Symantec to Revoke SSL Certificates Starting Oct. 1

The CA/B Forum and NIST have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048-bit after the last day of 2013
The CA/B Forum and NIST have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048-bit after the last day of 2013

As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with readily-available processing capabilities, according to the Certification Authority/Browser (CA/B) Forum and the US National Institute of Standards and Technology (NIST). The two have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048-bit after the end-of-the-year deadline.

However, “Symantec will revoke some certificates with encryption below 2048-bit as early as Oct. 1, 2013, to help its customers avoid potential disruptions to their sites during holiday internal site lockdown periods,” wrote Symantec’s Tom Powledge in a blog. “If you have any SSL certificates with less than 2048-bit keys, now is the time to upgrade.”

If users do not act before their certificate is revoked, whether it be Oct. 1 by Symantec or Dec. 31 by CA/B Forum and NIST, it could lead to any number of less-than-ideal situations, he added. Those include browsers blocking visitors from a company website, customers receiving security warnings before visiting, transactions left unprotected and susceptible to fraud, and Trust Seals disappearing from websites.

“All of these deter site visitors from completing transactions and trusting your site,” Powledge said. “Potential non-financial ramifications also include damage to your brand or customer attrition and decreased lifetime value because customers feel they didn’t receive sufficient notifications – all of which could lead to loss of business to a competitor.”

Symantec customers with SSL certificates below 2048-bit that expire before Dec. 31, 2013, must renew those certificates with 2048-bit certificate signing requests (CSRs). Certificates that expire before the end of the year will not be automatically revoked on Oct. 1.

Customers with certificates below 2048-bit that expire after Dec. 31, 2013, must revoke and replace those certificates with 2048-bit CSRs, or the certificate will be automatically revoked as soon as Oct. 1.

Customers with SSL certificates containing 2048-bit keys (or higher) will not be impacted.

“Threats to data security are not only growing but evolving,” Powledge said. “Therefore, it’s imperative that we evolve and upgrade our security features as well to stay ahead of these threats, meet new mandates and maintain the security and trust that people expect. As the trusted and established leader among CAs, Symantec emphatically believes that advancing and adhering to CA/B Forum and other security best practices is in the best interest of our customers, our customers’ customers, and trust on the internet.”

What’s Hot on Infosecurity Magazine?