Major Chrome SSL certificate issue – Could your site now be insecure?

By Graham Hansell | Trust & Technology

Apr 16

 

Chrome is not accepting Symantec SSL certificates from the 17th April 2018. Check and update your certificate ASAP.

Reading time: 3 mins 40 sec

As from the 17th April 2018, your website might just be about to go insecure with all Chrome users – Google Chrome will no longer be accepting the Symantec SSL certificate.
To put this into context, this could affect ‘one out of every two’ of your customers – as powerful as that sounds Google Chrome is used by over 50% of the worlds Mobile, Tablet and Desktop web browsers, now I’ve got your attention best you read on…

Here’s the story so far, Google has fallen out with a company called Symantec over the leaking of private keys of secure domain certificates.
You probably never noticed or even +heard of it, but this particular spat has had a butterfly effect that we will all feel from today.
You could see this as another example of how the Web has fallen into the powerful hands of just a few companies (Facebook, Google, etc.) but it seems to be in this case that Google has been right in not trusting Symantec. 

Google Chrome developers have decided to ignore all secure certificates from the following issuing authorities:

  • Thawte
  • VeriSign
  • Equifax
  • GeoTrust
  • RapidSSL

This means if your website has a secure certificate issued by one of these companies it will become useless to your website for all Chrome users.
The result will look something like below when they go to your domain using the Chrome browser (by any means not just search!).

SSL certificate distrusted by Google Chrome and other major browsers

This doesn’t look like the start of a happy visit, does it?

To give you some context, Chrome makes up over 50% of the worlds Mobile, Tablet and Desktop web browsers, so having this happen in Chrome is a big deal.

Google Chrome is the most popular browser worldwide

Chrome Rules the World

Yes, Google Chrome is represented by Green in this World Map from 2017. In addition to the coming of GDPR, secure websites are even more important as anytime any personally identifiable information (PII) is being handled by a company it needs to be secure. Therefore any enquiry form should be secure, not just e-commerce sites.
The timeline for this has been-

  • 15 March 2018
    • On or around March 15, 2018, a Chrome 66 beta release will distrust all Symantec SSL/TLS certificates issued before June 1, 2016.
  • 17 April 2018
    • Google plans to release the public version
  • September 13, 2018
    • a Chrome 70 beta release will distrust all Symantec SSL/TLS certificates issued after June 1, 2016.
    • Google plans to release the public version mid-October 2018.

To get a size of the problem a test was done in February showed of the Top Alexa sites one million websites, 11,510 are going to go insecure in April, with another 91,627 on going to be hit in October. You can see a quick test of those that were using Symantec SSL all have updated since.
Those included:

 

Testing the traffic impact

In Google Analytics you can test your traffic to see if the new Chrome 66 version browser is getting impacted quickly with a custom segment.

  1. Go to Google Analytics and login
  2. Select the Audience Overview Report
  3. Google Analytics Audience Overview
  4. Create a customer segment for Google Chrome Users
    Custom Chrome Users Segment Analytics

    Just add a Custom Segment for Google Chrome and even try Version 66

Once you have done this look at the daily Chrome Browser traffic for today by the hour compared to the previous day, is there a change? Then compare to the same day the previous week, again any change?

If you are seeing a constant drop hour on hour this could be the insight that your SSL certificate is scaring people using Chrome away.

Your next action is to prove it is your SSL certificate causing the problem.

Is your SSL Certificate affected?

This is technical and if you have a web developer/agency or site support team it is best to talk to them first but you can test free of charge yourself using the links below.

First step is to test if your certificate is at risk.

There are a few options and it is worth testing on a couple of services as they are all free of charge.

Hopefully, you find everything is up to date (normally using Digicert or Comodo) but if not your team will have to fix it ASAP!

How to fix your SSL certificate for Google Chrome

Options are to move to upgrade with the new company who owns the Symantec SSL business (DigiCert) or move to another provider for free.

Or you can use the free upgrade from Comodo

Or replace your certificate for free with this open source service (backed by Google Chrome)

Once you have updated your certificate then it might be interesting to test others, check your competitors, see if they’re secure or are they going insecure for Chrome browser uses? If they are what tactics could you use to capitalise on it, it if you’re feeling friendly how about telling them? Remember – Knowledge is power

Checklist:

  • From 17th April 2018 Google Chrome stops accepting some Symantec SSL certificates
  • October 2018 all Symantec SSL certificates will be ignored
  • eCommerce sites and any sites using lead generation forms will need to be secured (GDPR requirement)
  • Check your site’s certificate is going to be secure
  • Check your competitors

Confused? Concerned? Not getting the help you need?

Follow

About the Author

Founder of both SiteLynx and SLX marketing. Leading web marketing planner and trainer.