Chrome 66 is coming, and it is part angel, part devil.
On the personal/privacy side, Chrome’s latest release will enable an in-demand feature like preventing video autoplay. But for marketers, aside from the video autoplay, there could be some very serious consequences. Given that Chrome is the dominant browser at ~60% of the market share, the Chrome 66 update could be catastrophic to your web traffic.
To veer off of our usual path on this blog, I wanted to raise the visibility of a technical issue that has the potential to severely impact our marketing operations.
Google’s Chrome products, including the Chrome browser and Chrome OS, have been calling out problems in Symantec’s certificate authority infrastructure for a number of months now. In July 2017, a post on the Google Security Blog pointed the finger squarely at Symantec:
Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.
Based on Symantec’s own blog post, their position seems to be that they’re too big to fail:
As the largest issuer of EV and OV certificates in the industry according to Netcraft, Symantec handles significantly larger volumes of validation workloads across more geographies than most other CA’s. To our knowledge, no other single CA operates at the scale nor offers the broad set of capabilities that Symantec offers today.
Normally, this type of security turf war doesn’t make it onto the radar, but this one is set to send out some pretty significant ripples. Let’s not forget the size of the combatants: Google is the largest provider of web browsing, and Symantec is the largest issuer of wildcard SSL certificates, so any actions by either one will catch the majority of us in the middle.
Google Chrome 66 is going to distrust any Symantec SSL certificate issued before June 1, 2016.
Chrome 66 was made available to the Chrome Beta channel on March 15, 2018 and will be released to Chrome Stable users around April 17, 2018.
The net result: two potentially devastating consequences for your marketing efforts
The first impact is to your website and landing page delivery. If your public-facing marketing infrastructure is covered by an older Symantec SSL certificate, your visitors will be blocked from your site and will receive the following message.
Ok, so that’s bad enough, but the issue goes much deeper.
Secondly, and much more insidiously, you could see a loss of functionality that affects your customer experience if you are using any web services or webhooks that are also secured by a Symantec certificate. This means that if you have dynamic updates or direct integrations from your website that enhance the customer experience, these updates and integrations may fail or use their fallback mode.
What can you do?
As a marketer, the first thing you need to do is check your systems:
- Begin with all your websites and landing page domains. You can use Symantec’s checker tool to see if any of your public assets are affected.
- Ask your web developers to check any web services that you consume. Ask them to check all the domains/URLs that are called via AJAX/XMLHttpRequest (XHR).
- If applicable, check your CMS’s plugins for SSL information and test their links.
- Check with your martech stack vendors. Most martech providers already have plans in place for this update, but it’s a best practice to have them confirm their plans with you. Here is Marketo’s response.
To find some of these errors, a simple option is to open Chrome’s DevTools console while loading your pages and look for the following security messages:
The SSL certificate used to load resources from https://example.test has been distrusted. See https://g.co/chrome/symantecpkicerts for more information.
example.test/soap/pluginapi:1 Failed to load resource: net::ERR_CERT_SYMANTEC_LEGACY
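As an added example that is not part of the original post, the following Python script applies the two checks described above: it classifies a server’s certificate the way Chrome 66 will treat it (assuming the Symantec brand names listed earlier identify a legacy issuer and using Chrome’s June 1, 2016 cutoff) and pulls affected hostnames out of saved console lines shaped like the two quoted above.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Symantec-operated CA brands named in the post; matched as substrings of the issuer name (assumption).
LEGACY_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl", "equifax")
# Chrome 66 distrusts certificates from those CAs whose notBefore date is earlier than this.
CHROME66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)

def issuer_name(cert):
    """Flatten the 'issuer' field of ssl.SSLSocket.getpeercert() into one lowercase string."""
    return " ".join(value for rdn in cert.get("issuer", ()) for _, value in rdn).lower()

def classify(cert):
    """Return 'ok', 'symantec-after-cutoff' or 'distrusted-chrome66' for a getpeercert() dict.
    Heuristic: keyed on the issuer's name, whereas Chrome keys on the legacy root key hashes."""
    if not any(brand in issuer_name(cert) for brand in LEGACY_BRANDS):
        return "ok"
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    if not_before < CHROME66_CUTOFF:
        return "distrusted-chrome66"
    return "symantec-after-cutoff"  # not hit by Chrome 66; still confirm the vendor's replacement plan

def check_host(host, port=443, timeout=5.0):
    """Connect to host, fetch the leaf certificate it presents and classify it (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())

def hosts_from_console(lines):
    """Pull hostnames out of Chrome console lines that report a distrusted Symantec certificate."""
    hosts = set()
    for line in lines:
        if "has been distrusted" in line or "ERR_CERT_SYMANTEC_LEGACY" in line:
            match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", line, re.IGNORECASE)
            if match:
                hosts.add(match.group(1).lower())
    return sorted(hosts)

if __name__ == "__main__":
    # Constructed certificate dict in the shape getpeercert() returns, and constructed console lines.
    old_cert = {"issuer": ((("organizationName", "Symantec Corporation"),),), "notBefore": "May 20 00:00:00 2016 GMT"}
    print(classify(old_cert))
    print(hosts_from_console(["The SSL certificate used to load resources from https://example.test has been distrusted.",
                              "example.test/soap/pluginapi:1 Failed to load resource: net::ERR_CERT_SYMANTEC_LEGACY"]))
```

Matching on the issuer name is a shortcut; Chrome identifies legacy certificates by the key hashes of Symantec’s roots, so treat a hit as a prompt to replace the certificate rather than as a definitive verdict.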
If you find any non-compliant SSL certificates, there’s no need to panic. You have about a month remaining to perform the updates. Work with your folks in IT, DevOps, and network operations to procure and deploy new SSL certificates. Updating the certificate itself is a two-minute task, but making sure you have covered all your bases is going to take some effort. Fortunately, both Let’s Encrypt and Comodo have offered to issue free SSL certificates for the remaining validity period of the old Symantec certificates to help with the transition.
At the end of the day, good marketing is as much about the mundane as it is about the flashy creative campaign you just launched. Fixing this SSL certificate issue may not be the sexiest task, but it is critical to ensuring a great customer experience and protecting your brand reputation.
Remember, this is all about delivering the best experience as marketers that we can. Customers don’t often give second chances if they have a bad experience the first time. They expect perfection, regardless of what maintenance it requires from us.