Google’s Distrust Causes Headaches for Webmasters
How often have you tried to access a website, and it took oh so long to load — or worse — didn’t load at all? It could have been a strong antivirus preventing a suspicious website from loading. It could have been a browser issue. Developers have known for more than a decade that the user interface (UI) can change from one browser to another. A website which worked fine on Safari or Microsoft Edge might present problems if you try loading it through Mozilla Firefox (which has always had stricter security norms) or through Google Chrome. Now webmasters have an additional headache.
Save the Date
As a webmaster, July 20, 2018 is the date you must dread, given Google’s distrust of Symantec PKI. A Google blog in March warned that all websites using any SSL/TLS certificate from Symantec issued before June 1, 2016 would face site breakage, and that their site would become inaccessible to users as browsers roll out newer versions in the coming months. This warning included sites using Symantec-owned brands like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL. Specifically, it warned that users might already be unable to access such sites if they were using Chrome 66. It went on to suggest that developers verify whether any certificate error was displayed when someone tried to access the site through Chrome Canary.
The Dubious Certification
The discovery of incorrectly issued certificates from Symantec for a humongous 30,000 domains, spread over several years, further strengthened Google’s distrust of all Symantec-generated internet security certificates. The entire problem seems to be rooted in the fact that Symantec acquired numerous perfectly good brands, and then botched their reputations too with dubious practices. In 2015, Google noted that Symantec Corporation had issued certificates for websites which weren’t even registered. The problem worsened when Google discovered in January 2017 that Symantec wasn’t validating the certificates it issued.
The internet community and developers have mostly hailed Google’s move as a victory for internet security, as is evident from social network discussions, especially on Reddit. Some have even gone so far as to say that it comes a trifle late, while others have deplored the manner in which it has been executed. All agree, however, that it has added to the workload of webmasters and developers. Symantec had long been perceived to be too big to fail, or even to be distrusted. The matter has been further complicated by the fact that DigiCert, Inc. has acquired Symantec’s PKI and SSL/TLS businesses. It remains to be seen whether Google will block sites with a DigiCert certificate.
Unscramble the Alphabet Soup of Internet Security
What Is SSL/TLS? Secure Sockets Layer (SSL) and Transport Layer Security (TLS) sound like double Dutch to the lay person. In reality they are vital to keeping your internet browsing and all online transactions secure. They are basically standard protocols to ensure that when anyone accesses a website, the connection is encrypted; i.e. the traffic is scrambled to keep all communication between you and the website’s server secure from third parties. It is this encryption which keeps your personal details like login details, banking details, and other sensitive data safe from prying eyes (and presumably from robbers). Since even news sites have cookies to track you, you need to be doubly cautious about visiting sites from devices which store any personal data.
SSL is the older predecessor of TLS. TLS addressed certain vulnerabilities in SSL, made its cipher suites and algorithms more secure, and strengthened support. Whenever you see https before any web address, you know that the website uses some SSL/TLS certificate. As an internet user you should avoid any website which doesn’t have even a wildcard certificate. A strong antivirus and corresponding firewall will usually prevent you from accessing any such website.
DV, EV, and OV: The alphabet soup of internet security is further complicated by the use of DV, EV, and OV certificates. These are markers which certificate authorities (CAs) like Symantec use to indicate the kind of certificate which has been issued. Put simply, DV stands for domain validation, OV means organization validation, and EV stands for extended validation. If you see DV on a domain which the general public can access, back out fast. If you need to submit any personal details at the site you’re visiting, look for the EV certificate.
What’s the difference between paid and free certificates? None really, except that you are short by several dollars with the former. The paid ones claim that there is insurance cover, but no one seems to have ever heard of a payout in the certificate industry.
How Does It Affect You as a Webmaster?
Many webmasters will recall that several websites which had led Google rankings crashed after Google suddenly changed its search engine policies in 2011 and 2012. You should have replaced your certificates yesterday — to be more precise — by March 15, 2018. If any of your users are using the Chrome Canary or Chrome Dev browsers, then they are probably unable to access your website already. You must ensure that your website is hack-free, and that your visitors can browse securely regardless of whether they are there to gain some information or to transact business with your organization.
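The two checks the article asks a webmaster to make, whether a certificate comes from a Symantec brand issued before the June 1, 2016 cut-off, and what validation level (DV, OV, EV) it carries, can be automated against the leaf certificate a server presents. The following is an added example written for this page, not code from the article or from Google; it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, uses only the brand names and cut-off date stated above, and embeds constructed sample certificates so it runs offline. The DV/OV/EV split from subject fields is a heuristic (an assumption of this example); a real EV determination also checks the CA's EV policy OID.

```python
import socket
import ssl
from datetime import datetime, timezone

# Symantec-owned brands named in Google's announcement, matched against the issuer's organizationName.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")

# Issuance cut-off from the announcement: Symantec-brand certificates issued before this date
# are the ones Chrome 66 stops trusting.
CUTOFF_UTC = datetime(2016, 6, 1, tzinfo=timezone.utc)


def rdn_value(name_tuples, key):
    """Return the first value for `key` in a getpeercert()-style name (tuple of RDNs), or None."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def not_before_utc(cert):
    """Parse the 'notBefore' string (e.g. 'Mar 10 00:00:00 2016 GMT') into an aware UTC datetime."""
    raw = cert.get("notBefore")
    if raw is None:
        return None
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(raw), tz=timezone.utc)


def distrust_status(cert, cutoff=CUTOFF_UTC):
    """'distrusted'     = Symantec-brand issuer and issued before the cut-off
       'symantec-later' = Symantec-brand issuer, issued on or after the cut-off
       'other-ca'       = issuer is not a Symantec brand
       'unknown'        = Symantec brand but the issuance date is missing"""
    org = (rdn_value(cert.get("issuer", ()), "organizationName") or "").lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "other-ca"
    issued = not_before_utc(cert)
    if issued is None:
        return "unknown"
    return "distrusted" if issued < cutoff else "symantec-later"


def validation_level(cert):
    """Heuristic DV/OV/EV classification from the subject (assumption: attribute names as
    emitted by getpeercert(); EV is only confirmed for real by the CA's EV policy OID)."""
    subject = cert.get("subject", ())
    if rdn_value(subject, "organizationName") is None:
        return "DV"  # only the domain was validated: no organisation in the subject
    if rdn_value(subject, "businessCategory") is None:
        return "OV"  # organisation present, but none of the EV-specific identity fields
    return "EV"      # businessCategory is populated only for extended validation


def audit(certs):
    """Summarise {hostname: cert_dict} as {hostname: (distrust_status, validation_level)}."""
    return {host: (distrust_status(c), validation_level(c)) for host, c in certs.items()}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate in the same dict shape (needs network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape returned by getpeercert(); the hostnames,
# organisations and CA names are illustrative placeholders, not real certificates.
SAMPLE_CERTS = {
    "shop.example": {  # Symantec brand, issued before the cut-off: distrusted by Chrome 66
        "subject": ((("countryName", "US"),), (("organizationName", "Shop Example Inc"),),
                    (("businessCategory", "Private Organization"),), (("commonName", "shop.example"),)),
        "issuer": ((("organizationName", "Symantec Corporation"),), (("commonName", "Example Symantec EV CA"),)),
        "notBefore": "Mar 10 00:00:00 2016 GMT",
        "notAfter": "Mar 10 23:59:59 2018 GMT",
    },
    "news.example": {  # GeoTrust (Symantec-owned) but issued after the cut-off
        "subject": ((("organizationName", "News Example Ltd"),), (("commonName", "news.example"),)),
        "issuer": ((("organizationName", "GeoTrust Inc."),), (("commonName", "Example GeoTrust OV CA"),)),
        "notBefore": "Jan  5 00:00:00 2017 GMT",
        "notAfter": "Jan  5 23:59:59 2019 GMT",
    },
    "blog.example": {  # Let's Encrypt DV certificate: unaffected by the Symantec distrust
        "subject": ((("commonName", "blog.example"),),),
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
                   (("commonName", "Example LE Intermediate"),)),
        "notBefore": "Apr  1 00:00:00 2018 GMT",
        "notAfter": "Jun 30 00:00:00 2018 GMT",
    },
}

if __name__ == "__main__":
    for host, (status, level) in audit(SAMPLE_CERTS).items():
        print(f"{host:14} {status:15} {level}")
```

To run it against your own sites, replace the constructed dictionaries with `fetch_peer_cert("your-host")`; a result of `distrusted` means the certificate must be reissued by another CA before the browser deadlines, while `symantec-later` still deserves attention since the chain is Symantec-rooted.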
How Does the Google Position Impact Websites?
The prime purpose of having an online presence is to have global visibility. Occasionally, even locals become aware of your existence and contact details by seeing them online. If your site is visible only to users of older or not-so-efficient browsers, you are doomed. The business implications go far beyond the immediate. In the internet world, out of sight is literally out of mind. Therefore, you must take immediate steps to ensure continued visibility on the net. If your website handles daily business transactions on the web, even a day — or a few days — offline could quickly put the organization in the red. For US healthcare organizations, which are already hamstrung by HIPAA requirements, it could mean adding an additional layer of security to preserve visibility.
Do this: You can begin by getting a free certificate from Let’s Encrypt, which is the first free certificate authority. Further, it has promised wildcard certificates come January 2019. Even if Google suddenly decides that it does not trust free certificates, it will have cost you only time and effort, not hard cash. Further, you will have effectively saved your organization’s online presence, and the corresponding commerce and trade.
Watch out: There are some CAs which offer a “free certificate” which is actually just a trial period before you need to pay up. Don’t fall for these, as they will present challenges further down the road.
What Does All This Mean for the End User?
It means that quite a few of your favorite websites might become inaccessible, if they haven’t already, regardless of the browser you use. There’s not much the end user can do about it, except pray that the webmasters concerned act before their site crashes.