A lot of secure sites are set to grind to a halt with security error messages in the next version of Google Chrome, after the browser will drop trust for a major HTTPS certificate provider following a series of security incidents.
Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates.
Yet despite more than a year to prepare, many popular sites are not ready.
Security researcher Scott Helme found 1,139 sites in the top one million sites ranked by Alexa, including Citrus, SSRN, the Federal Bank of India, Pantone, the Tel-Aviv city government, Squatty Potty and Penn State Federal to name just a few.
Ferrari, One Identity and Solidworks were named on the list but recently switched to new certificates, escaping any future outages.
HTTPS certificates encrypt the data between your computer and the website or app you’re using, making it near-impossible for anyone — even on your public Wi-Fi hotspot — to intercept your data. Not only that, HTTPS certificates prove the integrity of the the site you’re visiting by ensuring the pages haven’t been modified in some way by an attacker.
Most websites obtain their HTTPS certificates from a certificate authority, which abide by certain rules and procedures that over time become trusted by web browsers.
If you screw that up and lose their trust, the browsers can pull the plug on all of the certificates from that authority.
That’s exactly why Google called it quits on Symantec certificates last year. The search giant, and others, accused Symantec of issuing misleading and wrong certificates — and later, it was discovered that Symantec allowed non-trusted organizations to issue certificates without the required rigorous oversight. That has forced thousands of sites to trash their paid-for certificates and replace them with new ones to prevent their site from flagging up with error messages once the Chrome 70 deadline hits.
But, just as much as browsers can lose trust in a certificate authority, it can also gain the trust of new ones.
Let’s Encrypt, a provider of free HTTPS certificates, gained trust from all the major browser makers — including Apple, Google, Microsoft and Mozilla — earlier this year. To date, the non-profit has issued more than 380 million certificates.