Google Chrome’s Plan to Distrust Symantec Certificates

In a web-enabled world, we always seem to be moving faster, working harder, and getting more done.  This is because technology has allowed us to communicate faster, respond to things faster, find answers more quickly, screw up faster and then identify and fix those screw ups more quickly.  If you work with anyone over 60, ask them about the golden years when you would write a memo and it would take days to get delivered.  A meeting was something worked out by secretaries and an impromptu meeting could only happen if everyone happened to be in the office at the time, and even then, it took someone physically running around to find everyone who should attend the meeting, not just a barrage of emails and digital meeting invites appearing on your phone.  No “calling it in” while you’re returning from your coffee run or dropping the kids off at school.  This is exactly what our technologies allow for.  And, that means that when something comes up that we need to address around our websites, we can typically at least “get the wheels turning” quickly.  Get ready to use that technology to get your website(s) ready for 2018, thanks to Google and the stack of changes expected to become harder rules.

Securing Your Website(s)

So, hopefully you moved your website to HTTPS to avoid issues from Google in organic search results. If you haven’t, get on that and make sure you properly map and test all redirects ASAP or “suffer the consequences” of being behind the 8-ball.  Google wants to make the web more secure for users (Google loves happy users as it means more queries/market share and more $$$), especially in the continuing age of security threats, hacker-supportive governments (looking at you Russia) and all the malware and spyware injectors out there, not to mention bad and/or black-hat SEOs.  So, for the sake of moving on, let’s say you know this AND did already move your site to HTTPS.

Mobile-First Indexation

Now that you moved your website(s) to HTTPS, you are hopefully finally able to focus on making sure your mobile website is ready for the impending Google switch to a true “mobile-first” methodology by reviewing all your rendering for the smaller screen size.  Maybe you, your design team, your IT team and your SEO team have already been evaluating all the various pages, looking at what has been relegated to ‘off-canvas’ at that display size so that you can figure out how to reincorporate it visually.  Remember all those things you did (or didn’t do) to determine how to visually optimize your mobile site?  You know, hiding page content that seemed superfluous since it was indexed on the Desktop, those extra contact options that seemed redundant on the smaller screen, or those extra menu options that didn’t fit well into your hamburger style mobile menu because they were at the 3rd tier or below and that many narrowing sub-menus just seemed like an annoyance…yeah, all those things.  Well, now you’re ready to undo all of that, employ new technologies and even potentially rewrite your entire taxonomy to make the menus more concise.  Congrats, you are on track for this…wait, what is this about Google and Symantec certificates (← read this ASAP)…um…hang on team, gotta put this on pause as we…oh, ugh…*bangs head on desk*

Chrome’s Plan to Distrust Symantec Certificates

Now this feels like the crazy “Google dances” that became so famous so many years ago.  Google makes changes, sometimes very publicly called out on marketing blogs and other more obscure things that “those in the know” seem to be aware of (how many of you religiously read the Google Security blog?).  This is one of ‘those’ things.  Yet another thing to deal with and this one means a lot more dependence on 3rd parties knowing and addressing this.  Well, let’s shift the “mobile-first” project to the slow lane and deal with this impending disaster that could undo any and all work we have done.

NOTE:  If you don’t/didn’t know about this, don’t feel bad; apparently Amazon.com does not either and their primary certificate is from Symantec as shown in the blue box in the screenshot below (I bet Google does not penalize them though):

Lucky for Amazon, they are a huge company who uses their own web services for everything (because they can), so all it takes for them to fix this is a global update for all certificates they use away from the old, now untrusted Symantec certificates.  For them, it will be less painful because of this.  For most of the rest of us, well, it won’t be that easy as we will have to depend on others to make the updates timely.

In digging into this over the past week or so, we have been able to identify a variety of issues that are getting flagged for this.  We have now seen local BBB badges and global PayPal badges getting flagged.  We have seen a TON of 3rd party tracking tags getting flagged, everything from Casale Media tags to AdRoll and others.  Even AddThis, the popular social sharing widget/plugin for WordPress, is getting flagged.

This is where the problem comes in, along with the feeling of despair, as we begin to realize that a lot of the fixes for this are going to be tied to 3rd parties like these finding out about AND prioritizing updating all of their security certificates ASAP.

What We Have Recommended to Our Clients

First off, we have recommended every client check every page type template that they have using the Chrome Developer Tools to see what is getting flagged on their website(s).  Once this is done and the list is handed off to the marketing team, we recommend having them reach out to their contacts while also filing IT support tickets with these 3rd parties to increase awareness.  If enough people push the awareness and put on pressure to get the *very* common resources that are being flagged updated, then that increases the chance for all of us to get through this less scathed.
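
A scripted companion to the manual DevTools check, added here as an example and not taken from Google's announcement or from any tool named in this post: it collects the HTTPS resource hosts a page template loads and flags those whose certificate issuer organization carries a Symantec brand name. The brand list and the 1 June 2016 cutoff follow Google's announcement, the host names are placeholders, and the issuer-name match is a heuristic, so the Chrome DevTools console remains the authoritative check.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names of Symantec's CA business, as listed in Google's announcement.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "verisign", "equifax", "rapidssl")
# Per that announcement, certificates issued before 1 June 2016 lose trust first.
FIRST_PHASE_CUTOFF = ssl.cert_time_to_seconds("Jun 01 00:00:00 2016 GMT")
# Constructed sample template; every host name in it is a placeholder.
SAMPLE_TEMPLATE = """<script src="//cdn.example.com/share.js"></script>
<img src="https://badges.example.org/seal.png"><a href="https://links.example.net/">x</a>"""

class ResourceHosts(HTMLParser):
    """Collect hosts of HTTPS subresources ('//host/..' counts; <a> links do not)."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs if tag in ("script", "img", "iframe", "link") else ():
            if name in ("src", "href") and value:
                url = urlparse("https:" + value if value.startswith("//") else value)
                if url.scheme == "https" and url.hostname:
                    self.hosts.add(url.hostname)

def classify(cert):
    """Heuristic over the dict returned by ssl.SSLSocket.getpeercert()."""
    issuer = {key: val for rdn in cert.get("issuer", ()) for key, val in rdn}
    org = issuer.get("organizationName", "").lower()
    if not any(brand in org for brand in SYMANTEC_BRANDS):
        return "ok"
    early = ssl.cert_time_to_seconds(cert["notBefore"]) < FIRST_PHASE_CUTOFF
    return "symantec-early" if early else "symantec-later"

def fetch_cert(host, timeout=5):
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(html, fetch=fetch_cert):
    parser = ResourceHosts()
    parser.feed(html)
    report = {}
    for host in sorted(parser.hosts):
        try:
            report[host] = classify(fetch(host))
        except OSError as exc:  # covers ssl.SSLError, e.g. a chain already distrusted
            report[host] = "error:" + type(exc).__name__
    return report
```

Calling `audit(template_html)` on a saved page template returns one verdict per resource host; an `error:SSLCertVerificationError` entry means the local trust store already rejects that host's chain and deserves the same follow-up as a flagged one.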

So, if you find yourself with any connection to the success of the business you work for, share this.  Let’s make sure this does not slip through the cracks; after all, we are not all Amazon where Google is going to simply “make a temporary exception” for this.  Unlike the large web presences like Amazon, we will all feel the penalties and effects of this.

To this end, please, please share this or the Google article from the Security blog linked above.  That way, we can all get back to simpler things like the complete evaluation and redesign of our mobile sites and the focus on mobile site speed so we’re ready for the “mobile-first” Google revolution.