Chrome bug triggered errors on websites using Symantec SSL certificates
Security

Chrome bug triggered errors on websites using Symantec SSL certificates

If you've encountered errors over the past month when trying to access HTTPS-enabled websites on your computer or Android phone, it might have been due to a bug in Chrome.

The bug affected the validation for some SSL certificates issued by Symantec, one of the world's largest certificate authorities, as well as by GeoTrust and Thawte, two CAs that Symantec also controls.

The bug was introduced in Chrome version 53, but also affected the Android WebView component that Android apps use to display Web content, said Rick Andrews, senior technical director at Symantec in a blog post Friday.

To fix this problem on Android, end users should upgrade to the most recent version of WebView and to the upcoming Chrome version 55, he said. "Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility."

Even though it's a system component, starting with Android 5.0 (Lollipop), the WebView is delivered as an application package that's upgradeable through the Google Play store.

Version 55 of the Android System WebView was released on Dec. 1, but Chrome for Android is still at version 54, which was released in late October.

Google made changes in version 54 of Chrome on Windows, Mac, Linux and iOS, as well as to Chromium and the Chrome Custom Tabs so that Symantec certificates no longer trigger trust errors. However, the issue is fully patched for all platforms in Chrome version 55, Andrews said.

The bottom line is that to be on the safe side you should upgrade all your Chrome-based software to version 55 as soon as it becomes available for your platform. For many platforms, this version was released on Dec. 1.

The problem actually originated with Google's decision to force Symantec to publish all the certificates issued by the company's CAs after June 1st to a public Certificate Transparency (CT) log.

This decision was taken after an internal Symantec investigation into the unauthorized issuing of an extended validation (EV) certificate for google.com last year missed over 150 other certificates issued without approval from domain owners. Symantec said at the time that the certificates had been issued for testing purposes and never actually left the company.

Since CAs depend on browser vendors to trust their root certificates inside their products, companies like Google, Mozilla, Microsoft and Apple can hold them to account when they violate certificate issuing rules. Following the Symantec incident, Google implemented a mechanism in Chrome version 53 to only trust certificates issued by the company after Jun. 1, 2016, that comply with the Certificate Transparency policy.

However, another mechanism in the browser sets a 10-week limit for trusting CT data, to avoid such information becoming stale. When this was combined with the CT-compliance check enforced for Symantec certificates it triggered unintended trust failures even for compliant certificates.

IDG Insider

PREVIOUS ARTICLE

«Chrome 55 pushes Flash into the background

NEXT ARTICLE

Lenovo promises 12 new Moto Mod add-ons per year»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should companies have Bitcoins on hand in preparation for a Ransomware attack?