Symantec SSL certs' risk & remediation

Q1:
Is the following a valid risk & any CVSS rating assigned to it?:
Symantec SSL certificates are rated by Google & Mozilla as risky, and they recommend deprecating them prematurely, even before their expiry; URL:
https://blog.qualys.com/ssllabs/2017/09/26/google-and-mozilla-deprecating-existing-symantec-certificates

Q2:
Which other vendors' SSL certs would you recommend to replace Symantec's?

Q3:
If we don't replace them, what are the mitigating controls we can put in place?

Can it wait till Oct 2018 to remediate?
sunhux asked:
btan (Exec Consultant) commented:
Q1. No CVEs per se, but there are deficiencies in the audit findings on the CA's issuance processes and oversight. This leads to distrust and a lack of validation of the integrity of the certificates. If you cannot trust a CA's doings, how can you trust its products? Will you take the risk, even to start off, if you know they have assumed trust but misplaced it?

https://wiki.mozilla.org/CA:Symantec_Issues

2. DigiCert. In fact, I still see that Symantec can be trusted, as once bitten, twice shy. They were hit badly and would have built in rigor to correct the findings and better themselves.

The events that prompted Google to propose these changes have been addressed with the utmost transparency. We are working hard to ensure that this proposal does not create disruption for you.
Since then, I have yet to hear of another such case.

3. If your certificate was issued by one of these companies before June 16, 2016, then you need to replace it before March 2018. For directions on updating and replacing, contact your certificate provider. Being without a trusted certificate may jeopardise your system. You can probably take a risk-measured approach: prioritise those online systems using the affected certificates, and do the internal closed systems at a later stage, going for an internal CA instead. Plan well and do not go big bang. The security monitoring and the regime of testing and patching must be done diligently; do not let them lapse. Know your footprint.

https://www.riskiq.com/blog/external-threat-management/symantec-issued-ssl-certificates/
2
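Worked example, added here and not part of the thread or of any CA's own tooling: a Python triage script that answers "can it wait till Oct 2018" per certificate. It takes the output of `openssl x509 -noout -subject -issuer -startdate` for each certificate in an inventory and maps issuer brand plus issuance date onto the published distrust milestones: Chrome 66 (April 2018) and Firefox 60 (May 2018) stop trusting Symantec-PKI certificates issued before 1 June 2016, and Chrome 70 / Firefox 63 (October 2018) stop trusting the rest. The three certificates in SAMPLE are constructed, and the brand list, the cutoff date and the milestone labels are the example's own assumptions.

```python
"""Triage TLS certificates against the Symantec distrust timeline.

Added example, not from the original thread. Input is the text produced by
`openssl x509 -noout -subject -issuer -startdate` for each certificate in an
inventory; the three certificates in SAMPLE are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed brand list: CAs that issued from the Symantec-operated PKI whose
# roots Google and Mozilla are distrusting. Matched against the issuer DN.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

# Certificates issued before this date lose trust in the earlier release.
EARLY_CUTOFF = datetime(2016, 6, 1)
DISTRUST_EARLY = "Chrome 66 (April 2018) / Firefox 60 (May 2018)"
DISTRUST_LATE = "Chrome 70 / Firefox 63 (October 2018)"
NOT_AFFECTED = "not affected"

# Constructed sample inventory, in OpenSSL 1.1 output format.
SAMPLE = """\
subject=CN = www.example.com
issuer=C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
notBefore=Mar  9 00:00:00 2016 GMT

subject=CN = api.example.com
issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
notBefore=Aug 21 00:00:00 2017 GMT

subject=CN = intranet.example.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
notBefore=Jan  5 00:00:00 2017 GMT
"""


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime


def parse_openssl_text(text):
    """Parse blank-line-separated openssl output blocks into Cert objects."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
        # OpenSSL pads single-digit days with a space; normalise before parsing.
        when = " ".join(fields["notBefore"].replace("GMT", "").split())
        certs.append(Cert(fields["subject"], fields["issuer"],
                          datetime.strptime(when, "%b %d %H:%M:%S %Y")))
    return certs


def is_symantec_issued(cert):
    """Heuristic: the issuer DN names one of the Symantec-run brands."""
    return any(brand in cert.issuer.lower() for brand in SYMANTEC_BRANDS)


def distrust_milestone(cert):
    """Return the browser release that will stop trusting this certificate."""
    if not is_symantec_issued(cert):
        return NOT_AFFECTED
    return DISTRUST_EARLY if cert.not_before < EARLY_CUTOFF else DISTRUST_LATE


def triage(text):
    """Return [(subject, milestone)] with the most urgent certificates first."""
    order = {DISTRUST_EARLY: 0, DISTRUST_LATE: 1, NOT_AFFECTED: 2}
    rows = [(c.subject, distrust_milestone(c)) for c in parse_openssl_text(text)]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for subject, milestone in triage(SAMPLE):
        print(f"{subject:40} {milestone}")
```

Run it as `python3 triage.py` against the output of the openssl command concatenated over your inventory. Issuer-name matching is a heuristic: a certificate whose issuer still carries a Symantec, GeoTrust, Thawte or RapidSSL brand but was issued from DigiCert's infrastructure after 1 December 2017 chains to DigiCert roots and is not distrusted, so for anything borderline confirm which root the chain actually ends in before deciding it can wait.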
ArneLovius commented:
The reason that Symantec are marked as risky is that they issued certificates that they should not have.

There is no difference in the security of any certificate, which is why, for any certificates that do not require an EV "green label", I mostly use Let's Encrypt.

For certificates that require an EV "green label": DigiCert, GoDaddy, or Thawte, but probably not Comodo.

I would recommend that any Symantec certificates be replaced with alternatives ASAP.
2
kevinhsieh commented:
A3. There are no mitigating controls other than replacing the certificate.

A1. The issue is that your users/customers may not trust you as the certificate was signed by an untrustworthy source.

A2. I wouldn't use Let's Encrypt, as it is a free certificate which has been abused by scammers. Paying some amount of money for a certificate helps distinguish you from a malicious actor who is less willing to pay any money. DigiCert is highly reputable and not very expensive.
1
ArneLovius commented:
@kevinhsieh I don't follow what you are saying about Let's Encrypt; >99.99% of browser users do not check who issued the certificate, just that there _is_ a certificate. I certainly don't follow what you mean by "scammers".
0
btan (Exec Consultant) commented:
For author advice
0