Google have decided to “deprecate Chrome’s trust in the Symantec certificate authority (including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL)”. This comes after “Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight”.
What does that mean for me?
If you are affected by this then your website SSL certificate will no longer be trusted by Chrome version 70 or later, and visitors are going to see an ugly warning like the one below.
Not good! The first beta of Chrome 70 is expected in September.
How do I know if I am affected?
- Start Chrome.
- Navigate to the https version of your website.
- Go to Developer tools (View>Developer>Developer tools from the menu bar) and look at the Console.
- If you see something like the below, then you are affected.
My https://www.perfecttableplan.com website was affected (it uses a GeoTrust SSL certificate provided by my ISP, 1&1). But my https://www.hyperplan.com website was not affected (which uses a GoDaddy SSL certificate).
On my Windows development machine ESET anti-virus seems to override the SSL certificate used by Chrome, so the console message did not appear. But it did appear in Chrome on my Mac. So you probably want to check from more than one computer.
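A script that fetches the certificate straight from the server side-steps the anti-virus interception problem above. This is an added example, not code from the post: it classifies a certificate by whether its issuer organisation matches one of the Symantec brands named at the top of the post, which is a heuristic (Chrome's real decision is keyed to specific root certificates), and the sample certificates at the bottom are constructed, not real ones.

```python
import socket
import ssl

# Brands the post names as Symantec-owned. Matching on the issuer's
# organizationName is a heuristic: a hit means "look closer", not a verdict.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")


def issuer_org(cert):
    """Return organizationName from the issuer of a cert in ssl.getpeercert() format."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def looks_symantec_issued(cert):
    """True if the leaf certificate's issuer organisation matches a Symantec brand."""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def check_host(hostname, port=443, timeout=5):
    """Fetch the leaf certificate directly from the server and classify it.

    Talking TLS from a script bypasses local interception (e.g. an anti-virus
    proxy), which is why a browser console on one machine can disagree.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return issuer_org(cert), looks_symantec_issued(cert)


# Constructed sample certificates in getpeercert() layout (not real chains).
SAMPLE_GEOTRUST = {"issuer": ((("countryName", "US"),),
                              (("organizationName", "GeoTrust Inc."),),
                              (("commonName", "Example RapidSSL CA"),))}
SAMPLE_OTHER = {"issuer": ((("countryName", "US"),),
                           (("organizationName", "Example Other CA Ltd"),))}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        org, hit = check_host(host)
        print(f"{host}: issuer={org!r} symantec_brand={hit}")
```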
What can I do about it?
Get your certificate re-issued. This was fairly straightforward with my hosting provider 1&1.
As an owner of a small software business I spend too much time dealing with annoying crap like this. Symantec, I have always hated your bloated software. But now you officially suck.
Also, is it any wonder digital certificates are such a rip-off when one company is allowed to own so much of the market?
I’ve moved all my sites to the Let’s Encrypt free SSL certificates and so far I am pretty happy with them. Your blog also uses them and I guess there’s no need to purchase SSL certificates these days.
I wouldn’t mind if we can get free code signing certificates one day…
I will certainly move to Let’s Encrypt if I move from shared hosting to VPS.
Symantec were rubbish when they were previously known as Norton. As you say, bloated crap offering little in the way of protection that hogged resources. A richly deserved public bollocking.
The saddest thing is that Norton software was really good before Symantec purchased them.
100% agree. Once upon a time, Norton was the gold standard.
Have you checked https://letsencrypt.org/? The most trendy cert provider, that’s for sure :)