July 14, 2020

Symantec Lands on the Never Trust List

Google says Symantec has mis-issued at least 30,000 certificates over the past few years. This is a huge deal, since a Certificate Authority’s ONLY job is to be TRUSTED.  If you can’t trust them, they have no reason to exist.  Frankly, Google has to play nice in the grand scheme of things, since it can’t break a large chunk of the web for Chrome users overnight.  I’m taking a more hostile approach by proactively adding them to my Never Trust list on all my machines.  I’ll describe how to do this on a Mac below, but first here is what Google is proposing for Chrome:

  • Eventually, Chrome won’t accept a Symantec-issued certificate that is valid for more than 9 months (~279 days).
  • Rather than distrusting them immediately, Google is taking an incremental distrust approach.  Over a series of Chrome releases, the maximum validity period Chrome will accept for currently-trusted Symantec certificates shrinks as follows; anything longer-lived will have to be replaced:
    • Chrome 59 (Dev, Beta, Stable): 33 months validity (1023 days)
    • Chrome 60 (Dev, Beta, Stable): 27 months validity (837 days)
    • Chrome 61 (Dev, Beta, Stable): 21 months validity (651 days)
    • Chrome 62 (Dev, Beta, Stable): 15 months validity (465 days)
    • Chrome 63 (Dev, Beta): 9 months validity (279 days)
    • Chrome 63 (Stable): 15 months validity (465 days)
    • Chrome 64 (Dev, Beta, Stable): 9 months validity (279 days)
  • Chrome will stop recognizing the Extended Validation (EV) status of Symantec certificates, for a minimum of one year.

There are potentially 30,000 certs in the wild that could be used to make you trust hostile websites.  I don’t ever want to land on one without knowing it, so this is how I added Symantec to the Never Trust list on my Macs.  If you want to see the Windows version, let me know.  One caveat before you start: this edits the macOS system trust store, which Safari and most other Mac apps consult, but Firefox ships its own root store and needs the same change made separately.  First you have to open Keychain Access.  Use Spotlight search to locate it.

Click “System Roots” under “Keychains”, if it isn’t already selected; Apple’s built-in root CAs live there.  Scroll down to the list of Symantec certificates.  Double click the first one to open its settings.

With the certificate settings open, click the arrow next to “Trust”.

Open the “When using this certificate” dropdown.

Select “Never Trust”.

That should set all of the other dropdowns to “Never Trust”.

Save and exit by closing the window (the red circle).

As a security precaution, you will be prompted to allow this by entering your credentials; an administrator account is required, since you are changing system-wide trust settings.

Repeat the above steps for all Symantec certificates.  On my machines, there were 6 Symantec certificates.  After I looped through the above steps for all 6 certs, it looked like this…
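The same procedure from the command line, as an added example that is not part of the original post: it drives macOS’s built-in security tool instead of clicking through Keychain Access, so you can repeat it on every machine without six rounds of dropdowns.  The keychain paths, the name match done by find-certificate -c, and the use of -r deny as the CLI spelling of “Never Trust” are my assumptions about the tool, so read the subjects it prints before you answer y.

```shell
#!/bin/sh
# Added example (not from the original post): CLI equivalent of the Keychain Access
# steps, built on macOS's `security` tool.  Exports every system root whose name
# matches NAME, prints each subject for review, then marks each one "Never Trust"
# (trust result "deny") in the admin trust domain, which is what the GUI writes when
# you pick "Never Trust" on an item shown under System Roots.
# Assumptions: macOS, sudo rights, and that `find-certificate -c` matches on the
# certificate's name.  Only the PEM splitter below is portable to other platforms.
set -eu

ROOTS_KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# split_pem_bundle BUNDLE OUTDIR: write each BEGIN/END CERTIFICATE block of BUNDLE
# to OUTDIR/cert-N.pem (N from 1) and print how many were written.  awk only.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { close(f); inblock = 0 }
        END { print n + 0 }
    ' "$1"
}

# never_trust CERT_PEM: apply "Never Trust" to one certificate.
# -d = admin (system-wide) trust settings, -r deny = the "Never Trust" result.
never_trust() {
    sudo security add-trusted-cert -d -r deny -k "$SYSTEM_KEYCHAIN" "$1"
}

# distrust_roots_matching NAME: the whole procedure.  macOS only.
distrust_roots_matching() {
    workdir=$(mktemp -d)
    security find-certificate -a -c "$1" -p "$ROOTS_KEYCHAIN" > "$workdir/bundle.pem"
    count=$(split_pem_bundle "$workdir/bundle.pem" "$workdir/certs")
    [ "$count" -gt 0 ] || { echo "no root certificate matches '$1'"; return 0; }
    echo "$count root certificate(s) match '$1':"
    for cert in "$workdir"/certs/cert-*.pem; do
        openssl x509 -in "$cert" -noout -subject    # eyeball these before continuing
    done
    printf 'Mark all of them Never Trust? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted"; return 1; }
    for cert in "$workdir"/certs/cert-*.pem; do
        never_trust "$cert"
    done
    security dump-trust-settings -d    # show what the admin trust domain now records
}

# write_demo_bundle FILE: a constructed two-certificate bundle (placeholder base64,
# not real certificates) so the splitter can be exercised on any platform.
write_demo_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderOne
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderTwo
-----END CERTIFICATE-----
EOF
}

if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--apply" ]; then
    distrust_roots_matching "${2:-Symantec}"
else
    demo=$(mktemp -d)
    write_demo_bundle "$demo/bundle.pem"
    echo "demo: $(split_pem_bundle "$demo/bundle.pem" "$demo/certs") certificate(s) split into $demo/certs"
fi
```

Run it as ./distrust.sh --apply Symantec on a Mac; with no arguments, or on any other OS, it only exercises the splitter on the constructed bundle.  Running it again with VeriSign, thawte or GeoTrust as the name covers the other roots Symantec operates under those brands, and security dump-trust-settings -d lets you confirm the deny entries afterwards.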

Now, ironically, if you go to symantec.com you will notice that the site itself is secured by a VeriSign EV certificate.  That is less of an escape hatch than it looks: Symantec has owned VeriSign’s CA business since 2010, and Google’s plan covers every root Symantec operates, under the VeriSign, Thawte, GeoTrust, RapidSSL and Equifax brands as well.  So if you take the Never Trust approach, don’t stop at the certificates with “Symantec” in the name; the VeriSign, Thawte and GeoTrust roots in System Roots are the same operator.