<div dir="ltr">And here's a nice, readable summary from the <a href="https://www.feistyduck.com/bulletproof-tls-newsletter/">Bulletproof TLS Newsletter</a> (free, recommended). <div><br></div><div>(And it's a little concerning that Symantec basically responded with "meh". I professionally recommend moving away from them as a CA. As an alternative, I'm a big fan of <a href="https://letsencrypt.org/about/">Let's Encrypt</a> - <b>free</b>, well executed, <b>automatically renewing</b>, short lifetime, high-quality certs.)<div><br></div><div>Quoting:</div><div><p style="font-family:arial,helvetica,sans-serif;font-size:16px;line-height:1.6em;color:rgb(85,85,85)">Google has <a href="https://sg.feistyduck.com/wf/click?upn=oQtz6-2BN3LpFOOQ1jijZJXM1ldT1stZa4FOoYpexB9UkNzc0jeOy8Wwb7LZNm5DHqnI9zGBMdxhxxYYa16-2FjrqZEomm-2B7extJ6NlaM18fhltIlfEDtYuibuAUGIT6zvrj_22u2kk6fF-2FF3ZKhmM3hJfALHwrGlMVtTFiln3GsyV1gyEZRVhUhGj8ssW9WBLA3yTv2NCJr4xVDZXh0ZIBRNdP2pMZreLzR0YT-2BNDh3qGgGEaUbL-2FtWJXJbS19b8zPv3eEerQ-2F6efPMa48t-2FymKSU4GgsyngcUnt6-2FvoP2Qak8gnqPYUXlS4B0GQR4cszKDaEvIm-2F5AhrP6nL4EGnWmTjqXwRUrpUTftbJ-2FTAWXszb-2F2knBqsqBchh5dG7zhGGSxMDrAB8vE0Sd0nvfSDBCd3xmm8Ib-2BEPgzb-2Ba-2Fus3lO5uL17x0-2BZQ1B6a4jvyjVfbq482sTyp0gdc4q5GjJVlTIMIn3ejpkvG7sPBWfcPMsMOcaEOPNFhzsT2140J-2F0kaCqyEznxbRNFjfcO6567Gg6pfejhiBr4IU000LXRuTgQQ-3D" target="_blank">proposed taking very severe steps against Symantec due to violations of its responsibilities</a> as a certificate authority. 
<a href="https://sg.feistyduck.com/wf/click?upn=P0QF-2FdKfzwSko7-2FGSbXeXCzXWkifVJHDncEFwYis9sTNioiE0Pyvmqwv91FM7uyp54rpA0l25-2FvK956lUE-2Fa95-2FFRpoK5JBjxia7phXeyF6pOQIQmK-2FM6YPlgO1Hh8kc3X4yt0Nk0GDmQ-2B9Q5Drc2sn6XUZyCRcjNeUegvPRqTUgo7hl6SXtI4HoTE4Xe4To_22u2kk6fF-2FF3ZKhmM3hJfALHwrGlMVtTFiln3GsyV1gyEZRVhUhGj8ssW9WBLA3yTv2NCJr4xVDZXh0ZIBRNdP2pMZreLzR0YT-2BNDh3qGgGEaUbL-2FtWJXJbS19b8zPv3eEerQ-2F6efPMa48t-2FymKSU4GgsyngcUnt6-2FvoP2Qak8gnqPYUXlS4B0GQR4cszKDaEvIm-2F5AhrP6nL4EGnWmTjhmJNd8Uonhg61slBXExsKquXrh2QhhkBnzmeTz3RQ8xcyXU56o-2BXrBO8MId-2B8h9YCMLUQqzBilIMif365rZC52n1MpveJi4TFFeszMWn5TX3p29CnHmgmlUMBKcBiwk1RK7bZ9XzPil3rGeseYt9F2BPmgBpHwrRp9XX9rh6UhEV3ODF8hfNWh5NP9RqdIuyun1mswT8iPhWTrtBELAdmQ-3D" target="_blank">In January, it became known</a> that Symantec had issued several certificates for domains that weren't requested by their owners. These certificates were created by the South Korean company Crosscert, to which Symantec had given access to its certificate issuance infrastructure.</p><p style="font-family:arial,helvetica,sans-serif;font-size:16px;line-height:1.6em;color:rgb(85,85,85)">Over the course of the investigation, it became clear that multiple companies had been given similar access to Symantec's infrastructure without sufficient oversight. Symantec knew about some of the problems and didn't come forward with that knowledge. Altogether, around 30,000 certificates have been issued by these companies.</p><p style="font-family:arial,helvetica,sans-serif;font-size:16px;line-height:1.6em;color:rgb(85,85,85)">Google now plans to phase out all currently valid Symantec certificates. Via several steps, the Chrome browser would distrust certificates with certain validity times. In the end, Symantec would in future only be allowed to issue certificates with a validity of nine months. Also, Symantec would lose its ability to issue Extended Validation (EV) certificates. 
Although many people question the utility of EV certificates, they’re a major source of income for certificate authorities due to their higher prices.</p><p style="font-family:arial,helvetica,sans-serif;font-size:16px;line-height:1.6em;color:rgb(85,85,85)">Symantec noted that <a href="https://sg.feistyduck.com/wf/click?upn=P0QF-2FdKfzwSko7-2FGSbXeXDC-2FtDbhvFRiKTSYGxJrTMoquSZn8p2QOqTPINLQXR4g3QN-2FYmB0BRLXv6IoYXrXoUAwR2llBpEWwwBnYNHrVD8-3D_22u2kk6fF-2FF3ZKhmM3hJfALHwrGlMVtTFiln3GsyV1gyEZRVhUhGj8ssW9WBLA3yTv2NCJr4xVDZXh0ZIBRNdP2pMZreLzR0YT-2BNDh3qGgGEaUbL-2FtWJXJbS19b8zPv3eEerQ-2F6efPMa48t-2FymKSU4GgsyngcUnt6-2FvoP2Qak8gnqPYUXlS4B0GQR4cszKDaEvIm-2F5AhrP6nL4EGnWmTjqeE0Rxpwkhvgud508hNJvIMH0E8apz0Pk1r-2BNKm5hPyAbzZPWA5fGwtijGTC2-2F02UmVD6Q5PaWFw4o-2BKjbo0sR15slbnsWvR2aJua7nzVQ2lf79uY9aSjeVU-2BjV6W4r0kAWK948B-2F4cxGKjcyDkg-2BlojMuX6v6XhRBeQq5-2FYFPc20ApJ-2BGOxIMZEdWOHpZeuAsuzV3QsL9mQq0TDxwnK1M-3D" target="_blank">it finds Google’s actions irresponsible</a>. In an <a href="https://sg.feistyduck.com/wf/click?upn=fYxuIZgCn6axJ2NWlsZgccdJwRwxxtwzizAPDL0Hj3htd6mSXPVknc24lX-2BypHW9z5a-2Bt3RnriHh4B7QOwZiinKiSxi3scRKkIDzr5dlZKdjnlufwPZ0WCB-2Bq0bKGC9XHQeBZ2KYFWpwUkuGGVQNC8oS9SnqjIS-2FaNri0st5G2g-3D_22u2kk6fF-2FF3ZKhmM3hJfALHwrGlMVtTFiln3GsyV1gyEZRVhUhGj8ssW9WBLA3yTv2NCJr4xVDZXh0ZIBRNdP2pMZreLzR0YT-2BNDh3qGgGEaUbL-2FtWJXJbS19b8zPv3eEerQ-2F6efPMa48t-2FymKSU4GgsyngcUnt6-2FvoP2Qak8gnqPYUXlS4B0GQR4cszKDaEvIm-2F5AhrP6nL4EGnWmTjkuklnn10yKwvF-2FP-2FnvdCikomhPsH3h-2Fz8Ngnlz20v-2B24Kp7Hxj9xv4Qr8fZfEh-2BjohI10EhTSVaKGkWdaNAW83UbSjmBR-2BY-2FCy3Mu7q3jYsrIMpjDkyI0wOJ1JkIvqWfKzadTos64E560-2Fj-2Bqg0qTNsGxEVjU-2Bi8-2FV4pxYvN52mWpiN8Z3trDA94ZdTnnSwNKD8RfVN5QYa0GR0TCxjrXI-3D" target="_blank">emailed statement, as reported by Ars Technica</a>, Symantec wrote: “Our SSL/TLS certificate customers and partners need to know that this does not require any action at this time.”</p></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 29, 2017 at 11:57 AM, Royce Williams 
<span dir="ltr">&lt;<a href="mailto:royce@tycho.org" target="_blank">royce@tycho.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Urgency: not immediate - but it could impact some sites as soon as June, and could take some lead time to get ready, so analyze soon. And if you depend on visible signs of Extended Validation, that will be impacted almost immediately.<br><br>Impact: Chrome will start distrusting Symantec certs (as well as Thawte, Verisign, and other CA properties owned by Symantec) on a graduated timeline, depending on age and duration of cert. They will also stop showing visible signs of Extended Validation (EV) certs immediately.<br><br>Google announcement and discussion:<br><br>    <a href="https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ" target="_blank">https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/eUAKwjihhBs/rpxMXjZHCQAJ</a><br><br>Good summary of the practical upshot, with timelines:<br><br>    <a href="https://github.com/sleevi/explainer/blob/master/README.md" target="_blank">https://github.com/sleevi/explainer/blob/master/README.md</a><br><br>Alternate checking tool:<br><br>    <a href="https://www.renditioninfosec.com/socapps/sslcheck/index.php" target="_blank">https://www.renditioninfosec.com/socapps/sslcheck/index.php</a><br><br>I also have a feature request in with Qualys to add this to the SSL Labs Server Test:<br><br>    <a href="https://github.com/ssllabs/ssllabs-scan/issues/477" target="_blank">https://github.com/ssllabs/ssllabs-scan/issues/477</a><span class="HOEnZb"><font color="#888888"><br><br>Royce<br>-- <br><a href="http://www.techsolvency.com/roycewilliams/" target="_blank">Royce Williams</a><div><br></div></font></span></div>
</blockquote></div><br></div>
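<p>An added example, not code from either message in this thread or from Google's announcement: a Go screen for the two things Royce's impact note says the Chrome timeline turns on, namely whether a certificate comes from a Symantec-owned brand (the thread names Symantec, Thawte and Verisign) and how long it is valid, measured against the nine-month ceiling the newsletter gives as the proposal's end state. So that it runs offline it builds its own throwaway CA and leaf certificates in memory; the brand list, the issuer-name matching, the hostname www.example.com and the dates are all assumptions made for this example. Against a real server you would feed the leaf of the chain the server presents into <code>Assess</code> instead, and treat a brand match as a first pass only, since what actually matters is whether the chain terminates in one of the affected roots.</p>

```go
package main

// Added example for the impact assessment discussed in the thread; not code
// from either message or from Google's announcement.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA brands the thread names as Symantec properties. Assumption: an issuer
// Organization match is a first-pass screen only; the definitive check is
// whether the chain ends at one of the affected roots.
var symantecBrands = []string{"symantec", "verisign", "thawte"}

// Finding carries the two facts the Chrome timeline keys on.
type Finding struct {
	Issuer         string
	SymantecIssued bool
	ValidityMonths int
	OverNineMonths bool // nine months: the end-state ceiling the newsletter cites
}

// IssuedBySymantecBrand matches issuer Organization values case-insensitively.
func IssuedBySymantecBrand(issuer pkix.Name) bool {
	for _, org := range issuer.Organization {
		for _, brand := range symantecBrands {
			if strings.Contains(strings.ToLower(org), brand) {
				return true
			}
		}
	}
	return false
}

// ValidityMonths counts whole calendar months from NotBefore to NotAfter.
func ValidityMonths(c *x509.Certificate) int {
	months := (c.NotAfter.Year()-c.NotBefore.Year())*12 +
		int(c.NotAfter.Month()) - int(c.NotBefore.Month())
	if c.NotAfter.Day() < c.NotBefore.Day() {
		months--
	}
	return months
}

// Assess classifies a leaf certificate against both criteria.
func Assess(c *x509.Certificate) Finding {
	m := ValidityMonths(c)
	return Finding{c.Issuer.String(), IssuedBySymantecBrand(c.Issuer), m, m > 9}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeTestLeaf builds an in-memory CA with the given Organization and signs a
// leaf for the constructed hostname www.example.com with it; this fixture
// only exists so the example runs offline.
func MakeTestLeaf(issuerOrg string, notBefore time.Time, months int) *x509.Certificate {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{issuerOrg}},
		NotBefore:             notBefore.AddDate(-1, 0, 0),
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	return leaf
}

func main() {
	// Constructed inputs: a 36-month Symantec-branded cert and a 3-month cert
	// from a non-Symantec issuer (Let's Encrypt is the reply's recommended alternative).
	nb := time.Date(2017, 1, 15, 0, 0, 0, 0, time.UTC)
	fmt.Printf("%+v\n", Assess(MakeTestLeaf("Symantec Corporation", nb, 36)))
	fmt.Printf("%+v\n", Assess(MakeTestLeaf("Let's Encrypt", nb, 3)))
}
```

<p>Run with <code>go run</code>; it prints one <code>Finding</code> per constructed certificate. The month count is calendar-based rather than day-based because that is the unit the proposal's thresholds are expressed in, and the day adjustment keeps a certificate that expires a day short of a month boundary from being rounded up.</p>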