Experts commented this morning on Mozilla’s decision to delay distrusting Symantec certificates in Firefox. The stated rationale is that “well over 1% of the top 1-million websites are still using a Symantec certificate that will be distrusted.”
Mark Miller, Director of Enterprise Security Support at Venafi:
“Distrusting the lion’s share of the certificates on the internet can be painful. And it’s especially painful for organizations that don’t have an automated way to replace their certificates. In fact, many organizations don’t even have a complete inventory of their machine identities.
However, by delaying our distrust deadlines we’re leaving the window open for more data to fly out. As security professionals, we need to be able to draw a line and stand behind it with confidence, but to do this organizations will need to prioritize their ability to respond to these kinds of events.”
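The inventory gap Miller describes is the practical problem: before a distrust deadline an operator needs to know which of their own hosts still serve a certificate from the affected CA. The script below is an added example, not part of the original article or of any Venafi tooling. It works on the dictionary shape that Python's stdlib `ssl.SSLSocket.getpeercert()` returns, so the same triage function can run over certificates fetched live from one's own hosts or, as here, over a constructed offline inventory. The brand list used to recognise Symantec-operated issuers (Symantec, VeriSign, GeoTrust, Thawte, RapidSSL, Equifax) is an assumption made for this example; a real check should be validated against the browser vendors' published distrust lists.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer organisation names of CA brands operated under the Symantec PKI.
# Assumption for this example, not taken from the article: verify against
# the browser vendors' published list before relying on it.
SYMANTEC_BRANDS = {"symantec", "verisign", "geotrust", "thawte", "rapidssl", "equifax"}

# Constructed reference point for the offline sample (not a real deadline).
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)

# Constructed inventory mirroring the getpeercert() dict format:
# 'issuer' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
SAMPLE_INVENTORY = [
    ("shop.example", {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Symantec Corporation"),),
                   (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
        "notAfter": "Mar  1 00:00:00 2019 GMT",
    }),
    ("www.example", {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "DigiCert Inc"),),
                   (("commonName", "DigiCert SHA2 Secure Server CA"),)),
        "notAfter": "Jan  1 00:00:00 2020 GMT",
    }),
    ("intranet.example", {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "GeoTrust Inc."),),
                   (("commonName", "RapidSSL SHA256 CA"),)),
        "notAfter": "Sep  1 00:00:00 2018 GMT",
    }),
]


def fetch_cert(host, port=443, timeout=5.0):
    """Live fetch of a host's leaf certificate as a getpeercert() dict.

    Not exercised offline; for use against hosts one operates.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "organizationName":
                return value
    return ""


def is_symantec_legacy(cert):
    """True when the issuer organisation matches a Symantec-operated brand."""
    org = issuer_org(cert).lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)


def days_until_expiry(cert, now):
    """Days between `now` and the certificate's notAfter (UTC)."""
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(expires_at, tz=timezone.utc)
    return (expires - now).days


def triage(inventory, now):
    """Return (host, issuer, days_left) for affected hosts, longest-lived first.

    Certificates with the most validity remaining are listed first because
    they will not roll off through ordinary renewal before a distrust date
    and therefore need a deliberate replacement.
    """
    affected = [(host, issuer_org(cert), days_until_expiry(cert, now))
                for host, cert in inventory if is_symantec_legacy(cert)]
    return sorted(affected, key=lambda row: row[2], reverse=True)


def triage_sample():
    """Run the triage over the constructed inventory."""
    return triage(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for host, issuer, days_left in triage_sample():
        print(f"{host:20} {issuer:25} replace within {days_left} days")
```

To apply this to a real estate, replace `SAMPLE_INVENTORY` with `[(h, fetch_cert(h)) for h in hosts]` for the hostnames you operate; the triage logic itself is unchanged. Note that `getpeercert()` only returns a parsed dict when the context validated the chain, which is exactly the situation before the distrust takes effect.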
Scott Helme, security researcher (https://www.linkedin.com/in/scotthelme/):
“It’s a shame to see Mozilla stepping back the deadline on this action; after all, there was a very good reason the decision was made in the first place! For any change like this we see on the internet (the recent deprecation of SHA1 and migration to SHA256 is a great example), there are always sites that for some reason do not migrate in time. I think with enough notice and outreach, as has been the case with the Symantec distrust, the change should be rolled out as planned.
I don’t think moving back the deadline will impact consequences for any CA that may act in a similar way in the future. Symantec will still be removed and the additional allowance won’t have any impact on the consequences for them as a CA.”