Last call for “unsafe” websites as Chrome 70 rolls in

Oct 15, 2018
 
Chrome 70, the updated web browser from Google, is due out on October 16th. Websites lacking appropriate SSL certificates will display a highly deterring “unsafe” warning sign. Thousands of websites are in the cross-hairs.
 
 

What’s an SSL certificate?

 
You may have noticed that some website addresses begin with http:// and some with https://. The extra “s” means the connection is secure, and from tomorrow onwards it will mean an awful lot to web users.
An SSL (Secure Sockets Layer) certificate is a way to establish an encrypted connection. Encrypted means secure, which is vital for online shopping. Would you send your credit card numbers through an unsafe website?
SSL certificates are temporary and need to be renewed. They are issued by various certificate providers, some of which have proved, in the past, to be less reliable than others. One of them, in particular, is Symantec and its subsidiaries.
 

From padlock to a warning sign

 
Depending on the web browser, you’ve already come across the padlock symbol. Sometimes it is open (unsafe) or closed (safe), sometimes green (safe) or red (unsafe).
With last summer’s update of Chrome, Google’s star browser, the warnings stopped being subtle. An ungracious “not secure” sign before the URL makes you think twice before entering the website, if you notice it.
After the October update, a massive warning sign will make you run away screaming. It is always possible to go past it, but that is hardly recommended.
 

What is wrong with Symantec SSL certificates?

 
Through various mishaps in the past, Symantec lost the trust of Google. It started back in 2015 with a batch of bad test certificates. Symantec did it again the following year and “issued 33 bad certificates” when Google counted 30,000. From then on, Symantec certificates were hunted down by Google. Tomorrow comes the final nail in the coffin for Symantec and for the websites hosting certificates from Equifax, GeoTrust, RapidSSL, Thawte, and VeriSign dating back to 2016.
 

Brutal yet not unexpected

 
The method is brutal but not unexpected. The announcement setting this month’s deadline dates back a year. That left a year to comply and adopt another SSL certificate. Yet about a thousand of the top million websites don’t comply, and neither do many more that didn’t make it into the top million.
Mozilla, the maker of Firefox, will proceed the same way but has decided to give users a little more time. Google will not. What about your website? Is it ready?
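
One way to answer that question for a single site, as an added example that is not part of the original article: the Python sketch below reads a certificate's issuer and issue date and flags the brand names listed above. Matching on names is a heuristic assumed for this example, so a hit is a prompt to ask your certificate provider rather than proof that Chrome will reject the site; the sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Symantec plus the brands the article lists as affected.
BRANDS = ("symantec", "equifax", "geotrust", "rapidssl", "thawte", "verisign")


def assess(cert):
    """Inspect a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    # The issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    text = " ".join(issuer.get(f, "") for f in ("organizationName", "commonName")).lower()
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return {
        "issuer": issuer.get("commonName") or issuer.get("organizationName", ""),
        "brand": next((b for b in BRANDS if b in text), None),  # None: no listed brand
        "issued": issued.date().isoformat(),
    }


def check_host(host, port=443, timeout=5.0):
    """Fetch the live leaf certificate of a site and assess it (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # The local trust store already rejects the chain: report that instead.
        return {"issuer": None, "brand": None, "issued": None, "error": exc.verify_message}


# Constructed sample certificates (not captured from real sites).
SAMPLE_FLAGGED = {
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL Example CA"),)),
    "notBefore": "Jun  1 00:00:00 2016 GMT",
}
SAMPLE_CLEAN = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
               (("commonName", "Example TLS CA 1"),)),
    "notBefore": "Sep  3 12:00:00 2018 GMT",
}

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(assess(sample))
```

For a live site, call `check_host` with your own hostname in place of the samples.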