{"id":2386,"date":"2018-10-10T09:02:41","date_gmt":"2018-10-10T16:02:41","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2386"},"modified":"2018-10-10T09:02:41","modified_gmt":"2018-10-10T16:02:41","slug":"delaying-further-symantec-tls-certificate-distrust","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/","title":{"rendered":"Delaying Further Symantec TLS Certificate Distrust"},"content":{"rendered":"<p>Due to a <a href=\"https:\/\/wiki.mozilla.org\/CA:Symantec_Issues\">long list of documented issues<\/a>, Mozilla previously announced our <a href=\"https:\/\/blog.mozilla.org\/security\/2018\/03\/12\/distrust-symantec-tls-certificates\/\">intent to distrust TLS certificates issued by the Symantec Certification Authority<\/a>, which is <a href=\"https:\/\/blog.mozilla.org\/security\/2017\/10\/31\/statement-digicerts-proposed-purchase-symantec\/\">now a part of DigiCert<\/a>. On August 13th, the <a href=\"https:\/\/blog.mozilla.org\/security\/2018\/07\/30\/update-on-the-distrust-of-symantec-tls-certificates\/\">next phase of distrust<\/a> was enabled in Firefox <a href=\"https:\/\/wiki.mozilla.org\/Nightly\">Nightly<\/a>. In this phase, all TLS certificates issued by Symantec (including their GeoTrust, RapidSSL, and Thawte brands) are no longer trusted by Firefox (with a few small <a href=\"https:\/\/wiki.mozilla.org\/CA\/Additional_Trust_Changes#Symantec\">exceptions<\/a>).<\/p>\n<p>In my <a href=\"https:\/\/blog.mozilla.org\/security\/2018\/07\/30\/update-on-the-distrust-of-symantec-tls-certificates\/\">previous update<\/a>, I pointed out that many popular sites are still using these certificates. 
They are apparently unaware of the planned distrust despite <a href=\"https:\/\/www.digicert.com\/news\/digicert-completes-acquisition-of-symantec-ssl\/\">DigiCert\u2019s<\/a> outreach, or are waiting until the release date that was communicated in the <a href=\"https:\/\/groups.google.com\/a\/chromium.org\/forum\/#!msg\/blink-dev\/eUAKwjihhBs\/El1mH8S6AwAJ\">consensus plan<\/a> to finally replace their Symantec certificates. While the situation has been improving steadily, our latest data shows well over 1% of the <a href=\"http:\/\/s3-us-west-1.amazonaws.com\/umbrella-static\/index.html\">top 1-million websites<\/a> are still using a Symantec certificate that will be distrusted.<\/p>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-2390\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-600x332.png\" alt=\"\" width=\"600\" height=\"332\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-600x332.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-252x139.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-768x424.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png 1285w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a>Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. 
It is unfortunate that so many website operators have waited to update their certificates, especially given that <a href=\"https:\/\/www.digicert.com\/replace-your-symantec-ssl-tls-certificates\/\">DigiCert is providing replacements for free<\/a>.<\/p>\n<p>We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year, when more sites have replaced their Symantec TLS certificates, is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in <a href=\"https:\/\/wiki.mozilla.org\/Release_Management\/Calendar\">Firefox 64 Beta when it ships in mid-October<\/a>.<\/p>\n<p>We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the tens of thousands of Firefox Nightly users to access them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Due to a long list of documented issues, Mozilla previously announced our intent to distrust TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert. 
&hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/\">Read more<\/a><\/p>\n","protected":false},"author":1574,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[320076],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Delaying Further Symantec TLS Certificate Distrust - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Wayne Thayer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/\",\"name\":\"Delaying Further Symantec TLS Certificate Distrust - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-600x332.png\",\"datePublished\":\"2018-10-10T16:02:41+00:00\",\"dateModified\":\"2018-10-10T16:02:41+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png\",\"widt
h\":1285,\"height\":710},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Delaying Further Symantec TLS Certificate Distrust\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\",\"name\":\"Wayne Thayer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9d66cb7b8ff76e006a6f0af6fa7d949a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"caption\":\"Wayne Thayer\"},\"sameAs\":[\"https:\/\/x.com\/wthayer\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Delaying Further Symantec TLS Certificate Distrust - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/","twitter_misc":{"Written by":"Wayne Thayer","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/","name":"Delaying Further Symantec TLS Certificate Distrust - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM-600x332.png","datePublished":"2018-10-10T16:02:41+00:00","dateModified":"2018-10-10T16:02:41+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2018\/10\/Screen-Shot-2018-10-08-at-4.16.37-PM.png","width":1285,"height":710},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/10\/10\/delaying-further-symantec-tls-certificate-distrust\/#breadcrumb","itemListElement":[{"@type":"ListIte
m","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Delaying Further Symantec TLS Certificate Distrust"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a","name":"Wayne Thayer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9d66cb7b8ff76e006a6f0af6fa7d949a","url":"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g","caption":"Wayne 
Thayer"},"sameAs":["https:\/\/x.com\/wthayer"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2386"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1574"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2386"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2386\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2386"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}