’s Wayne Thayer.

He adds that user safety is now at stake due to the delay in rolling out the certificate distrust, but that delay is also in users’ best interests. 

“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the tens of thousands of Firefox Nightly users to access them.”

According to Venafi director of enterprise security support Mark Miller, the entire process of distrusting so many certificates can be painful.

“It’s especially painful for organisations that don’t have an automated way to replace their certificates. In fact, many organisations don’t even have a complete inventory of their machine identities.”

“However, by delaying our distrust deadlines we’re leaving the window open for more data to fly out. As security professionals, we need to be able to draw a line and stand behind it with confidence, but to do this organisations will need to prioritise their ability to respond to these kinds of events.”

Mozilla is now delaying the distrust until ‘later this year’ when more sites have replaced their Symantec TLS certificates.

“This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October,” Thayer concludes.  

Story image
Surfshark rolls out WireGuard open source VPN protocol
When there is less code in a VPN, it is less susceptible to security vulnerabilities due to easier configuration and management, according to Surfshark.More
Story image
Microsoft is most imitated brand for phishing attacks in Q3
Popular phishing tactics using the Microsoft brand used email campaigns to steal credentials of Microsoft accounts, luring victims to click on malicious links which redirect them to a fraudulent Microsoft login page. More
Story image
Acronis launches data centre in Auckland
It is the first of 111 planned new data centres globally, allowing for the benefits of data localisation, including regional data sovereignty. More
Story image
The three-pronged security approach that confronts security breaches head-on
Having these three processes working in tandem is key to cushioning the blow of a breach - which, if insufficiently protected, can take on average 279 days to contain and costs an average of almost US$4 million.More
Story image
Gartner reveals the top strategic tech trends for 2021
“CIOs are striving to adapt to changing conditions to compose the future business - this requires the organisational plasticity to form and reform dynamically. Gartner’s top strategic technology trends for 2021 enable that plasticity.”More
Story image
The business case for an in-house ethical hacker
Ethical hackers, also known as penetration testers or white-hat hackers, mimic the techniques used by malicious hackers to try and break into computer systems and discover vulnerabilities before the bad guys can exploit them.More