Apple has announced plans to distrust Symantec CA Brand SSL certificates. The distrust will happen in two phases, starting this summer.
If you have followed this story from the beginning, this comes as no surprise. Google announced plans to distrust Symantec CA Brand SSL certificates last year, with the first phase beginning in April. Mozilla has also announced it will distrust Symantec CA Brand SSL certificates on the same schedule as Google. Microsoft hasn't given much indication of when it will act, but it tends to follow the other browsers.
Symantec CA Brand refers to all Symantec SSL brands, including its eponymous line, RapidSSL, GeoTrust and Thawte.
Here’s Apple’s timeline:
Summer 2018: Partial distrust of Symantec CAs
- TLS server certificates issued before June 1, 2016 or after December 1, 2017 will be distrusted.
- TLS server certificates issued between June 1, 2016 and December 1, 2017 will be trusted if they have been published to a trusted CT log.
Later date: Full distrust of Symantec CAs
- TLS server certificates issued from the Symantec CAs listed in Apple's announcement will be fully distrusted.
The first date, due this summer to coincide with a major software update, covers any SSL certificate issued off the Symantec roots before June 1, 2016 or after December 1, 2017. Certificates issued inside that window survive the first phase only if they were logged to a trusted CT log. Then, later this fall, Apple will distrust the rest of the Symantec CA Brand SSL certificates.
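The two-phase timeline above is a decision procedure, and the practical question for an operator is which certificates in an inventory it catches. The following is an added example, not code from the original post or from Apple, that encodes Apple's two phases as a classifier. It assumes the caller has already extracted three facts per host (the organisation name of the root the chain terminates at, the leaf's notBefore date, and whether an SCT is available), for instance with `openssl x509 -noout -issuer -dates`; the brand-name list and the inventory entries are constructed for illustration, and treating both boundary days as inside the CT window is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Window from Apple's announcement: a certificate whose notBefore lies in
# [CT_WINDOW_START, CT_WINDOW_END] stays trusted during the partial-distrust
# phase only if it was published to a trusted CT log. Counting both boundary
# days as inside the window is an assumption of this example.
CT_WINDOW_START = date(2016, 6, 1)
CT_WINDOW_END = date(2017, 12, 1)

# Organisation names for the brands the post lists under "Symantec CA Brand",
# plus VeriSign, the name carried by the legacy roots Symantec operated.
# Substring matching on the root's O= is a simplification for illustration;
# a production inventory check should compare root fingerprints against the
# list in Apple's announcement.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")


@dataclass
class ChainFacts:
    hostname: str
    root_org: str       # O= of the root the served chain terminates at
    not_before: date    # notBefore of the leaf (server) certificate
    ct_logged: bool     # an SCT is available (embedded, via OCSP, or TLS extension)


def chains_to_symantec_root(root_org: str) -> bool:
    """True if the root's organisation name matches a Symantec CA brand."""
    org = root_org.lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def apple_status(facts: ChainFacts, phase: str) -> str:
    """Classify a chain for Apple's 'partial' or 'full' distrust phase.

    Returns a string beginning with 'trusted' or 'distrusted', followed by
    the rule from Apple's timeline that decided it.
    """
    if phase not in ("partial", "full"):
        raise ValueError(f"unknown phase {phase!r}")
    if not chains_to_symantec_root(facts.root_org):
        return "trusted: root is not a Symantec CA"
    if phase == "full":
        return "distrusted: full distrust of Symantec CAs"
    # Partial phase: the issuance date and CT logging decide.
    if facts.not_before < CT_WINDOW_START:
        return "distrusted: issued before June 1, 2016"
    if facts.not_before > CT_WINDOW_END:
        return "distrusted: issued after December 1, 2017"
    if facts.ct_logged:
        return "trusted: in-window and CT logged (until full distrust)"
    return "distrusted: in-window but not published to a trusted CT log"


def audit(inventory: List[ChainFacts], phase: str) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every chain that will be distrusted."""
    results = []
    for facts in inventory:
        status = apple_status(facts, phase)
        if status.startswith("distrusted"):
            results.append((facts.hostname, status))
    return results


# Constructed sample inventory; these hosts and roots are illustrative only.
SAMPLE_INVENTORY = [
    ChainFacts("old.example", "GeoTrust Inc.", date(2016, 1, 15), True),
    ChainFacts("logged.example", "thawte, Inc.", date(2017, 3, 1), True),
    ChainFacts("unlogged.example", "thawte, Inc.", date(2017, 3, 1), False),
    ChainFacts("late.example", "Symantec Corporation", date(2017, 12, 2), True),
    ChainFacts("other.example", "Some Other CA Inc", date(2018, 1, 1), False),
]

if __name__ == "__main__":
    for phase in ("partial", "full"):
        print(f"== {phase} distrust ==")
        for host, status in audit(SAMPLE_INVENTORY, phase):
            print(f"{host}: {status}")
```

Running it shows why the partial phase is only a reprieve: `logged.example` passes the first phase and still falls in the second, so anything that chains to a Symantec root needs replacing regardless of its issuance date.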
How did Symantec get distrusted?
By playing fast and loose with the rules. Symantec all but invited extra scrutiny by having two mis-issuance events, one in 2015 and another in 2016. That got Google to take a closer look at what was actually going on behind the scenes, and Google did not like what it saw. Symantec had delegated parts of validation to Registration Authorities (RAs) in certain jurisdictions. It failed to properly oversee those RAs, which in turn caused Google to lose trust in Symantec's entire PKI.
PKI is Public Key Infrastructure. Think of it as an ecosystem of interacting mechanisms for validation, issuance, and revocation that together produce an environment in which publicly trusted certificates can be created. Most end users only ever interact with the end product, the certificate itself. But if any part of the underlying infrastructure is compromised, it poisons the whole ecosystem. Suddenly, publicly trusted certificates can't be taken at face value anymore. The entire trustworthiness of the CA operating the PKI is diminished.
And browsers don't mess around when it comes to user safety. Check the release notes of any browser and typically the largest category on the list is security fixes. If there is even the remotest chance that a PKI is compromised, the browsers will act decisively to keep their users safe.
In this case, that means distrusting the Symantec CA Brand's entire PKI. It's also worth noting that Symantec did itself no favors by failing to offer a robust response to Google's initial attempt to negotiate. Google was more or less holding Symantec's death warrant and the CA didn't seem to realize it until there were definitive dates on the table. Even then, Google still delayed the deadline once to let Symantec get its affairs in order.
By Fall of 2017, Symantec had sold its entire CA operation to DigiCert and (with the exception of a 30% ownership stake in DigiCert) left the market.
Fool me once, shame on you…
Fortunately, Comodo CA doesn't have any issues with its PKI. It's universally trusted and Comodo CA is held in high esteem by the CA/Browser Forum (CAB Forum) and the rest of the SSL industry.
Apple's distrust doesn't change a whole lot in the big picture. Its dates fall after Google's, and since Google owns the lion's share of the browser market, Google's dates have been the definitive deadlines. But Apple officially announcing its plans to distrust Symantec generates headlines that serve as one more reminder that Symantec CA customers are running out of time to replace their certificates.
A recent Comodo CA study found there are still over 1,000,000 websites using the ill-fated Symantec certificates. Those users face a very real choice. You can re-issue or renew with your current brand, now owned by DigiCert, and hope for the best. Whichever CA you choose, check the replacement chain: only a certificate that chains to a root outside Apple's Symantec list clears both phases of the distrust.
But why risk it? Comodo is the number one commercial CA in the world. What’s the expression? Fool me once? Shame on you. Fool me twice? Shame on me.