News

Microsoft Edge and IE Browsers Dropping Symantec Security Certificate Support

• By Kurt Mackie
• 10/04/2018

Microsoft announced on Thursday that its Edge and Internet Explorer (IE) browsers will stop trusting certain SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates that were issued by former certificate authority (CA) company Symantec.

Organizations running Web sites should check that they aren't using certain Symantec certificates issued after various dates, as listed in Microsoft's announcement. These certificates were issued by Symantec and its affiliated brands, namely Equifax, GeoTrust, RapidSSL and Thawte. Organizations will need to replace those certificates, if used, with ones "signed by a non-Symantec root," Microsoft's announcement explained.

Microsoft's terse announcement didn't indicate when the Symantec certificates would get distrusted by the Edge and IE browsers. Presumably, these certificates are getting distrusted this month, as Microsoft started deprecating them last month.

Symantec CA's public key infrastructure (PKI) was acquired by DigiCert at the end of October 2017. DigiCert has been working with browser makers Google, Mozilla, Apple and Microsoft to address problems with Symantec's PKI that caused browser makers to distrust Symantec-issued security certificates. DigiCert had also indicated that it would replace the certificates on its end "at no cost," following a schedule that it suggested wouldn't disrupt affected organizations.

DigiCert has provided information about the free certificate replacements at this page. Affected organizations were supposed to have received a message from DigiCert of the need for certificate replacement. There's also a Web-based tool, issued by Symantec, that will check for the untrusted certificates.

Distrust of Symantec as a CA company by browser makers was kicked off last year by Google. A CA is supposed to validate domain controls, protect their PKI infrastructures and check audit logs for invalid certification releases. Google, though, had questioned Symantec's practices as a CA.

Last year, Google issued its "plan to distrust Symantec certificates" for the Google Chrome browser, which included a timeline for organizations to follow. The release of the Chrome 70 browser "around the week of October 23, 2018" will "fully remove trust in Symantec's old infrastructure and all of the certificates it has issued," Google explained.

Mozilla reacted similarly to Google, and indicated in a March announcement that Firefox 63 will "distrust Symantec root certificates for website server TLS authentication" starting in October 2018. However, Mozilla seems to be going bit further as it'll distrust all Symantec certificates, regardless of the issuance date, with the exception of certain "whitelisted subordinate CAs."

Apple had laid out its policies regarding Symantec certificates in an August announcement. Apple's plan is similar to Microsoft's, but Apple's announcement didn't indicate exactly when the Symantec certificates would get distrusted.

Microsoft's announcement on Thursday may have been its first public disclosure of its plans to deprecate Symantec certificates. According to a Microsoft TechNet forum post, organizations running Web sites can address the problems associated with the Symantec certificates by "reissuing certificates to your internal computers from your internal PKI," adding that "once the internal machines all have certificates from your internal CA, you can stop using Symantec for your internal needs." That advice comes from former Microsoft senior engineer Mark B. Cooper, president and founder of PKI Solutions Inc.