Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world's most popular browser.
"Companies are staring down the barrel of a boat load of work," said David Anthony Mahdi, a research director at Gartner, and the industry research firm's resident expert on digital certificates and the CAs (certificate authorities) that issue them. "This is massive."
Beginning with Chrome 66, currently set to show up the third week of April next year, Google will "remove trust in Symantec-issued certificates issued prior to June 1, 2016," wrote three members of the browser's security team, in a post to a company blog. "If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome."
A follow-up version of Chrome, slated for debut a little more than a year from now, will untrust every Symantec certificate, no matter when it was issued. When Google removes trust from the certificates, users will begin seeing messages, some explicit, others subtler, informing them that the connection between them and the website is insecure.
During the year-long process that Google laid out this week, it will gradually untrust any certificate that chains to roots maintained by Symantec, including those issued by the brand-name CAs Symantec has swallowed over the years, like Equifax, GeoTrust, and, of course, VeriSign.
Here's the Google untrust calendar
Google's schedule looks like this:
Oct. 22-28, 2017: Google will release Chrome 62, which adds a new feature under the "Developer Tools" menu item (under the "View/Developer" menu) that shows affected certificates.
December 2017: DigiCert, which plans to buy Symantec's certificate business for nearly $1 billion, is supposed to have a new "Managed Partner Infrastructure" up and running that month, and be able to issue replacement certificates for those Chrome will untrust in 2018.
April 15-21, 2018: All Symantec-issued certificates obtained before June 1, 2016, will be marked as untrusted by Chrome 66, which is slated to release that week.
October 21-27, 2018: All certificates that chain to Symantec's pre-December 2017 rooted infrastructure will be untrusted by Chrome 70, slated to release that week.
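For site operators working through a certificate inventory, the two cut-offs in the schedule can be applied mechanically to the output of `openssl x509 -noout -issuer -startdate`. The following is an added example, not code from Google or from the article; the sample issuer strings are constructed, and matching on the brand names listed above is a heuristic assumption rather than a full chain check.

```python
import re
from datetime import datetime, timezone

# Brands the article names as chaining to Symantec roots (heuristic match).
SYMANTEC_BRANDS = ("symantec", "geotrust", "verisign", "equifax")
# Article: certificates issued before June 1, 2016 lose trust in Chrome 66.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
RELEASE_WEEK = {"Chrome 66": "April 15-21, 2018",
                "Chrome 70": "October 21-27, 2018"}

def parse_openssl(text):
    """Return (issuer, notBefore) from `openssl x509 -noout -issuer -startdate`."""
    issuer = re.search(r"^issuer=[ \t]*(.+)$", text, re.M)
    start = re.search(r"^notBefore=[ \t]*(.+)$", text, re.M)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    # openssl pads single-digit days ("Mar  1"), so collapse whitespace first.
    stamp = " ".join(start.group(1).split())
    when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return issuer.group(1).strip(), when.replace(tzinfo=timezone.utc)

def chrome_deadline(text):
    """Return the Chrome version that distrusts this certificate, or None."""
    issuer, not_before = parse_openssl(text)
    if not any(brand in issuer.lower() for brand in SYMANTEC_BRANDS):
        return None
    if not_before < CUTOFF:
        return "Chrome 66"
    # An issuer name alone cannot show whether a certificate was reissued from
    # the replacement infrastructure, so every remaining match maps to Chrome 70.
    return "Chrome 70"

# Constructed sample inputs (not real certificates or real CA names in the CN).
SAMPLES = {
    "old.example": "issuer=C = US, O = GeoTrust Inc., CN = Constructed CA 1\n"
                   "notBefore=Mar  1 00:00:00 2016 GMT\n",
    "new.example": "issuer=C = US, O = Symantec Corporation, CN = Constructed CA 2\n"
                   "notBefore=Jun  1 00:00:00 2016 GMT\n",
    "legacy.example": "issuer= /C=US/O=VeriSign, Inc./CN=Constructed CA 3\n"
                      "notBefore=Nov 12 00:00:00 2015 GMT\n",
    "other.example": "issuer=C = US, O = Example Trust Services, CN = Constructed CA 4\n"
                     "notBefore=Jan 15 12:30:00 2015 GMT\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        version = chrome_deadline(text)
        print(host, version or "not affected", RELEASE_WEEK.get(version, ""))
```

A certificate whose notBefore falls exactly on June 1, 2016 is not "prior to" the cut-off, so it lands in the Chrome 70 group rather than the Chrome 66 group.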
Google vs. Symantec
The dispute between Google and Symantec, which led to the former punishing the latter using Chrome as a club, has been months, years even, in the making.