MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2018

 MA-699.042018: MyCERT Advisory – Symantec Certificate Issue
Date first published: 16/04/2018


1.0    Introduction
In March 2017, Google discovered a problem with Symantec-issued SSL certificates: roughly 30,000 SSL certificates had violated industry standards defined in the CA/B Forum Baseline Requirements. As a result, Google Chrome and Mozilla Firefox have announced that they will gradually distrust all Symantec-issued certificates.

The process will be implemented in phases, and a key phase will start taking effect in April 2018. Symantec-issued certificates issued before 1 June 2016 will be distrusted from Chrome 66 and Firefox 60 onwards. Updated versions of Chrome 66 and Firefox 60 are scheduled for release on 17 April 2018 and 9 May 2018 respectively.


2.0    Impact
Users visiting an affected website with a Symantec-issued certificate will encounter a Secure Sockets Layer (SSL) certificate error and will not be able to access the website. If not rectified, this may cause users to lose confidence in the security of these websites and affect the reputation of the affected company.


3.0 Affected Websites
Any website that uses certificates from Symantec-owned brands such as Thawte, VeriSign, Equifax, GeoTrust and RapidSSL will have those certificates deprecated by the Google Chrome and Mozilla Firefox browsers. Users will also be unable to access the contents of the affected websites when using these browsers.

4.0 Recommendation
MyCERT advises affected website administrators who rely on Symantec-issued certificates to obtain a new certificate from any of the trusted CAs, such as Entrust, GlobalSign or GoDaddy, to ensure that their websites remain accessible. Please visit https://cabforum.org/members/ for a list of CAs.

Users can also identify impacted certificates by using the web checker tool created by DigiCert at https://www.websecurity.symantec.com/support/ssl-checker. This tool helps users identify whether their Symantec-issued certificate needs to be replaced by DigiCert or not.
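For administrators with many certificates to triage, the following added example (not part of the original advisory or any vendor tool) sorts certificates into the phases described above using the brand names and the 1 June 2016 cut-off stated in this advisory. It assumes certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and issuer strings in the sample data are constructed, and the function and label names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Brand names listed in this advisory, plus Symantec itself.
BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
# Cut-off stated in the advisory: certificates issued before 1 June 2016.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def issuer_names(cert):
    """Collect organizationName and commonName values from the issuer field."""
    wanted = ("organizationName", "commonName")
    return [v for rdn in cert.get("issuer", ()) for k, v in rdn if k in wanted]


def classify(cert):
    """Return 'not-affected', 'distrust-chrome66-firefox60' or 'distrust-later-phase'.

    Assumption: this matches brand names in the issuer text only. Browsers decide
    on the root a chain leads to, so a name match can be wrong in either
    direction; confirm every hit with the checker tool.
    """
    names = " ".join(issuer_names(cert)).lower()
    if not any(brand in names for brand in BRANDS):
        return "not-affected"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < CUTOFF:
        return "distrust-chrome66-firefox60"
    return "distrust-later-phase"


def report(certs):
    """Map each affected host to its phase, skipping unaffected hosts."""
    phases = {host: classify(cert) for host, cert in certs.items()}
    return {h: p for h, p in sorted(phases.items()) if p != "not-affected"}


def _sample(org, cn, not_before):
    """Build a constructed certificate dict in getpeercert() format."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}


# Constructed sample data (not real sites or real issuing CAs).
SAMPLES = {
    "old.example": _sample("GeoTrust Inc.", "Sample GeoTrust CA", "May 31 23:59:59 2016 GMT"),
    "new.example": _sample("Symantec Corporation", "Sample Symantec CA", "Jun  1 00:00:00 2016 GMT"),
    "other.example": _sample("Example Trust Ltd", "Example Trust CA", "Jan 15 12:00:00 2015 GMT"),
}

if __name__ == "__main__":
    for host, phase in report(SAMPLES).items():
        print(f"{host}: {phase}")
```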

Generally, MyCERT advises users of this product to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Handphone: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: iOS Users or Android Users
 

5.0 References
•    https://www.csa.gov.sg/singcert/news/advisories-alerts/advisory-on-distrust-of-symantec-issued-certificates
•    https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
•    https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html
•    https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/
•    https://www.bleepingcomputer.com/news/security/google-outlines-ssl-apocalypse-for-symantec-certificates/
•    https://cabforum.org/members/
•    https://www.digicert.com/blog/replace-symantec-issued-certificates-ahead-chrome-66-beta-march-15/