Mozilla has announced that it will continue to trust Symantec certificates for longer than planned because many parties are still using them. It has been known for some time that Mozilla and Google, among others, will withdraw trust in the certificates.
In a blog post, Mozilla cites statistics indicating that more than one percent of the one million most popular sites on the Internet still use certificates issued by Symantec, which includes GeoTrust, RapidSSL and Thawte. As a result, the organization has decided to postpone the next phase of its distrust of Symantec certificates from the Firefox 63 beta to the Firefox 64 beta, with the stable release due in December. In this phase, with some exceptions, trust in all certificates issued by Symantec is removed.
With this delay, Mozilla hopes to give sites more time to switch certificates. It points to DigiCert, which bought Symantec’s certificate business last year and offers free replacement certificates. Slowing down the process should also mean that fewer users experience problems with sites that still use Symantec certificates, and should reduce the risk to those users. Researcher Scott Helme previously published an overview of sites that still use old certificates.
Google plans to remove trust in Symantec certificates with the release of Chrome 70. This version of the browser should be released on October 16. Google has not yet announced anything about a possible postponement. Chrome 70 is the final step in Google’s previously announced schedule, which Mozilla also refers to. Trust in Symantec certificates is being withdrawn because, among other things, the company had incorrectly issued certificates.
Google's schedule for Symantec certificates