Mozilla laments that replacement of less reliable Symantec certificates is slower than expected

by Caspar Rubin

Because the certificates issued by Symantec's affiliated Certification Authorities (CAs) include unreliable ones, Google announced that it plans to invalidate certificates issued by Symantec's CAs in stages in the Google Chrome web browser. Like Google, Mozilla plans to gradually invalidate TLS certificates issued by Symantec in Firefox, but Mozilla warns that multiple major websites have left the affected certificates in place.

Delaying Further Symantec TLS Certificate Distrust | Mozilla Security Blog

On August 13, 2018, the phased measures to invalidate Symantec's certificates advanced one step in "Firefox Nightly", one of the developer versions of Firefox. As a result, TLS certificates issued by Symantec's CAs, including GeoTrust, RapidSSL, and Thawte, became invalid in Firefox Nightly, with some exceptions.

However, many popular sites are still using certificates issued by CAs under the Symantec umbrella. According to the latest data, 1% of the top 1 million websites accessed worldwide are still using Symantec TLS certificates that have been announced for invalidation.

The following graph shows the percentage of sites using Symantec certificates scheduled to be invalidated among the top 1 million (red), top 10,000 (green), top 1,000 (yellow), and top 100 (blue) websites. The horizontal axis shows time and the vertical axis shows the percentage. As of October 2018, 1% of the top 1 million and of the top 10,000 are still using Symantec certificates.

Many websites have not replaced their certificates even though some time has passed since the invalidation of Symantec's certificates was announced. Invalidating Symantec certificates in other versions of Firefox, as was done in Firefox 63 Nightly, would therefore affect many users.

DigiCert, which acquired Symantec's PKI business, announced that it will replace the old certificates slated for invalidation free of charge, but many website operators still have not updated their certificates. "This is very disappointing," Mozilla lamented.

Mozilla said that delaying the schedule for invalidating Symantec's certificates increases other risks, but that, given the current situation, it is best to postpone the invalidation until more Symantec TLS certificates have been replaced, and that it will postpone the release of the change until the second half of 2018. However, Firefox 64 Beta, scheduled for release in mid-October 2018, plans to invalidate Symantec's certificates.

in Software, Security, Posted by logu_ii