For the past few months, Google has been engaged in a highly public battle with Symantec, one of the largest providers of SSL certificates in the world.
Google says that Symantec, whose root certificate also powers popular SSL brands such as Norton, Thawte, GeoTrust, RapidSSL, and TC Trustcenter, has mis-issued over 30,000 certificates!
Google (along with Mozilla) is particularly worried about Symantec’s Extended Validation (EV) SSL certificates, which are supposedly only issued after Symantec takes extra steps to verify the identity of the holder.
Google says Symantec's verification process can't be trusted, and has announced that by next Fall it will stop trusting certificates from all of the affected brands.
Which brands are affected?
Norton, Thawte, GeoTrust, and RapidSSL all chain to Symantec's root certificate, which means their SSL certificates will be distrusted relatively soon.
What this means for your business
If you have an SSL certificate issued by any of these brands, your site will no longer be considered secure in Chrome or Firefox starting in April of 2018.
That means instead of seeing the green padlock and your company name in the URL bar, visitors will go to your site and see something like this:
Yikes. To keep that from happening, you need to take some steps.
What you need to do
1. Replace your soon-to-be distrusted SSL certificate
You're going to want to replace your soon-to-be-distrusted SSL certificate as soon as possible. So which brands are still trusted by Google?
Any of the ones not listed above should do the trick, but some of the most popular are GoDaddy, Comodo, and DigiCert.
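Before replacing anything, it helps to confirm which brand actually issued your site's certificate. The script below is an added example, not part of the original post: it reads the issuer of a site's leaf certificate (as Python's `ssl.getpeercert()` returns it) and matches it against the brand names the post lists; the `VeriSign` entry is an addition, because Symantec's public roots carry that name, and the sample certificate data is constructed.

```python
import socket
import ssl

# Brand names from the post that share Symantec's root. "verisign" is added here
# (not in the post) because Symantec's public root certificates use that name.
AFFECTED_BRANDS = ("symantec", "norton", "thawte", "geotrust",
                   "rapidssl", "tc trustcenter", "verisign")


def issuer_fields(cert):
    """Flatten the nested issuer tuples from ssl.getpeercert() into a dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def affected_brand(cert):
    """Return the first affected brand found in the issuer's O or CN, else None.

    getpeercert() only returns the leaf certificate, so the issuer seen here is
    normally the intermediate CA; the brand name appears in its O or CN field.
    """
    fields = issuer_fields(cert)
    haystack = " ".join(v.lower() for k, v in fields.items()
                        if k in ("organizationName", "commonName"))
    for brand in AFFECTED_BRANDS:
        if brand in haystack:
            return brand
    return None


def check_site(hostname, port=443, timeout=5):
    """Fetch a live site's leaf certificate and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return affected_brand(tls.getpeercert())


# Constructed samples in the getpeercert() layout (not real certificates).
SAMPLE_RAPIDSSL = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
}
SAMPLE_OK = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example CA Inc."),),
               (("commonName", "Example Secure Server CA"),)),
}
```

Run `check_site("your-domain.example")` against your own site; a return value other than `None` means the certificate should be replaced.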
2. Remove the distrusted SSL trustmark
Many brands let you use trustmarks to show visitors that your site has a valid SSL certificate. Normally, that’s wonderful. But in this case, if you’re using an affected brand, you’re basically advertising that you’re using a faulty product.
If you have any indication on your site—in your footer, in your checkout page, on your product pages—that you're using a distrusted SSL certificate (like in the above image), you need to remove it from your site.
3. Show off your site’s security
Now that you’ve removed the problem certificate from your site, at the very least you should display an SSL trustmark that lets customers know you’re using a brand that Google and Mozilla approve of.
To do this, add a security certification to your site. In addition to showing people you have a valid SSL certificate, it’ll also let them know your site is free from malware, phishing, and other malicious software. In short, it’ll let them know you’re safe to do business with.
The Symantec-Google kerfuffle is a stark reminder that security isn’t guaranteed on the internet, even from an incredibly established company like Symantec. They can, and did, goof up on a tremendous scale. Your customers know this too, and so taking steps to let them know you’re one of the good guys can benefit your business immensely.