Chrome bug triggered errors on websites using Symantec SSL certificates

The bug affected Chrome on all platforms, as well as the WebView component on Android

If you've encountered errors over the past month when trying to access HTTPS-enabled websites on your computer or Android phone, it might have been due to a bug in Chrome.

The bug affected the validation for some SSL certificates issued by Symantec, one of the world's largest certificate authorities, as well as by GeoTrust and Thawte, two CAs that Symantec also controls.

The bug was introduced in Chrome version 53, but also affected the Android WebView component that Android apps use to display Web content, said Rick Andrews, senior technical director at Symantec in a blog post Friday.

To fix this problem on Android, end users should upgrade to the most recent version of WebView and to the upcoming Chrome version 55, he said. "Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility."

Even though it's a system component, starting with Android 5.0 (Lollipop), the WebView is delivered as an application package that's upgradeable through the Google Play store.

Version 55 of the Android System WebView was released on Dec. 1, but Chrome for Android is still at version 54, which was released in late October.

Google made changes in version 54 of Chrome on Windows, Mac, Linux and iOS, as well as to Chromium and the Chrome Custom Tabs so that Symantec certificates no longer trigger trust errors. However, the issue is fully patched for all platforms in Chrome version 55, Andrews said.

The bottom line is that to be on the safe side you should upgrade all your Chrome-based software to version 55 as soon as it becomes available for your platform. For many platforms, this version was released on Dec. 1.

The problem actually originated with Google's decision to force Symantec to publish all the certificates issued by the company's CAs after June 1st to a public Certificate Transparency (CT) log.

This decision was taken after an internal Symantec investigation into the unauthorized issuing of an extended validation (EV) certificate for google.com last year missed over 150 other certificates issued without approval from domain owners. Symantec said at the time that the certificates had been issued for testing purposes and never actually left the company.

Since CAs depend on browser vendors to trust their root certificates inside their products, companies like Google, Mozilla, Microsoft and Apple can hold them to account when they violate certificate issuing rules. Following the Symantec incident, Google implemented a mechanism in Chrome version 53 to only trust certificates issued by the company after Jun. 1, 2016, that comply with the Certificate Transparency policy.

However, another mechanism in the browser sets a 10-week limit for trusting CT data, to avoid such information becoming stale. When this was combined with the CT-compliance check enforced for Symantec certificates it triggered unintended trust failures even for compliant certificates.

Tags internet

Show Comments