Last updated at Wed, 21 Mar 2018 17:39:50 GMT

This is a follow-up post to our December 2017 gift certificate piece discussing the 2018 schedule for distrust of Symantec certificates by Chrome and Firefox browsers.

The Ides of March have come and gone and (as promised) we decided to see whether sites have heeded the sooth-sayings of Google (is it more than coincidence they chose March 15th as the first warning date for the initial culling of Symantec certs?).

Scene I.

All SSL on IPv4.

The Rapid7 Labs team took a look at the most recent (2018-03-13) TCP port 443 (SSL) IPv4 scan results and found over 32.8 million SSL certificates (remember, we just pick up what we see at the IP-level, so these are — if anything — the low-end of the statistics since there are scads of virtual hosts and content-delivery networks out there).

Scene II.

The field of Symantec certs.

From this corpus, we discovered over 5.8 million Symantec (including all sub-issuers) certificates. That’s nearly 18%, but down from the over 7.2 million we found for the December report. Of those 5.8 million, ~271K (5%) have already (by date) expired, leaving around 5.6 million active certificates with valid dates.

Scene III.

The cull.

From the 5.6 million that still have valid dates, ~292K (5%) will expire before the April 17, 2018 (Chrome 66 release) deadline — meaning they won’t be trusted by any browser.

The other 95% (roughly 5.3 million) still have valid certificate dates and will be distrusted by Chrome and Firefox in October of 2018 when Chrome releases version 70.


While some progress has been made, more work still needs to be done.

Certificates that become invalid due to time-validity expiration generally get cleaned up by the service owner, either due to renewal calendar reminders or from knowing that most client libraries will not set up encrypted communications using a time-expired certificate. Site owners of certificates in red in the daily count graphic are in for a shock if they’re not paying attention to the Symantec distrust issue (which is one reason we continue to report on the topic to do our part in getting the word out).

InsightVM and Nexpose customers can use the certificate checks in those tools to identify these “toxic” certificates. Hopefully Safari and Edge will follow the lead of Chrome and Firefox to help underscore the need for action (seeing your site fail to load in a browser can be a great impetus for action).
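The date buckets used in this post can also be applied to a certificate inventory of your own. The Python below is an added example, not Rapid7's code or the InsightVM/Nexpose check; the issuer-brand list, the function names and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

SCAN_DATE = date(2018, 3, 13)  # scan date given in the post
CHROME_66 = date(2018, 4, 17)  # Chrome 66 release deadline given in the post

# Assumption: illustrative, incomplete list of Symantec-operated CA brands.
# The post only says "Symantec (including all sub-issuers)".
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")


def is_symantec(issuer: str) -> bool:
    """Case-insensitive substring match against the issuer name."""
    lowered = issuer.lower()
    return any(brand in lowered for brand in SYMANTEC_BRANDS)


def bucket(issuer: str, not_after: date, today: date = SCAN_DATE) -> str:
    """Assign one certificate to the categories the post counts."""
    if not is_symantec(issuer):
        return "other_ca"
    if not_after < today:
        return "expired"
    if not_after < CHROME_66:
        return "expires_before_chrome66"
    return "distrusted_at_chrome70"  # valid dates, but distrusted in October 2018


def summarize(rows, today: date = SCAN_DATE) -> Counter:
    """Count categories over (host, issuer, not_after) inventory rows."""
    return Counter(bucket(issuer, not_after, today) for _, issuer, not_after in rows)


# Constructed inventory rows: hosts and expiry dates are made up.
SAMPLE = [
    ("shop.example", "O=Symantec Corporation, CN=Symantec Class 3 Secure Server CA - G4", date(2018, 2, 1)),
    ("mail.example", "O=GeoTrust Inc., CN=RapidSSL SHA256 CA", date(2018, 4, 2)),
    ("api.example", "O=thawte, Inc., CN=thawte SSL CA - G2", date(2019, 6, 30)),
    ("www.example", "O=Let's Encrypt, CN=Let's Encrypt Authority X3", date(2018, 5, 20)),
]

if __name__ == "__main__":
    for host, issuer, not_after in SAMPLE:
        print(f"{host:14} {not_after}  {bucket(issuer, not_after)}")
    print(dict(summarize(SAMPLE)))
```

Certificates in the last bucket are the ones that will not show up in an expiry report, so they need their own replacement plan ahead of the October cutoff.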

Rapid7 Labs will continue to monitor the certificate landscape as the October 2018 cutoff approaches and provide occasional updates until the final deadline hits.