Chrome bug triggered errors on websites using Symantec SSL certificates

The bug affected Chrome on all platforms, as well as the WebView component on Android

If you've encountered errors over the past month when trying to access HTTPS-enabled websites on your computer or Android phone, it might have been due to a bug in Chrome.

The bug affected the validation for some SSL certificates issued by Symantec, one of the world's largest certificate authorities, as well as by GeoTrust and Thawte, two CAs that Symantec also controls.

The bug was introduced in Chrome version 53, but also affected the Android WebView component that Android apps use to display Web content, said Rick Andrews, senior technical director at Symantec in a blog post Friday.

To fix this problem on Android, end users should upgrade to the most recent version of WebView and to the upcoming Chrome version 55, he said. "Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility."

Even though it's a system component, starting with Android 5.0 (Lollipop), the WebView is delivered as an application package that's upgradeable through the Google Play store.

Version 55 of the Android System WebView was released on Dec. 1, but Chrome for Android is still at version 54, which was released in late October.

Google made changes in version 54 of Chrome on Windows, Mac, Linux and iOS, as well as to Chromium and the Chrome Custom Tabs so that Symantec certificates no longer trigger trust errors. However, the issue is fully patched for all platforms in Chrome version 55, Andrews said.

The bottom line is that to be on the safe side you should upgrade all your Chrome-based software to version 55 as soon as it becomes available for your platform. For many platforms, this version was released on Dec. 1.

The problem actually originated with Google's decision to force Symantec to publish all the certificates issued by the company's CAs after June 1st to a public Certificate Transparency (CT) log.

This decision was taken after an internal Symantec investigation into the unauthorized issuing of an extended validation (EV) certificate for google.com last year missed over 150 other certificates issued without approval from domain owners. Symantec said at the time that the certificates had been issued for testing purposes and never actually left the company.

Since CAs depend on browser vendors to trust their root certificates inside their products, companies like Google, Mozilla, Microsoft and Apple can hold them to account when they violate certificate issuing rules. Following the Symantec incident, Google implemented a mechanism in Chrome version 53 to only trust certificates issued by the company after Jun. 1, 2016, that comply with the Certificate Transparency policy.

However, another mechanism in the browser sets a 10-week limit for trusting CT data, to avoid such information becoming stale. When this was combined with the CT-compliance check enforced for Symantec certificates it triggered unintended trust failures even for compliant certificates.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags internet

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?