With the latest monthly report from StatCounter revealing that Google Chrome accounts for over half the internet browser usage share across the globe, with a clear 40% lead over its nearest competitor, there can be no doubt that the browsing behemoth holds most of the cards when it comes to online activity.
In most cases this is a good thing for customers and businesses alike, as it gives a sense of standardisation to users, and allows companies and organisations to optimise their own online presences to meet the requirements of the biggest dog in the fight, as it were.
However, there are times when such market dominance can cause problems, as we could well see when Chrome releases a new version in a couple of months’ time. Indeed, some people have predicted that tens of thousands of websites could find that they have been labelled ‘unsafe’ by Google’s proprietary internet browser through no fault of their own. Unless, that is, they replace their current HTTPS certificate before the new build goes live.
SSL/TLS certificates are no longer trusted by Google
The root of the problem comes from a decision made by Google way back in September of last year that they would no longer trust the SSL/TLS certificates issued by cybersecurity giants Symantec. Specifically, any websites that utilise a Symantec certificate that was issued after 01 December 2017, or prior to 01 June 2016, will trigger a warning to any visitors using Google Chrome as their browser that they do not have a private connection, and that somebody may well be attempting to steal their data.
While the browser will not prevent access to such sites, users will be required to click on the warning in order to access the website beneath. Whilst hardly an arduous task for users to complete, with online security uppermost in people’s minds at the moment, the warning is enough to deter many potential customers from proceeding further.
This change forms part of Chrome’s build 66, released on 17 April 2018, and a later build in October (build 70) will extend the distrust to all Symantec-issued certificates.
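The date rule described above, written out as a certificate audit check. This is an added example, not code from the article or from Chrome: the issuer-name list, function names and sample hosts are assumptions, and Chrome itself matches the issuing roots rather than organisation names.

```python
import ssl
from datetime import datetime, timezone

# Cut-off dates as stated in the article (midnight UTC is an assumption).
ISSUED_BEFORE = datetime(2016, 6, 1, tzinfo=timezone.utc)
ISSUED_AFTER = datetime(2017, 12, 1, tzinfo=timezone.utc)
# Assumption: organisation names used to spot Symantec-run CAs in the issuer
# field. This is a triage heuristic, not the browser's own matching logic.
SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "verisign")


def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer field."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Return 'chrome66', 'chrome70' or 'unaffected' for one certificate."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in SYMANTEC_ORGS):
        return "unaffected"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    # Assumption: the boundary day itself (1 December 2017) counts as affected.
    if issued < ISSUED_BEFORE or issued >= ISSUED_AFTER:
        return "chrome66"   # warning from the April build onwards
    return "chrome70"       # still accepted until the October build


def audit(certs):
    """Map each hostname to its classification."""
    return {host: classify(cert) for host, cert in certs.items()}


def sample_cert(org, not_before):
    """Build a constructed record shaped like ssl.SSLSocket.getpeercert()."""
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before}

SAMPLE = {  # constructed hosts and dates, for illustration only
    "old.example": sample_cert("Symantec Corporation", "Mar 14 00:00:00 2016 GMT"),
    "mid.example": sample_cert("GeoTrust Inc.", "Feb  2 00:00:00 2017 GMT"),
    "late.example": sample_cert("Symantec Corporation", "Dec 15 00:00:00 2017 GMT"),
    "other.example": sample_cert("Example CA Ltd", "Mar 14 00:00:00 2016 GMT"),
}
```

Calling `audit(SAMPLE)` returns one verdict per host; against live sites, the same `classify` function accepts the dictionary returned by `getpeercert()` on a verified TLS connection.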
So, is this really a crisis, or is it just online scaremongering? Just how much will this disregard of Symantec certificates affect day-to-day browsing?
It’s a fair question and one that has been answered, at least in part, by Arkadiy Tetelman. Mr Tetelman, a security engineer working at Airbnb, took the certification data of the million largest websites (as far as traffic is concerned) and ran it through a script that duplicates Chrome’s new protocols.
After eleven hours of runtime, the results were in: the visitors to 11,510 of the biggest websites in the world will be shown a message saying that the site cannot be trusted from April onwards. If that’s not enough, once the full shutdown takes place in October, that figure leaps to 91,627. These are from the top million websites – mostly global companies, with teams of dedicated IT staff, and they are not immune from the new protocol. It can be reasonably assumed that, if the list were expanded to include smaller enterprises, we could conceivably see a larger proportion of sites failing to pass Google’s new security measures.
Reissuing Symantec-issued SSL/TLS certificates with catalyst2
How does this affect you, if you’re a customer of catalyst2? Well… it doesn’t. With our clients’ wellbeing ever at the forefront of our business, we will be reissuing all impacted SSLs before the new build comes into play, so your site will not suffer from this change in Google policy.