COMMENT:

If there's one thing the ICT industry has become better at over the years, it's the “information” part of the acronym that defines it.

That doesn't mean important messages get through, as I noticed recently when my web browser blocked access to some bank and government sites, saying their digital certificates were invalid.

These are Transport Layer Security (TLS) certificates, the digital credentials behind the padlock in your browser.


They let your browser verify that the site you're talking to is the one you intend to hand sensitive information to, and they anchor the encryption that protects your traffic as it crosses the hostile internet.

It's pretty important stuff, and when I saw that Chrome, the world's most popular web browser, deemed the sites of ANZ bank and the New Zealand Companies Office unsafe to use and blocked access to them, I took notice.

I'm using an early build of version 70 of Google's Chrome web browser. When I looked more closely at the error message, it told me the problem was that the sites were using older Symantec certificates.

The certificates themselves are still within their validity dates, but Google decided last year that Symantec had mucked up how it validated and issued TLS certificates, and that Chrome would therefore stop trusting digital credentials issued by the security vendor and its associated brands. A certificate is only as good as the browser's trust in whoever issued it: once a browser pulls a certificate authority's root out of its trust store, every certificate chaining to that root fails, whatever its expiry date says.

Symantec, together with the brands it had acquired such as Thawte, GeoTrust and VeriSign, was a household name in the TLS business with a large customer base worldwide.

It was a very public spat that ended with Symantec selling its TLS certificate business to DigiCert, which has issued from its own infrastructure since 1 December last year. Google made it clear that from April this year, Chrome 66 would not trust Symantec certificates issued before 1 June 2016.

Everything else still chaining to the legacy Symantec roots, in practice any certificate issued before DigiCert's 1 December 2017 cutover, would be distrusted with Chrome 70, which is due to go into beta next month and reach stable release in October.
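The schedule above can be turned into a check a site operator could run against their own certificate chains. The Go program below is an added example written for this page, not Google's or Chrome's code: it applies the two cut-offs to a leaf-first chain and, so that it runs offline, builds its own throwaway test certificates rather than fetching real ones. The brand-name list is an assumption that only approximates Chrome's real mechanism, which keys on the hashes of the legacy Symantec root keys and exempts a handful of managed sub-CAs; the function names, the example.test hostname and the issue dates are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Leaves issued before this date lost trust in Chrome 66; everything else that chains to
// a legacy Symantec root loses it in Chrome 70 (Google's published schedule).
var chrome66Cutoff = time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)

// Assumption: organisation names of the legacy Symantec PKI. Chrome's real check keys on a
// hard-coded list of legacy root public keys and exempts a few managed sub-CAs, so a name
// hit here means "inspect this chain", not proof.
var legacyBrands = []string{"symantec", "verisign", "thawte", "geotrust", "rapidssl"}

func isLegacyOrg(name pkix.Name) bool {
	for _, org := range name.Organization {
		for _, brand := range legacyBrands {
			if strings.Contains(strings.ToLower(org), brand) {
				return true
			}
		}
	}
	return false
}

// DistrustedFrom takes a chain in leaf-first order, as a TLS server presents it, and
// returns "" (still trusted), "Chrome 66" or "Chrome 70": the first version to reject it.
func DistrustedFrom(chain []*x509.Certificate) string {
	if len(chain) == 0 {
		return ""
	}
	leaf := chain[0]
	legacy := isLegacyOrg(leaf.Issuer) // also catches a server that omits its intermediates
	for _, ca := range chain[1:] {
		legacy = legacy || isLegacyOrg(ca.Subject)
	}
	switch {
	case !legacy:
		return ""
	case leaf.NotBefore.Before(chrome66Cutoff):
		return "Chrome 66"
	default:
		return "Chrome 70"
	}
}

// sign issues tmpl under parent and parses the DER back into a Certificate.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestChain makes a throwaway root and leaf so the policy can be exercised offline.
// These are constructed fixtures, not real Symantec or DigiCert certificates.
func BuildTestChain(caOrg string, leafNotBefore time.Time) ([]*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one throwaway key for root and leaf: fixture only
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{caOrg}, CommonName: "Test Root"},
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, pub, priv) // self-signed root
	if err != nil {
		return nil, err
	}
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.AddDate(2, 0, 0),
	}, ca, pub, priv)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, ca}, nil
}

func main() {
	chain, err := BuildTestChain("Symantec Corporation", time.Date(2017, 5, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Printf("legacy-rooted leaf issued 2017-05-01: distrusted from %q\n", DistrustedFrom(chain))
}
```

To check a live site, pass in the chain from a `crypto/tls` connection's `ConnectionState().PeerCertificates`, which arrives leaf-first; a result of "Chrome 70" is the case the column describes, a certificate that is in date but about to be rejected.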

That's what I was seeing, to my surprise, because there's been such a long lead time to fix the problem.

Surely by now everyone with a Symantec certificate would be aware that if they didn't replace them with fresh credentials, Chrome would slam the door shut on their sites?

Tony Krzyzewski, director of SAM for Compliance, which helps organisations with these sorts of things, agreed.

“The issue relating to certain Symantec certificates having a lower level of trust has been well publicised and it is my opinion that organisations using these certificates should have had an action plan in place to remove dependence upon these certificates irrespective of Google's intent to block access to sites via the use of the Chrome browser,” Krzyzewski told me.

ANZ fixed the cert problem a few days after I encountered it, but the Companies Office still won't let me in with Chrome 70. A spokesperson for the Ministry of Business, Innovation, and Employment (MBIE) put it down to the Companies Office site being complex, with multiple test environments, and any change having to follow a defined process.

“We have been gradually installing new certificates on those various environments and are currently planning to make the change to the production environment by 21 August, if all goes well with testing and change control,” the spokesperson said.

It's understandable that MBIE treads carefully here, because TLS certificate management can be complicated and there's plenty of room for things to go wrong: a certificate deployed with the wrong private key, an incomplete chain or a missed server is enough to take a site down.

That said, if it's such an effort, and the issue was flagged many, many months ago, doesn't an August 21 cert swap cut things just a little too fine?

The workaround for you and me is easy.

Just use a browser that's more forgiving than Chrome 70.

That is a stopgap, not a fix: the certificate is no more trustworthy in another browser, and Mozilla has announced a matching distrust schedule for Firefox, so that door will close too.

If, however, your organisation is still using Symantec's distrusted certs, your IT people are in for a stressful time over the next few months, run ragged fixing a problem that should've been sorted out ages ago.

Update: DigiCert emailed to say that it has been offering, and continues to offer, free replacement certificates trusted by Chrome that last for the lifetime of the original credential. The certificate authority says it has contacted credential holders “through multiple means of communication”, so really, the issue should've been sorted out months ago.