Google has released the first nightly build of Chrome 70 for developers, which drops support for all certificates issued by Symantec’s old certificate authority infrastructure before 1 December 2017.
The issue with Symantec’s certificate authority dates back to March 2017, when Google and Mozilla engineers discovered that Symantec had misissued 127 SSL certificates. As the investigation continued, the estimate grew to 30,000 certificates.
Bleeping Computer reported that because Symantec was one of the biggest certificate authorities on the Internet, few dared react.
Google took the lead with a proposal to remove support for Symantec’s certificates in Chrome, including Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. The rest of the industry followed its lead.
One of the major problems Mozilla and Google uncovered was that Symantec had misissued test certificates between April 2009 and September 2015.
Mozilla reported that these included certificates for domains Symantec did not own or control, and for which domain validation was not performed.
Among the certificates in Symantec’s publicly trusted hierarchies was one for www.google.com.
A beta version of Chrome 70 is expected to be available by the end of August, with a full release set for 16 October 2018.