Google Chrome now only supports HTTPS connections. However, some websites are still marked with a warning message despite their HTTPS certification – namely, websites that use outdated certificates issued by Symantec. According to Google, Symantec has repeatedly issued incorrect certificates to thousands of domains, proving itself to be unsafe and unreliable on a number of occasions.
Google responded to these discrepancies by gradually distrusting Symantec-issued certificates, concluding with Chrome 66. Since April 17th, 2018, websites with TLS certificates that were issued by Symantec before June 6th, 2016, have been marked with a warning message stating that data on the website could be intercepted by third parties. Chrome 68 now displays a clear “Not Safe” warning. When the scheduled update from Chrome 68 to Chrome 70 takes place on October 23rd, 2018, this warning will become even more obvious for all Symantec certificates issued before December 1st, 2017. The “Not Secure” note will be displayed in red and highlighted as soon as users try to enter their data on an insecure website.
The number of domains that will be affected by this change was discovered by an Airbnb security technician working on their own initiative. 11,510 domains, or almost 10% of the most visited websites according to an Alexa ranking, will be marked as unsafe. The reason this number is so high is that Chrome 70 not only distrusts outdated certificates issued directly by Symantec, it will also blacklist certificates whose trust chain is based on Symantec's certificates (including GeoTrust, RapidSSL and Thawte). All Symantec certificate users are therefore advised to check the date of issue and get their certificate replaced free of charge if necessary.
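One way to run the date-of-issue check described above across a list of sites, as an added example that is not part of the original article. It assumes that matching the brand names in the leaf certificate's issuer field is a good enough heuristic (it is not Chrome's own distrust logic); the helper names and sample certificates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Brand names the article lists; matching on issuer text is this example's assumption.
LEGACY_BRANDS = ("symantec", "geotrust", "rapidssl", "thawte")
# Cut-off dates as stated in the article.
CHROME_66_CUTOFF = datetime(2016, 6, 6, tzinfo=timezone.utc)
CHROME_70_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

def issuer_text(cert):
    """Flatten the issuer RDNs of a getpeercert() dict into one lowercase string."""
    return " ".join(value for rdn in cert.get("issuer", ()) for _, value in rdn).lower()

def classify(cert):
    """Map a getpeercert()-style dict to the Chrome release that distrusts it."""
    if not any(brand in issuer_text(cert) for brand in LEGACY_BRANDS):
        return "not-symantec-chain"
    # notBefore is the issue date, in the format the ssl module reports it.
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued < CHROME_66_CUTOFF:
        return "distrusted-since-chrome-66"
    if issued < CHROME_70_CUTOFF:
        return "distrusted-from-chrome-70"
    return "issued-after-cutoffs"

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live leaf certificate; raises if the local trust store rejects the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def sample(org, cn, not_before):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)), "notBefore": not_before}

# Constructed sample data so the check runs offline.
SAMPLES = {
    "a.example": sample("GeoTrust Inc.", "RapidSSL SHA256 CA", "Mar 15 00:00:00 2016 GMT"),
    "b.example": sample("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4", "Feb  1 00:00:00 2017 GMT"),
    "c.example": sample("DigiCert Inc", "Thawte RSA CA 2018", "Mar  1 00:00:00 2018 GMT"),
    "d.example": sample("Example Trust Services", "Example TLS CA 1", "Jan 10 00:00:00 2016 GMT"),
}

if __name__ == "__main__":
    for host, cert in SAMPLES.items():
        print(f"{host}: {classify(cert)}")
```

To check a real site, pass the result of `fetch_cert("your.domain")` to `classify`; any result other than `issued-after-cutoffs` or `not-symantec-chain` means the certificate should be reissued.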