Update: Mozilla is moving forward with our implementation of the consensus plan for Symantec roots [1]. With the exception of whitelisted subordinate CAs using the keys listed on the wiki [2], Symantec certificates are now blocked by default on Nightly builds of Firefox. The preference "security.pki.distrust_ca_policy" can be used to override these changes. A custom error message is also being implemented [3]. These changes are part of Firefox 60, which is scheduled to be released in May [4].
There are still a lot of websites using Symantec certificates, but the number are declining rapidly. Lists of affected sites and regularly updated metrics are available via bug 1434300 [5]. - Wayne [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/FLHRT79e3XE/ 90qkf8jsAQAJ [2] https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1441223 [4] https://wiki.mozilla.org/RapidRelease/Calendar [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1434300 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy