Google will begin to distrust Symantec-issued certificates in Chrome that were issued prior to June 1, 2016. The move will go into effect in early 2018. And apparently companies are not ready.
Certificates are the foundation for a secure web-browsing and searching experience, and browser vendors like Google need to trust the certificate to authorize access to the web page. Not trusting the certificate could stop consumers from reaching their target destination -- for example, a page on Amazon.com or Nordstrom.com.
Chrome will distrust certificates as of Version 66 -- which is scheduled for release to Chrome Beta users on March 1, 2018 and to others on April 17, 2018 -- and for Chrome OS, on April 14.
Shanti Shunn, digital marketing strategist at Vizion Interactive, examined the dilemma and identified a variety of issues.
"We have now seen local BBB badges and global Paypal badges getting flagged," he wrote in a post. "We have seen a ton of third-party tracking tags getting flagged, everything from Casale Media tags to Adroll and others. Even AddThis, the popular social sharing widget/plugin for WordPress is getting flagged."
Shunn explains that fixes will rely on third parties and prioritizing updating all security certificates as soon as possible.
In an email to Search Marketing Daily, Shunn wrote that Symantec certificates are a security risk -- as deemed by Google, but also acknowledged by others -- and Google wants a “secure-web” for their users, especially given the large increase in mobile usage and their impending switch to “mobile-first” driven algorithms."
He said it will affect advertisers in three ways. First, it will potentially means pages may trigger warning for the user regarding the trustworthiness of entering any information and will remove the browser displaying that the site is actually secure.
Second, it will potentially affect paid-search programs, as Google may become more aggressive about shutting down, disapproving ads that go to a landing page on sites with this issue.
And third, HTTPS is a considered search engine optimization (SEO), and site quality trust factor not only for search engines, but also for users. "This essentially puts you in a predicament where your site does to meet best practices and could see ranking decreases and traffic and conversion impacts," he wrote.
Apparently not all companies are aware of this change, although Google detailed the issue in a security blog back in September 2017. Shunn writes that Amazon's primary certificate is from Symantec.
"For them, it will be less painful because of this," he writes. "For most of the rest of us, well, it won’t be that easy as we will have to depend on others to make the updates timely."
In the blog, Google states that site operators with a certificate issued by a Symantec CA prior to June 1, 2016, will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.
Then in September or October, Google will release Chrome 70, which will fully remove trust in Symantec’s old infrastructure and all of the certificates it issued. This will affect any certificate chaining to Symantec, except for the small number issued by the independently operated and audited subordinate CAs previously disclosed to Google.