By: David Herron; Date: December 28, 2017
Tags: HTTP Security
The issue is not solely affecting amazon-adsystem.com SSL certificates. It affects every service that uses a Symantec-issued SSL certificate. In my case I see two affected sites, the aforementioned Amazon Advertising system and the AddThis service. Chrome's developer console reports:
The SSL certificate used to load resources from https://s7.addthis.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://images-na.ssl-images-amazon.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
The SSL certificate used to load resources from https://aax-us-east.amazon-adsystem.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.
In this case the content is being loaded via HTTPS, but the browser makers have decided to distrust a particular certificate authority (Symantec). Webmasters are being given a year or so to fix up their act, and to switch away from the affected Symantec-issued SSL certificates.
We can do that fairly easily for assets loaded from our own server(s). But in this case the assets are loaded from 3rd party services, and we cannot control what those services do.
The messages include a short URL, which redirects to https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html
That page gives a full explanation of what's going on and why the action is being taken.
What's more important is the timeline of actions:
- October 24, 2017: Chrome began printing the above warnings in the developer console.
- December 1, 2017: Symantec was supposed to do something useful.
- March 15, 2018: Chrome 66 goes to Beta, removing trust in Symantec-issued certificates with a not-before date prior to June 1, 2016.
- April 17, 2018: Chrome 66 goes to Stable.
- September 13, 2018: Chrome 70 goes to Beta, removing trust in the old Symantec-rooted infrastructure.
- October 23, 2018: Chrome 70 goes to Stable.
In other words, in April 2018 Chrome will start displaying security warnings for these distrusted Symantec-issued certificates. Then in October 2018 a further step will prevent loading assets from the affected URLs. Both of these steps can affect readers of our websites.
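To see which of a site's third-party hosts land on which of these dates, here is an added Go checker (not code from the original post): it dials each host named on the command line, reads the leaf certificate and maps its issuer and not-before date onto the timeline above. Recognising Symantec-issued certificates by the word "symantec" in the issuer Organization is a simplifying assumption; Chrome's actual rule is based on membership in its legacy Symantec root set.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"strings"
	"time"
)

// Dates from the Chrome timeline quoted in the post (UTC).
var (
	legacyCutoff   = time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)
	chrome66Stable = time.Date(2018, 4, 17, 0, 0, 0, 0, time.UTC)
	chrome70Stable = time.Date(2018, 10, 23, 0, 0, 0, 0, time.UTC)
)

// DistrustDate maps a certificate onto the timeline above: the Chrome stable release
// from which it is rejected, or the zero time if it is unaffected. Matching "symantec"
// in the issuer Organization is a simplification (assumption); Chrome keys on its legacy root set.
func DistrustDate(cert *x509.Certificate) time.Time {
	issuer := strings.ToLower(strings.Join(cert.Issuer.Organization, " "))
	switch {
	case !strings.Contains(issuer, "symantec"):
		return time.Time{}
	case cert.NotBefore.Before(legacyCutoff):
		return chrome66Stable // Chrome 66: not-before earlier than June 1, 2016
	default:
		return chrome70Stable // Chrome 70: rest of the old Symantec infrastructure
	}
}

func main() { // usage: go run . s7.addthis.com images-na.ssl-images-amazon.com
	for _, host := range os.Args[1:] {
		// Verification is skipped on purpose: the chain is inspected, not relied on.
		conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host, InsecureSkipVerify: true})
		if err != nil {
			fmt.Fprintln(os.Stderr, host+":", err)
			continue
		}
		cert := conn.ConnectionState().PeerCertificates[0]
		conn.Close()
		verdict := "not affected"
		if d := DistrustDate(cert); !d.IsZero() {
			verdict = "rejected from Chrome stable " + d.Format("2006-01-02")
		}
		fmt.Printf("%s issuer=%v notBefore=%s %s\n", host, cert.Issuer.Organization, cert.NotBefore.Format("2006-01-02"), verdict)
	}
}
```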
What can we do? We don't own these 3rd party services. One hopes that those services are being run by folks who are aware of the issues, and who will issue a fix before April 17, 2018 (the first date at which users will be affected).
If those services drop the ball it will be necessary to find alternate services. In the example above, instead of using AddThis, switch to ShareThis (or some other similar service). Or switch to Google AdSense advertising if Amazon hasn't fixed its advertising system by then.