From October 16, Google will start to roll out the next Chrome version, Chrome 70. It will further strengthen security, but it could spell trouble for thousands of websites as websites using old security certificates may stop working.
According to security researcher Scott Helme, more than 1,000 sites in the top 1 million websites based on Alexa rankings will be affected when Chrome 70 comes out. Some of the affected websites include many government sites from Tel Aviv and India and also Penn State Federal Credit Union. Websites such as Ferrari and Solidworks were also on Helme’s list, but they have since changed their certificates, so they should not face problems now.
“It’s worth noting this list is not exhaustive but I do cover the whole of the Alexa top 1 million. It also won’t find things like subresources on a page using a legacy Symantec certificate that will break, this is just the cert for the site itself,” Helme said in a blog post.
Once Google Chrome 70 is launched, users visiting affected sites will see a security warning.
Last year, Google found that Symantec had improperly issued security certificates. It was also discovered that Symantec gave many organizations the authority to issue certificates despite being aware of security issues with those organizations. Google warned then that it would stop supporting sites with such certificates.
HTTPS certificates are used to encrypt data between the site you are accessing and your system. The encryption makes it impossible for anyone to snoop on your data. HTTPS certificates are also proof of the integrity of the site, which suggests a hacker has not edited the pages.
HTTPS certificates are usually issued by a certificate authority and they follow certain rules and procedures. Over time, web browsers start trusting such certificates, but if that trust is broken, browsers can end support, and that is what Chrome 70 is doing.
Notably, the use of old certificates won’t get sites blocked, at least for now. Users visiting such sites will see a security warning at first, but going forward, Google may decide to ban these sites, considering that it made Symantec aware of the issue last year. Google already started distrusting some certificates in Chrome 66.
Google is expected to drop trust for HTTPS security certificates issued by Symantec before June 2016.
