Mozilla has postponed its plans to distrust all legacy digital certificates from Symantec, spreading dismay in security circles.
The org has put off the disavowal because many well-trafficked websites have not switched – despite the execution notice going up over a year ago. Ordinary surfers will notice it once Chrome 70 lands, bringing with it warnings for Symantec-issued certs.
However, Firefox users using the latest beta release will not.
Mozilla reckoned more than 1 per cent of the top million websites are "still using a Symantec certificate that will be distrusted", prompting a decision to delay the change.
Unfortunately, because so many sites have not yet taken action, moving this change from Firefox 63 Nightly into Beta would impact a significant number of our users. It is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.
We prioritize the safety of our users and recognise the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.
El Reg covered the lack of preparation in some quarters earlier this week. The 1 per cent figure seems high – security researcher Scott Helme audited this late last month and discovered 1,139 of the top million sites were still relying on outmoded Symantec certs – but there's little doubt hundreds of sites still need to switch, something neither expensive nor time-consuming.
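Site operators who want to know whether they are among those still to switch can run a quick check of their own. The following Python helper is an added example, not code from the article or from any of the researchers it quotes: it parses the issuer line that `openssl x509 -noout -issuer` prints for a certificate and flags issuers carrying a legacy Symantec brand name. The brand list, the sample issuer lines and the function names are constructed assumptions for illustration. It is a heuristic only: the browsers distrust chains ending at specific legacy roots, and DigiCert has issued replacement certificates under the same brand names from its own roots, so a flagged issuer means "verify the chain", not "distrusted".

```python
"""Heuristic audit helper for legacy Symantec-branded TLS certificate issuers.

Added example, not from the article. Input is the text printed by
`openssl x509 -noout -issuer`; the brand list and sample lines below are
constructed for illustration.
"""
import re

# Brands that were operated under the Symantec CA hierarchy (assumption:
# illustrative list). The authoritative test is whether the chain ends at one
# of the distrusted roots, which browsers ship as fingerprints; post-acquisition
# DigiCert-issued certificates reuse these names and are NOT affected.
LEGACY_SYMANTEC_BRANDS = ("symantec", "verisign", "geotrust", "thawte", "rapidssl")

# Constructed sample lines in the `issuer=` format printed by openssl.
SAMPLE_ISSUERS = [
    "issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, "
    "CN = Symantec Class 3 Secure Server CA - G4",
    "issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, "
    "CN = DigiCert SHA2 Secure Server CA",
    "issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA",
    "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3",
]


def parse_dn(line):
    """Turn 'issuer=C = US, O = Foo, CN = Bar' into {'C': 'US', 'O': 'Foo', ...}.

    Values are matched lazily up to the next ', KEY = ' separator so that
    spaces, periods and hyphens inside a value are preserved.
    """
    if line.startswith("issuer="):
        line = line.split("=", 1)[1]
    return dict(re.findall(r"(\w+) = (.+?)(?=, \w+ = |$)", line))


def is_legacy_symantec(issuer_line):
    """True when O, OU or CN of the issuer contains a legacy Symantec brand."""
    fields = parse_dn(issuer_line)
    haystack = " ".join(fields.get(k, "") for k in ("O", "OU", "CN")).lower()
    return any(brand in haystack for brand in LEGACY_SYMANTEC_BRANDS)


def audit(issuer_lines):
    """Return (issuer CN, flagged) pairs so results can be reviewed in bulk."""
    return [(parse_dn(l).get("CN", "?"), is_legacy_symantec(l)) for l in issuer_lines]


if __name__ == "__main__":
    for cn, flagged in audit(SAMPLE_ISSUERS):
        status = "CHECK CHAIN (legacy Symantec brand)" if flagged else "ok"
        print(f"{cn}: {status}")
```

To check a live site, feed the helper the output of `openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer`; the definitive answer remains whether Firefox Nightly, where the distrust is already enabled, accepts the chain.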
Respected UK cybersecurity pro Kevin Beaumont commented: "The browser makers need to pull the trigger on the original plan. It will inconvenience some users, but ultimately website operators need to take charge of this."
Helme questioned Mozilla's rationale. "Site operators are waiting until the last possible day before replacing legacy Symantec certs so we're pushing the date back to allow them more time. I'm not sure the logic holds," he said.
Following several transgressions, a community decision was made over a year ago to distrust TLS certificates issued by the Symantec Certification Authority and its legacy brands. That is still the plan, even though Mozilla's move means the makers of the most widely used browsers will not be in step in applying it.
"I haven't seen any signals from other browsers about delaying the distrust," Helme told El Reg. ®