Toestenbordtoets met slotje

Distrust of Symantec SSL certificates

By Benjamin W. Broersma, developer in the team of Open State Foundation since July 2018.

With Pulse we monitor the state of HTTPS in the public sector. In the last update of August there were no big changes. Yesterday however, I got a SSL error when visiting sidn.nl and beta.overheid.nl (SIDN changed their certificate a few hours after notification). This is due to some changes in Chrome and Firefox which both will distrust Symantec SSL certificates over the next weeks (including the brand names GeoTrust, RapidSSL and thawte). This decision was announced long in advance and did not yet make big headlines, in contrast with the DigiNotar incident, although this time it concerns a way larger player in the market.

The code

Following these SSL errors I wondered how many public sector HTTPS websites were still using old Symantec SSL certificates. Using the domain name lists of Pulse, it’s easy to make a (poor-man’s Pulse) quick scan:

curl -sSf 'https://pulse.openstate.eu/data/domains/https.csv' | csvjson | jq '.[].URL|select(.[0:8]=="https://")|.[8:]' -r | xargs -P 20 -I% bash -c 'echo|timeout 5 openssl s_client -connect "%" -servername "%" -port 443 2>/dev/null | grep -E "^issuer=.*/O=(GeoTrust|thawte|Symantec)"|sed "s/^/%\t/"'
# needed packages: curl jq python3-csvkit openssl

Quick Scan results

Below you can find the list with 100 domain names that still have to change their SSL certificate, and in the next week the beta users of Chrome & Firefox browsers will see SSL errors when trying to visit there sites. The list is a snapshot taken on Monday 27 August 2018, it could be that some sites changed their SSL certificate in the mean time. Both SSL Labs Server Test and Chrome Developer tools give notice of Symantec SSL certificates, or test the website in Firefox nightly or Chrome canary.

Government

hetzorgverhaal.nl
lintjes.nl
rudnhn.nl
www.ameland.nl
www.bsgw.nl
www.bsr.nl
www.bunnik.nl
www.capelleaandenijssel.nl
www.heemskerk.nl
www.ikdoemee.nl*
www.kansspelautoriteit.nl
www.landerd.nl*
www.mijnnfi.nl
www.portofamsterdam.com
www.schiermonnikoog.nl*
www.staatsbosbeheer.nl
www.vechtstromen.nl

Heathcare

advisium.sheerenloo.nl
allerzorg.nl
de-tandarts.net*
dental-center.nl
dietistenmetsmaak.nl
dietisthilversum.nl
empathon.nl
huisartsenijsselmuiden.nl
huisartspraktijkmozaiek.nl
libranet.nl
medischcentrumaj.nl
natuurlijkbeter.com
nl.boots.com
psychopraktijkdronten.nl
rijndam.nl
spaarnegasthuis.nl
www.amaris.nl
www.bergmanclinics.nl
www.burgenvanriel.nl
www.davincikliniek.nl
www.fysio-debleek.nl
www.fysiotherapiehavenstraat.nl
www.fysiotherapierijnmond.nl
www.fysiotherapiewaldeck.nl
www.herlaarhof.nl
www.jeugdformaat.nl
www.kinderfysiotherapie-emmen.nl
www.noorderbrug.nl
www.pkzkraamzorg.com
www.pro-f.nl
www.revant.nl
www.sheerenloo.nl
www.sintlucasandreasziekenhuis.nl
www.spierziekten.nl
www.tandinzicht.nl
www.travelclinic.com
www.vosonline.net
www.vvaa.nl
www.zorggroepreinalda.nl
www.zuidzorg.nl
www.zuwehofpoort.nl
zeelandcare.com

Education

hotelschool.nl
vanlodenstein.nl
www.csdehoven.nl
www.derooipannen.nl

delinde.dse.nl
kameleon.dse.nl
www.dse.nl

diamant.pcboapeldoorn.nl
emma.pcboapeldoorn.nl
gong.pcboapeldoorn.nl
ichthus.pcboapeldoorn.nl
kompas.pcboapeldoorn.nl
kring.pcboapeldoorn.nl
kws.pcboapeldoorn.nl
ploeg.pcboapeldoorn.nl
terebint.pcboapeldoorn.nl

antoniusaxel.ogperspecto.nl
bsclinge.ogperspecto.nl
debrug.ogperspecto.nl
degeule.ogperspecto.nl
dekameleon.ogperspecto.nl
dekreeke.ogperspecto.nl
deschakel.ogperspecto.nl
destatie.ogperspecto.nl
dewereldboom.ogperspecto.nl
heidepoort.ogperspecto.nl
hetmozaiek.ogperspecto.nl
inghelosenberghe.ogperspecto.nl
irisschool.ogperspecto.nl
laureyn.ogperspecto.nl
marijkeschool.ogperspecto.nl
meerpaal.ogperspecto.nl
oostvogel.ogperspecto.nl
opweg.ogperspecto.nl
stjozef.ogperspecto.nl
terdoest.ogperspecto.nl
tgetij.ogperspecto.nl
tgeuzennest.ogperspecto.nl
tvogelnest.ogperspecto.nl
twijn.ogperspecto.nl
vlaswiek.ogperspecto.nl

* between the initial scan and checking of the command, these sites already changed their certificate (4 out of 100)

Timeline of Chrome & Firefox
Date Release
2018-06-25 First Nightly Firefox 63
2018-08-14 First Canary Chrome 70 (dev-channel)
2018-09-05 First Beta Firefox 63
2018-09-13 First Beta Chrome 70
2018-10-16 Chrome 70 release
2018-10-23 Firefox 63 release

 

envelope

Want to stay informed?