Over the years, Chrome has removed trust in digital certificates from Certificate Authorities that it does not trust to guarantee security. Google today announced finalized plans to remove trust from certificates signed by Symantec due to security lapses that jeopardize the web’s system for identifying websites.
A Certificate Authority (CA) issues the digital certificates that authenticate a website and assure you that you are visiting the legitimate site, as often denoted by the HTTPS lock.
Symantec’s questionable security decisions date back to 2015, but finally came to a head earlier this year. Because various Symantec Certificate Authorities did not follow industry standards, and Symantec was aware of the flaws, the Chrome team lost “confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.”
For its part, Symantec decided to transfer management to an “independently-operated Managed Partner Infrastructure” and sell its division to DigiCert, while rebuilding its infrastructure. Throughout this process, site operators need to take steps to replace their old Symantec certificates, or their users will encounter a warning.
After much debate in the community about the time frame for phasing out the Symantec certificates, Google is widely sharing its plan. Starting with version 66, set to hit the stable channel in April of 2018, Chrome will begin removing trust in Symantec certificates issued prior to June 2016.
Meanwhile, as Symantec completes its transfer to DigiCert, certificates issued by the older Symantec infrastructure will no longer be trusted. Google ultimately plans to remove trust in the older certificates by October 2018 with the release of Chrome 70.