With “well over” 1% of the world’s top one million websites still using a Symantec certificate, Mozilla has suspended plans to distrust the TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert.
According to a statement by Mozilla’s certification authority program manager Wayne Thayer, so many websites continue to use these certificates that moving from Firefox 63 Nightly into Beta “would impact a significant number of our users.”
Thayer said that “it is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.”
He added: “We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.
“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them.”
In a previous update in July, Thayer that 3.5% of the top one million websites were still using Symantec certificates that were due to be distrusted in September and October. Firefox 60 displayed an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1 2016 that chains up to a Symantec root certificate as part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017.
“This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates,” he said.