
Web browsers distrusting Symantec certificates
Closed, Resolved (Public)

Description

Google Chrome is distrusting Symantec certificates. This means that after the deadline, anyone using Google Chrome to visit wikis with old certificates will get an "Untrusted certificate" warning on connect. We need to make sure crats are aware of this threat and help them transition. Firefox is following the same path.

Rough timeline:

Date        Action
2017-12-01  DigiCert (who bought Symantec's TLS business) should be able to provide a new certificate for the old site.
2018-03-15  Chrome v66 beta released, which will distrust certificates issued before 2016-06-01. None in the Miraheze fleet.
2018-04-17  Chrome v66 to stable.
2018-05-01  Firefox v60 released to stable, distrusting certificates issued before 2016-06-01.
2018-09-23  Chrome v70 to beta, completely killing old Symantec certs.
2018-10-16  Firefox v63 to stable, completely killing old Symantec certs.
2018-10-23  Chrome v70 to stable.

As far as I can see, the only certificate affected by this is savage-wiki.com, which expires on 2020-12-04.

Event Timeline

revi triaged this task as Normal priority. Jan 6 2018, 18:16
revi created this task.

Support mail sent to RapidSSL support:

Hi,

Given Google's plan to distrust Symantec's infra[1], our users, who are also your customers, will need to find a replacement. Is there any KnowledgeBase page or any information related to this? As far as I can see, RapidSSL and the fleet will no longer be trusted after 2018-10-23, but your KnowledgeBase page[2] says "there is no immediate customer action required at this time." which is no longer true.

Thank you.

[1]: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
[2]: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=ALERT2389&actp=RSS&viewlocale=en_US

RapidSSL response:

RapidSSL has updated our Web PKI hierarchy to modernize and streamline our Public SSL/TLS certificate offerings, and align with changes requested by the browser community. We are now issuing all new Public SSL/TLS certificates from new intermediate CAs. 

Please see new web pki hierarchy details here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO4610

You simply need to replace your certificates to ensure they remain trusted until their expiry dates.

Please see key replacement dates here: https://www.symantec.com/connect/blogs/information-replacement-symantec-ssltls-certificates

They should make it visible in their Knowledge Base....

And this means the problematic cert will be fine until 2018-09-13.

Just as a concept, used-to-be-Symantec certs' issuer looks like this now (after 2017-12):

Issuer:
    commonName                = GeoTrust RSA CA 2018
    organizationalUnitName    = www.digicert.com
    organizationName          = DigiCert Inc
    countryName               = US

We should be checking this before adding new GeoTrust/RapidSSL/Thawte certs (which are all used-to-be-Symantec brands). Notably organizationName = DigiCert Inc.

OK, after taking another look, savage-wiki.com looks like it is safe from the Symantec distrust. (Its issuer is DigiCert, the link from RapidSSL support says "We expect to issue all new Public TLS certificates from this hierarchy starting November 10, 2017.", and the cert's notBefore date is 2017-11-15, so it looks like they're safe, but I'm not sure since it's just 5 days.) I will reconfirm if they have anything in their inbox or such.

Ref: attached screenshot Safari_2018-01-16 09-26-17@2x.png

Even if they are unaffected, I'd better keep task open until the Cr70 stable promotion.

Quick overview, FYI.

Things to have a look at    RapidSSL by Symantec (BAD)             RapidSSL by DigiCert (GOOD)
Certificate sample          private.revi.wiki                      savage-wiki.com
Issuer commonName           RapidSSL SHA256 CA                     RapidSSL RSA CA 2018
Issuer organizationName     GeoTrust Inc.                          DigiCert Inc
CPS                         https://www.rapidssl.com/legal         https://www.digicert.com/CPS
OCSP URL                    http://gp.symcd.com                    http://status.rapidssl.com
Misc                        Bad one has "Precertificate" data[1]   none

[1]: Symantec had mis-issuance problems in the past (before this incident) and was told "Make use of the Certificate Transparency system or we will kill your business".
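The issuer check described above (organizationName = DigiCert Inc vs. the legacy GeoTrust/Symantec/thawte issuers) together with the timeline's 2016-06-01 cutoff, as an added example that is not Miraheze's own code. It parses the text that `openssl x509 -noout -issuer -startdate -nameopt multiline` prints; the two certificate samples are constructed here, modelled on the BAD/GOOD columns of the table:

```python
"""Classify a certificate against the Symantec distrust timeline from openssl text output.
Example code added to this task; the sample inputs below are constructed, not real certs."""
from datetime import datetime

# organizationName values of the legacy Symantec-operated issuers named on this page.
# Anything else (notably "DigiCert Inc") is the replacement DigiCert hierarchy.
LEGACY_ORGS = {"Symantec Corporation", "GeoTrust Inc.", "thawte, Inc."}
CHROME66_CUTOFF = datetime(2016, 6, 1)  # Chrome 66 / Firefox 60 distrust certs issued before this

def parse_openssl_text(text):
    """Pull issuer attributes and notBefore out of `openssl x509 -issuer -startdate -nameopt multiline` output."""
    info = {"issuer": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notBefore="):
            stamp = line[len("notBefore="):].replace(" GMT", "")
            info["notBefore"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        elif "=" in line and not line.startswith("issuer"):
            key, _, value = line.partition("=")
            info["issuer"][key.strip()] = value.strip()
    return info

def distrust_status(info):
    """Return which browser releases (from the timeline above) stop trusting this certificate."""
    org = info["issuer"].get("organizationName", "")
    if org not in LEGACY_ORGS:
        return "unaffected"  # issued by the new DigiCert-operated CAs
    if info["notBefore"] < CHROME66_CUTOFF:
        return "distrusted from Chrome 66 / Firefox 60"
    return "distrusted from Chrome 70 / Firefox 63"

# Constructed sample modelled on the GOOD column (DigiCert-operated RapidSSL CA).
GOOD_SAMPLE = """\
issuer=
    commonName                = RapidSSL RSA CA 2018
    organizationalUnitName    = www.digicert.com
    organizationName          = DigiCert Inc
    countryName               = US
notBefore=Nov 15 00:00:00 2017 GMT
"""
# Constructed sample modelled on the BAD column (legacy GeoTrust-operated RapidSSL CA).
BAD_SAMPLE = """\
issuer=
    commonName                = RapidSSL SHA256 CA
    organizationName          = GeoTrust Inc.
    countryName               = US
notBefore=Mar 02 00:00:00 2017 GMT
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, "->", distrust_status(parse_openssl_text(sample)))
```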

Hi Revi. After reading this do I still need to do a reissue with RapidSSL? They had sent an email asking me to replace my certificate. Let me know if I do!

@Slinkyspectator Hi, in that case, since RapidSSL sent you a message asking for a replacement, I think you should do that. We'll post the CSR later today, so you can start the replacement process as soon as possible. Thanks!

@Slinkyspectator here's your CSR:

revi renamed this task from Google distrusting Symantec certificates to Web browsers distrusting Symantec certificates. Jan 27 2018, 19:13
revi updated the task description.

@Slinkyspectator Hi! It's been over a month and we have not received a new SSL certificate.

These are the new certificates I downloaded, for PKCS#7 & X509. If these are not the right ones let me know!

revi changed the task status from Open to Stalled. Mar 11 2018, 10:44
revi claimed this task.

We're now free from old Symantec infra certificates (with crt.sh/339129070) but I'm leaving this open until Chrome v70 stable date, so we don't forget this.

Zylc raised the priority of this task from Normal to High. Jul 8 2018, 18:00
John lowered the priority of this task from High to Low. Jul 8 2018, 18:26
MacFan4000 raised the priority of this task from Low to Normal. Jul 8 2018, 19:03
John lowered the priority of this task from Normal to Low. Jul 8 2018, 19:19
MacFan4000 raised the priority of this task from Low to Normal. (Edited) Jul 8 2018, 19:55
MacFan4000 subscribed.

But this was the prio before

John lowered the priority of this task from Normal to Low. Jul 8 2018, 20:03
John subscribed.

And I'm reprioritising it because it's stalled, blocked on upstream, waiting for October.

If we’re not using the certs anymore then.