one,
process
In March 2017, investigators from Google and Firefox found that Symantec had broken industry rules and issued 127 SSL certificates by mistake.
The number shocked industry experts as Symantec is one of the largest CAs on the market and few dared to react. Google was the first to express dissatisfaction with the Symantec SSL distribution program and announced its intention to phase out support for Symantec certificates in Chrome.
Google pointed out that Symantec's failure to properly verify the domain name was too hasty in the identity verification of applicants for SSL certificates for special domain names. In addition, Symantec employees have neither performed log audits of unauthorized certificates nor made improvements to this flaw. Therefore, Google believes that Symantec does not have enough monitoring capabilities.
This isn't the first time Google has warned Symantec about mis-issued certificates
In September and October 2015, Google discovered that Symantec's Root CA had issued thousands of certificates for numerous domains, including Google-owned and non-existent domains, without consent. Google believes that the certificates issued by this Root CA may be used to intercept, disrupt or impersonate the secure communications of Google products or users and Symantec, knowing the above threats, would not elaborate on the purpose of issuing these certificates.
In December 2015, Google announced that Chrome, Android and other Google products would no longer trust Symantec's "Class 3 Public Primary CA" root certificate.
Final Results
At first Symantec denied all the noncompliance with what it called "exaggerated and misleading" results. Still, Symantec had foreseen a bad outcome and eventually negotiated a consensus. On July 28, Google announced that the proposal agreed by Symantec would extend the implementation time from the original plan of Chrome 62 in October this year to April next year (Chrome 66), phased implementation and finally completely remove the SSL certificate for Symantec. of trust.
Phase 1 Symantec Becomes Sub-CA Dec 1, 2017
December 1, 2017 - Symantec partners with another SSL Certificate Authority to issue certificates under the Symantec name. Symantec will technically be a sub-CASub CA.
Google and other browser makers want to move SSL issuance to another CA's infrastructure to prevent Symantec from breaking the rules and issuing certificates to sites that shouldn't be issuing certificates. Meanwhile Symantec could silently prepare a new infrastructure to build its new SSL business. However, the company has begun to consider selling the CA business.
Phase 2 Chrome 66 does not trust some Symantec certificates April 2018
When Google Chrome 66 was released, the second phase of penalties was expected to begin in April 2018. Starting with Chrome 66, Chrome will not trust all Symantec SSL certificates issued before June 1, 2016.
Phase 3 Chrome 70 does not trust all Symantec certificates at all Oct 2018
When Google Chrome 70 was released, it was expected in October 2018 that Chrome would not trust all Symantec SSL certificates issued before December 1, 2017.
Google Chrome will delete all of Symantec's current root certificates. Other CAs acquired by Symantec, such as GeoTrustThawte and Rapid SSL, will suffer the same penalty. FirFox, Safari and other browser makers may follow suit soon. Website managers using Symantec SSL certificates and their GeoTrustThawte and Rapid SSL certificates on their applications or websites should replace other globally trusted SSL certificates as soon as possible.
Reference:https://www.cnbeta.com/articles/soft/636841.htm
2. Youdao appeared on April 24, 2018
(1) safria browser is ok
(2) Firefox is ok
(3) Chrome is a reported insecurity problem
(4) The company's
