Google have just announced (in a fairly low-key forum discussion) that they are going to deprecate, and eventually remove, support for all Symantec-issued SSL certificates in the Google Chrome web browser.
What does this mean?
SSL certificates are issued by certificate authorities (CAs). Each end-entity certificate is signed by one or more intermediate certificates, and those intermediates are in turn signed by what are known as root certificates. Browsers ship with a store of trusted root certificates, and any certificate that chains back to one of those roots will be trusted by the browser.
One of the most important parts of the SSL ecosystem is trust. The browser maker needs to trust the certificate issuer to do the right thing, and the certificate issuer needs to be able to verify that the person or company it is issuing a certificate to is actually who they say they are.
Google are bringing in these changes because they no longer trust that Symantec is doing a good enough job of validating and verifying that the certificates being requested are actually going to the correct person. Google have raised concerns with Symantec before, yet these issues appear to be ongoing.
Their latest investigation started in January with about 100 certificates, but eventually they found problems with "at least 30,000 certificates, issued over a period spanning several years."
Who is affected?
With upwards of 50% market share, a change like this in Google Chrome could have a devastating effect on the use of these certificates. The removal of these certs isn't all happening at once, though; Google will roll out their distrust of the root certificates gradually over a period of months.
Google's plan is to roll out maximum validity periods across successive Chrome releases, each one lowering the maximum age of a certificate that Chrome will still accept. In practice this forces every affected certificate to be re-issued.
This means that developers like us may need to re-issue many certificates. This takes time, and in many cases new certificates will need to be purchased, which costs the client as well.
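To make the two mechanisms above concrete (chaining a leaf certificate through an intermediate to a trusted root, and then applying a staged maximum-validity policy to chains that end in a distrusted root), here is an added example in Go. It is not code from the original post or from Google or Symantec: it builds a throwaway root, intermediate and server certificate in memory, verifies the chain the way a browser would, and then checks the leaf's validity period against a per-release maximum. The CA names, hostname, and the 990-day and 270-day stages are constructed for illustration, and `RejectedByPhaseOut` is a simplified model of the policy, not Chrome's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds a constructed root -> intermediate -> leaf chain (not a real CA).
type DemoPKI struct {
	Root, Inter, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64, lifetime time.Duration) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoChain creates a root, an intermediate signed by it, and a server
// leaf signed by the intermediate whose validity period is leafLifetime long.
func BuildDemoChain(leafLifetime time.Duration) DemoPKI {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate("Demo Root CA (constructed)", 1, 10*365*24*time.Hour)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := caTemplate("Demo Intermediate CA (constructed)", 2, 5*365*24*time.Hour)
	inter := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed hostname
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return DemoPKI{Root: root, Inter: inter, Leaf: leaf}
}

// VerifyChains does what a browser does: it chains the leaf through the
// presented intermediates to a root held in the trust store.
func VerifyChains(p DemoPKI) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	return p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.test"})
}

// spkiHash identifies a root by its public key rather than its name, so a
// renamed or cross-signed copy of the same key is still recognised.
func spkiHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// RejectedByPhaseOut models the staged distrust: a connection is rejected only
// if every verified chain ends in a listed root AND the leaf's validity period
// exceeds the maximum this browser release still accepts for such roots.
func RejectedByPhaseOut(chains [][]*x509.Certificate, distrusted map[[32]byte]bool, maxValidity time.Duration) bool {
	for _, chain := range chains {
		leaf, root := chain[0], chain[len(chain)-1]
		if !distrusted[spkiHash(root)] || leaf.NotAfter.Sub(leaf.NotBefore) <= maxValidity {
			return false // an acceptable chain exists
		}
	}
	return true
}

func main() {
	pki := BuildDemoChain(730 * 24 * time.Hour) // constructed: a two-year leaf
	chains, err := VerifyChains(pki)
	if err != nil {
		panic(err)
	}
	distrusted := map[[32]byte]bool{spkiHash(pki.Root): true}
	// Two constructed roll-out stages: first 990 days is still accepted, then only 270.
	for _, max := range []time.Duration{990 * 24 * time.Hour, 270 * 24 * time.Hour} {
		fmt.Printf("max validity %.0f days: rejected=%v\n", max.Hours()/24, RejectedByPhaseOut(chains, distrusted, max))
	}
}
```

Running it shows the same two-year certificate passing the first stage and failing the second, which is the mechanism the post describes: nothing about the certificate changes, the browser's accepted maximum shrinks release by release until every certificate chaining to the listed roots has to be replaced. Keying the distrust list on the SPKI hash rather than the subject name is the check a practitioner wants, because the affected roots are identified by their keys, not by which brand name appears on them.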
Which certificates are affected?
This will affect all Symantec certificates, including the various subsidiaries of the company. There are some exclusions in place where the CA is "independently operated, whose keys are not in control of Symantec, and which are maintaining a current and appropriate audit".
This still leaves a huge list of 58 root certificates, including roots from Equifax, VeriSign, TrustCenter, Symantec, GeoTrust and Thawte, as well as a few minor or single-company roots. Together these roots are estimated to account for about 25% of all currently-issued SSL certificates.
There has been no word as of yet whether other browser makers are going to follow suit.