Chrome 66 is coming, and it is part angel, part devil. On the personal/privacy side, Chrome's latest release will enable an in-demand feature like preventing video autoplay. But for marketers, aside from the video autoplay, there could be some very serious consequences. Given that Chrome is the dominant browser at ~60% of the market share, the Chrome 66 update could be catastrophic to your web traffic.
To veer off of our usual Marketo focus on this blog, I wanted to raise the visibility of a technical issue that has the potential to severely impact our marketing operations.
Google’s Chrome products, including the Chrome browser and Chrome OS, have been calling out vulnerabilities in Symantec’s security certificate infrastructure for a number of months now. In July 2017, a post on the Google Security pointed the finger squarely at Symantec:
Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.
Based on Symantec’s own blog post, their position seems to be that they’re too big to fail:
As the largest issuer of EV and OV certificates in the industry according to Netcraft, Symantec handles significantly larger volumes of validation workloads across more geographies than most other CA’s. To our knowledge, no other single CA operates at the scale nor offers the broad set of capabilities that Symantec offers today.
Normally, this type of security turf war doesn’t make it onto the radar, but this one is set to send out some pretty significant ripples. Let's not forget the size of the combatants: Google is the largest provider of web browsing, and Symantec is the largest issuer of wildcard SSL certificates, so any actions by either one will catch the majority of us in the middle.
Google Chrome 66 is going to depreciate any Symantec SSL certificate issued before January 1, 2016.
Chrome 66, was made available to the Chrome Beta channel on March 15, 2018 and will be released to Chrome Stable users around April 17, 2018.
The net result - two potentially devastating consequences for your marketing efforts.
The first impact is to your website and landing page delivery. If your public-facing marketing infrastructure is covered by an older Symantec SSL certificate, your visitors will be blocked from your site and will receive the following message.
Ok, so that’s bad enough, but the issue goes much deeper.
Secondly, and much more insidiously, you could see a loss of functionality that affects your customer experience if you are using any web services or webhooks that are also secured by a Symantec certificate. This means that if you have dynamic updates or direct integrations from your website that enhance the customer experience, these updates and integrations may fail or use their fallback mode.
What can you do?
As a marketer, the first thing you need to do is check your systems and platforms that you've been using across the board (for example, here is Marketo’s response.)
For more information on how to handle this issue (and keep ensuring a great customer experience and protecting your brand reputation), check out DemandLab's post on how to check if you're affected and what options you have.