{"id":8020,"date":"2018-08-28T17:13:32","date_gmt":"2018-08-28T15:13:32","guid":{"rendered":"https:\/\/openstate.eu\/en\/?p=8020"},"modified":"2022-02-25T10:33:45","modified_gmt":"2022-02-25T09:33:45","slug":"distrust-of-symantec-ssl-certificates","status":"publish","type":"post","link":"https:\/\/openstate.eu\/en\/2018\/08\/distrust-of-symantec-ssl-certificates\/","title":{"rendered":"Distrust of Symantec SSL certificates"},"content":{"rendered":"

By Benjamin W. Broersma, developer in the team<\/a> of Open State Foundation since July 2018.<\/em><\/p>\n

With Pulse<\/a> we monitor the state of HTTPS in the public sector. In the last update of August there were no big changes. Yesterday however, I got a SSL error when visiting sidn.nl and beta.overheid.nl (SIDN changed their certificate a few hours after notification). This is due to some changes in Chrome<\/a> and Firefox<\/a> which both will distrust Symantec SSL certificates over the next weeks (including the brand names GeoTrust, RapidSSL and thawte). This decision was announced long in advance and did not yet make big headlines, in contrast with the DigiNotar incident<\/a>, although this time it concerns a way larger player in the market.<\/p>\n

The code<\/h3>\n

Following these SSL errors I wondered how many public sector HTTPS websites were still using old Symantec SSL certificates. Using the domain name lists of Pulse, it’s easy to make a (poor-man’s<\/em> Pulse) quick scan:<\/p>\n

curl -sSf 'https:\/\/pulse.openstate.eu\/data\/domains\/https.csv' | csvjson | jq '.[].URL|select(.[0:8]==\"https:\/\/\")|.[8:]' -r | xargs -P 20 -I% bash -c 'echo|timeout 5 openssl s_client -connect \"%\" -servername \"%\" -port 443 2>\/dev\/null | grep -E \"^issuer=.*\/O=(GeoTrust|thawte|Symantec)\"|sed \"s\/^\/%\\t\/\"'\r\n# needed packages: curl jq python3-csvkit openssl\r\n<\/pre>\n
<\/h3>\n
Quick Scan results<\/h3>\n
Below you can find the list with 100 domain names that still have to change their SSL certificate, and in the next week the beta users of Chrome & Firefox browsers will see SSL errors when trying to visit there sites. The list is a snapshot taken on Monday 27 August 2018, it could be that some sites changed their SSL certificate in the mean time. Both SSL Labs Server Test<\/a> and Chrome Developer tools<\/a> give notice of Symantec SSL certificates, or test the website in Firefox nightly<\/a> or Chrome canary<\/a>.<\/p>\n
Government<\/h3>\n
hetzorgverhaal.nl\r\nlintjes.nl\r\nrudnhn.nl\r\nwww.ameland.nl\r\nwww.bsgw.nl\r\nwww.bsr.nl\r\nwww.bunnik.nl\r\nwww.capelleaandenijssel.nl\r\nwww.heemskerk.nl\r\nwww.ikdoemee.nl*\r\nwww.kansspelautoriteit.nl\r\nwww.landerd.nl*\r\nwww.mijnnfi.nl\r\nwww.portofamsterdam.com\r\nwww.schiermonnikoog.nl*\r\nwww.staatsbosbeheer.nl\r\nwww.vechtstromen.nl<\/pre>\n
<\/h3>\n
Heathcare<\/h3>\n
advisium.sheerenloo.nl\r\nallerzorg.nl\r\nde-tandarts.net*\r\ndental-center.nl\r\ndietistenmetsmaak.nl\r\ndietisthilversum.nl\r\nempathon.nl\r\nhuisartsenijsselmuiden.nl\r\nhuisartspraktijkmozaiek.nl\r\nlibranet.nl\r\nmedischcentrumaj.nl\r\nnatuurlijkbeter.com\r\nnl.boots.com\r\npsychopraktijkdronten.nl\r\nrijndam.nl\r\nspaarnegasthuis.nl\r\nwww.amaris.nl\r\nwww.bergmanclinics.nl\r\nwww.burgenvanriel.nl\r\nwww.davincikliniek.nl\r\nwww.fysio-debleek.nl\r\nwww.fysiotherapiehavenstraat.nl\r\nwww.fysiotherapierijnmond.nl\r\nwww.fysiotherapiewaldeck.nl\r\nwww.herlaarhof.nl\r\nwww.jeugdformaat.nl\r\nwww.kinderfysiotherapie-emmen.nl\r\nwww.noorderbrug.nl\r\nwww.pkzkraamzorg.com\r\nwww.pro-f.nl\r\nwww.revant.nl\r\nwww.sheerenloo.nl\r\nwww.sintlucasandreasziekenhuis.nl\r\nwww.spierziekten.nl\r\nwww.tandinzicht.nl\r\nwww.travelclinic.com\r\nwww.vosonline.net\r\nwww.vvaa.nl\r\nwww.zorggroepreinalda.nl\r\nwww.zuidzorg.nl\r\nwww.zuwehofpoort.nl\r\nzeelandcare.com<\/pre>\n
<\/h3>\n
Education<\/h3>\n
hotelschool.nl\r\nvanlodenstein.nl\r\nwww.csdehoven.nl\r\nwww.derooipannen.nl\r\n\r\ndelinde.dse.nl\r\nkameleon.dse.nl\r\nwww.dse.nl\r\n\r\ndiamant.pcboapeldoorn.nl\r\nemma.pcboapeldoorn.nl\r\ngong.pcboapeldoorn.nl\r\nichthus.pcboapeldoorn.nl\r\nkompas.pcboapeldoorn.nl\r\nkring.pcboapeldoorn.nl\r\nkws.pcboapeldoorn.nl\r\nploeg.pcboapeldoorn.nl\r\nterebint.pcboapeldoorn.nl\r\n\r\nantoniusaxel.ogperspecto.nl\r\nbsclinge.ogperspecto.nl\r\ndebrug.ogperspecto.nl\r\ndegeule.ogperspecto.nl\r\ndekameleon.ogperspecto.nl\r\ndekreeke.ogperspecto.nl\r\ndeschakel.ogperspecto.nl\r\ndestatie.ogperspecto.nl\r\ndewereldboom.ogperspecto.nl\r\nheidepoort.ogperspecto.nl\r\nhetmozaiek.ogperspecto.nl\r\ninghelosenberghe.ogperspecto.nl\r\nirisschool.ogperspecto.nl\r\nlaureyn.ogperspecto.nl\r\nmarijkeschool.ogperspecto.nl\r\nmeerpaal.ogperspecto.nl\r\noostvogel.ogperspecto.nl\r\nopweg.ogperspecto.nl\r\nstjozef.ogperspecto.nl\r\nterdoest.ogperspecto.nl\r\ntgetij.ogperspecto.nl\r\ntgeuzennest.ogperspecto.nl\r\ntvogelnest.ogperspecto.nl\r\ntwijn.ogperspecto.nl\r\nvlaswiek.ogperspecto.nl\r\n<\/pre>\n
* between the initial scan and checking of the command, these sites already changed their certificate (4 out of 100)
\n<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n
Timeline of Chrome & Firefox<\/caption>\n
Date<\/strong><\/td>\nRelease<\/strong><\/td>\n<\/tr>\n<\/thead>\n
2018-06-25<\/em><\/td>\nFirst Nightly Firefox 63<\/em><\/td>\n<\/tr>\n
2018-08-14<\/em><\/td>\nFirst Canary Chrome 70 (dev-channel)<\/em><\/td>\n<\/tr>\n
2018-09-05<\/td>\nFirst Beta Firefox 63<\/td>\n<\/tr>\n
2018-09-13<\/td>\nFirst Beta Chrome 70<\/td>\n<\/tr>\n
2018-10-16<\/td>\nChrome 70 release<\/td>\n<\/tr>\n
2018-10-23<\/td>\nFirefox 63 release<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
 <\/p>","protected":false},"excerpt":{"rendered":"
By Benjamin W. Broersma, developer in the team of Open State Foundation since July 2018. With Pulse we monitor the state of HTTPS in the public … Read more<\/a><\/p>\n","protected":false},"author":48,"featured_media":8227,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[526],"tags":[],"class_list":["post-8020","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-pulse-2"],"acf":[],"_links":{"self":[{"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/posts\/8020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/users\/48"}],"replies":[{"embeddable":true,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/comments?post=8020"}],"version-history":[{"count":16,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/posts\/8020\/revisions"}],"predecessor-version":[{"id":8038,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/posts\/8020\/revisions\/8038"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/media\/8227"}],"wp:attachment":[{"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/media?parent=8020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/categories?post=8020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/openstate.eu\/en\/wp-json\/wp\/v2\/tags?post=8020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}