Chrome’s Plan to Distrust Symantec Certificates

TungstenX · February 19, 2018, 11:32am

Hi All,

I had a quick scan but it seems that this is not a topic yet. I inspect my site and saw the following warning in the console:
(index):1 The SSL certificate used to load resources from https://api.webtest.net will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

But on the Chrome page it only refers to Symantec. Will this be an issue for us using Let’s Encrypt?

danb35 · February 19, 2018, 11:47am

The Chrome page (and more specifically, the Google security blog you link to) are very specific about why they're doing this with Symantec. What there says anything about Let's Encrypt or any other CA?

cpu · February 19, 2018, 1:59pm

It will not be an issue for Let's Encrypt.

TungstenX · February 19, 2018, 7:06pm

I was concerned because it seems that the warning message was specifically aimed at my certificate.

mnordhoff · February 19, 2018, 7:09pm

https://api.webtest.net/ isn’t using a Let’s Encrypt certificate.

jvanasco · February 19, 2018, 8:06pm

It’s not a topic because it is irrelevant.

Chrome and Mozilla are distrusting Symantec certificates because Symantec had severe and repeated flaws in their issuance procedures that undermined web security. There has been a yearlong, fully transparent, public process to removing them from the web. No other CAs are affected.

Your website is running a Symantec certificate, which (based on the ‘not before’ date) looks like it will be distrusted starting September. I would move to LetsEncrypt now though, so you have plenty of buffer time for working out any kinks in your deployment systems.

jmorahan · February 19, 2018, 9:10pm

@TungstenX is https://api.webtest.net/ your website? Or are you just referencing some resources from there?

TungstenX · February 20, 2018, 5:42am

Thank you for the response. But my site isn’t running a Symantec certificate - it is in fact running a Let’s Encrypt cert: https://paranoidandroid.co.za/

(When you inspect the page, you’ll see in the console the warning)

TungstenX · February 20, 2018, 5:45am

I can’t remember if I ever linked to https://api.webtest.net, maybe Joomla is referencing it?

It seems that I get this warning for all sites I’m visiting o.O (Even this page)

jvanasco · February 20, 2018, 6:14am

then you’re fine. your post listed api webtest netinstead.

jmorahan · February 20, 2018, 8:50am

Maybe it’s a browser extension? EDIT: probably this one? If so it’s their problem, not yours. (Although if a browser extension is making requests to a remote server for every website you visit and you weren’t aware of it, you might want to reconsider having it installed…)

system · March 22, 2018, 8:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.