Google have decided to “deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL)”. This comes after “Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight”.
What does that mean for me?
If you are affected by this then your website’s SSL certificate won’t work for Chrome version 70 or later and visitors are going to see an ugly warning like the one below.
Not good! The first beta of Chrome 70 is expected in September.
How do I know if I am affected?
- Start Chrome.
- Navigate to the https version of your website.
- Go to Developer tools (View>Developer>Developer tools from the menu bar) and look at the Console.
- If you see something like the below, then you are affected.
My https://www.perfecttableplan.com website was affected (it uses a GeoTrust SSL certificate provided by my ISP, 1&1). But my https://www.hyperplan.com website was not affected (which uses a GoDaddy SSL certificate).
On my Windows development machine, ESET anti-virus seems to override the SSL certificate used by Chrome, so the console message did not appear. But it did appear in Chrome on my Mac. So you probably want to check from more than one computer.
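The manual check above can be scripted for several sites at once. This is an added example, not from the original post: it reads the issuer of the certificate a server presents to the machine running it and looks for the brand names in the Google statement. The function names are hypothetical and the sample certificates are constructed. A name match is only a hint, because a re-issued certificate can keep the brand name in its issuer, so the Chrome console message remains the deciding check.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Brand names from the Google statement quoted in the post.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
NAME_FIELDS = ("organizationName", "organizationalUnitName", "commonName")

def symantec_brand(cert):
    """Return the first listed brand named in the certificate's issuer, else None."""
    # getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (name, value).
    values = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k in NAME_FIELDS]
    text = " ".join(values).lower()
    return next((brand for brand in SYMANTEC_BRANDS if brand in text), None)

def check(cert):
    """Return (brand_or_None, issue_date) for a dict in ssl.getpeercert() format."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc).date()
    return symantec_brand(cert), issued

def fetch_cert(host, port=443, timeout=10):
    """Fetch the certificate a server presents to this machine."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real), in getpeercert() format.
SAMPLE_AFFECTED = {
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Mar 15 00:00:00 2016 GMT",
}
SAMPLE_OTHER = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
               (("commonName", "Example TLS CA 1"),)),
    "notBefore": "Jan  5 09:34:43 2018 GMT",
}

if __name__ == "__main__":
    # With host arguments, check live sites; otherwise use the constructed samples.
    certs = {host: fetch_cert(host) for host in sys.argv[1:]}
    certs = certs or {"sample-affected": SAMPLE_AFFECTED, "sample-other": SAMPLE_OTHER}
    for name, cert in certs.items():
        brand, issued = check(cert)
        verdict = f"issuer names '{brand}', confirm in Chrome" if brand else "no listed brand"
        print(f"{name}: {verdict} (issued {issued})")
```

Pass host names as arguments to check live sites. The issue date printed for each host shows whether a re-issued certificate is the one actually being served.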
What can I do about it?
Get your certificate re-issued. This was fairly straightforward with my hosting provider 1&1.
As an owner of a small software business I spend too much time dealing with annoying crap like this. Symantec, I have always hated your bloated software. But now you officially suck.
Also, is it any wonder digital certificates are such a rip-off when one company is allowed to own so much of the market?