
MY TAKE: Why Google is labeling websites ‘unsafe’ — what publishers need to do about it

One of the things Google’s security honchos have long championed – for the most part out of the public spotlight – is to make HTTPS Transport Layer Security (TLS) the de facto standard for preserving the integrity of commercial websites.

TLS and its predecessor, Secure Sockets Layer (SSL), rely on digital certificates to validate that a website is really what it claims to be. In an environment where spoofed and booby-trapped websites have come to clutter the Internet, this is a vital function.


TLS also leverages public key infrastructure (PKI) encryption to protect the data submitted by users at legit sites. Companies known as Certificate Authorities (CAs) play a pivotal role in issuing TLS certificates and assisting website owners with implementation of PKI.

For the most part, this arrangement has worked very well, although, like anything else in security, it can be improved. On March 15, Google will take a bold step to strengthen TLS – it will advance the process of ending trust in hundreds of thousands of TLS certificates issued by Symantec, the former kingpin CA. With the release of the beta and stable versions of Chrome 66, Google will begin issuing “distrust” alerts to those who visit web sites using any Symantec-rooted certificates issued prior to June 1, 2016.

Engendering trust

Starting Thursday, March 15, this could play out as a rude awakening for web site publishers who haven’t been paying attention. However, the good news is that, thanks to the sudden — and remarkably smooth — handoff of Symantec’s digital certificate business to DigiCert last December, the cavalry is at hand. DigiCert has set up a website where publishers can check if their Symantec-issued certificates need replacement, along with a process through which they can obtain a valid certificate in a few clicks, similar to how they would handle a renewal.


“Anybody that needs to can replace their certificate, which is free, by the way, and easy to do,” says Jeremy Rowley, DigiCert’s EVP of product. “We have support people ready to help you.”

A great amount of effort has gone into getting the word out. But it has been a challenge to get people to heed advisories and act promptly, he says.

How Google found itself having to make this unusual push to distrust all Symantec certificates – and how DigiCert, the longtime No. 2 CA for high-assurance certificates, arose to find itself atop the CA heap – is worth recapping.

Some context: digital certificates secure commercial websites. When used correctly, the URL bar of the validated website will display a green lock icon and an address that begins with https://. A primary role of a CA is to assure the website publisher is legitimate, by doing things like asking the publisher to provide articles of incorporation. This arrangement has proven to engender user trust, and its viability depends on CAs and the browsers adhering to established security standards.

In 2010, Symantec became far and away the largest CA by acquiring VeriSign, bringing any certificates issued by Equifax, GeoTrust, Thawte and RapidSSL under the Symantec umbrella. However, in October 2015 and again in January 2017, Google publicly chastised Symantec for, in its opinion, failing to adhere to security standards.

The search giant and security titan debated this in the first half of 2017, but couldn’t come to a resolution. So in 2017, Google went public with its plan to distrust all Symantec-issued certificates, going forward. And in early August 2017 Symantec announced the sale of its CA business to DigiCert.

Climbing a tall mountain

I had the privilege of attending DigiCert’s Security Summit 2018 at the Aria Hotel in Las Vegas last month and heard DigiCert CEO John Merrill describe what it was like to carry out a technically complex merger under an impossible deadline. He recounted how an agreement in principle to combine DigiCert and Symantec was reached on Aug. 2, 2017. The deal actually closed Nov. 1, 2017. And as part of the deal, Google insisted that all new certificates had to be issued through DigiCert’s systems – by Dec. 1, 2017.

“It was a really tall mountain to climb; it was a very, very tight timeline,” says Merrill. “What it meant is that all of the portals, consoles and systems that the Symantec customers ordered certificates through, instead of going through their validation and issuing systems on the Symantec side, all of that had to be decoupled . . . and then pointed to an API that went to DigiCert’s validation and issuance systems. And all of that had to be done by December 1. It essentially gave us a month.

“We had been planning for this, but the programming really had to happen in one month. If I had to scale it, it was probably a six- to 12-month project. The teams formed by Symantec’s security website business and DigiCert worked around the clock to get it done, and remarkably they did.”

The next challenge for DigiCert was to prepare to handle millions of requests for replacement certificates triggered by Google’s announcement in September 2017 that it would implement a series of ‘distrust’ dates beginning in spring of 2018.

Merrill continued: “We also knew that, in addition to the normal volume, there was a distrust date event coming up March 15th, and that many Symantec customers would want to replace their certificates pretty quickly, with new certificates that would not be distrusted.

“So we planned for this. We put it into our systems, which are scalable, we combined the validation teams from both Symantec and DigiCert, and we hired another 100 people. And we planned for at least double or triple the volume because of these events [but it exceeded that significantly].”

Raising the bar

It is important to note that the March 15 distrust event will only affect users of the beta version of Chrome 66. However, a more thorough eradication of all Symantec-issued digital certificates will ensue a month later when the stable version is released (this is the one that general users see; only about 5% of Chrome users are on beta). Microsoft, Mozilla and Apple have signaled that they each will implement similar distrust events for Symantec certificates – for Internet Explorer, Firefox and Safari browsers, respectively, says DigiCert’s Rowley.

Because they use digital certificates beyond Safari and Internet Explorer, Apple and Microsoft face another level of complexity. “They use digital certificates on their operating systems,” DigiCert’s Rowley notes. “Also, Apple has the iPhone and the Apple Store, and Microsoft uses digitally-signed codes, so there is a lot more they have to take into consideration.”

Starting in July 2018 with Chrome 70 canary and through Oct. 2018, with the release of the stable version of Chrome 70, Google will lead the way again, on the browser side of things, by fully removing trust in Symantec’s old infrastructure and distrusting all Symantec-issued certificates.
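The distrust timeline above (Chrome 66 for certificates issued before June 1, 2016, Chrome 70 for the rest of Symantec's old infrastructure) can be turned into a quick triage of a certificate inventory. This is an added example, not code from the article, DigiCert or Google. It assumes you have captured `openssl x509 -noout -issuer -startdate` output per host, matches the brand names listed in the article in the issuer string as a heuristic, and treats anything issued on or after Dec. 1, 2017 as having gone through DigiCert's systems; the hostnames and sample outputs are constructed.

```python
from datetime import datetime, timezone

# Brands the article lists under the Symantec umbrella. Matching them in the issuer
# string is a heuristic assumed for this example; it is not chain validation.
SYMANTEC_BRANDS = ("symantec", "verisign", "equifax", "geotrust", "thawte", "rapidssl")
CHROME_66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
DIGICERT_HANDOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

def parse_openssl_fields(text):
    """Parse `openssl x509 -noout -issuer -startdate` output into (issuer, not_before)."""
    issuer = not_before = None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "issuer":
            issuer = value.strip()
        elif key == "notBefore":
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            not_before = parsed.replace(tzinfo=timezone.utc)  # OpenSSL prints GMT
    if issuer is None or not_before is None:
        raise ValueError("expected both issuer= and notBefore= lines")
    return issuer, not_before

def classify(issuer, not_before):
    """Return which distrust phase from the article applies to a certificate."""
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return "not-symantec"
    if not_before < CHROME_66_CUTOFF:
        return "distrusted-chrome-66"
    if not_before < DIGICERT_HANDOFF:
        return "distrusted-chrome-70"
    # Assumption: issuance on or after the handoff went through DigiCert's systems.
    return "issued-after-handoff"

# Constructed sample outputs (hostnames and dates are made up for illustration).
SAMPLES = {
    "shop.example": "issuer=C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4\n"
                    "notBefore=Mar  3 00:00:00 2016 GMT",
    "mail.example": "issuer=C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3\n"
                    "notBefore=Feb 14 00:00:00 2017 GMT",
    "new.example": "issuer=C = US, O = DigiCert Inc, CN = GeoTrust RSA CA 2018\n"
                   "notBefore=Jan  9 00:00:00 2018 GMT",
    "blog.example": "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
                    "notBefore=Feb  1 12:30:00 2018 GMT",
}

def triage(samples):
    return {host: classify(*parse_openssl_fields(out)) for host, out in samples.items()}
if __name__ == "__main__":
    print(triage(SAMPLES))
```

A verdict of `issued-after-handoff` rests on the date assumption alone, so confirm those certificates against the actual chain before closing them out.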

This purging of Symantec-issued digital certificates will refresh web PKI and is an important step forward. DigiCert, which has been a leader in valuing security and advancing new standards, has a key role to play. The company has an opportunity to help lead digital certificate and PKI innovations, going forward.

(Editor’s note: Last Watchdog has supplied consulting services to DigiCert.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: http://www.lastwatchdog.com/my-take-why-google-is-labeling-websites-unsafe-what-publishers-need-to-do-about-it/