Warning | Certificate Transparency error with Chrome 53

Alerts ID:    ALERT2160    Updated:    01/06/2017

Severity

Warning

Description

What is happening?

There is a bug in Chrome version 53 that affects some Symantec, GeoTrust, and Thawte SSL/TLS certificates, causing an error to be displayed when visiting affected websites. There are no issues with the certificates used on the affected sites, and replacing these certificates will not help. This is entirely a bug in Certificate Transparency handling that is only present in some versions of Chrome (53 and 54).

UPDATED INFORMATION: Upon further investigation, Google has patched a majority of their applications and platforms, but there is still an outstanding issue with Android apps that leverage WebView version 53. A full list is provided below in this document.

 

Why Might a Customer Care?

Customers will care because sites protected with a valid Symantec, GeoTrust, or Thawte SSL/TLS certificate may be marked as untrusted by affected apps using Chrome v53 of WebView (an embedded version of Chrome used by some Android applications).

 

What are we doing about this?

We have created a blog post

In addition, we are in communication with Google as they work to resolve this issue.  

 

Customer Actions to Take

  1. Upgrade Chrome applications and platforms to version 55 or later.
  2. Use other browsers (Firefox, Safari, IE/Edge) as they do not have this bug.

 

Important Facts

  • This is a Google bug impacting some sub-versions of their Chrome 53 and 54 releases.
  • The issue remains primarily with the WebView component, impacting Android apps.
  • There are no issues with the certificates or the affected sites.
  • Replacing these certificates will not resolve this Chrome issue.

 

FAQs

Q. How big of an issue is this?

A. Because Chrome browsers are set up to automatically update when a new Chrome version is released, the impact for these customers might be low. However, Android users or Android apps that utilize WebView need to manually download and apply the latest version to prevent the error from showing.

 

Q. Why is this issue happening with Chrome for Symantec certificates?

A. Google introduced a bug starting in Chrome 53, where 10 weeks after the build date, websites using Symantec-issued certificates would display a Certificate Transparency error to customers. There are multiple sub-versions of Chrome 53, so this issue manifests itself at different times for different end users depending on which exact version they have.

The issue persisted through Chrome 54 and has been resolved in the newest version, Chrome 55. Distribution of Chrome 55 is starting the week of December 5 (Chrome distributions ramp up over several days across their customer bases).

 

Q. How long does a Chrome update take to populate? How long will this issue exist?

A. With auto-update for desktop, Chrome builds typically reach saturation within about a week. For a majority of impacted platforms and OSes the issue is resolved and requires no customer action. For mobile devices, it depends on whether the end user has app auto-updating enabled. In some cases, customers may stay on an older build until they manually update.

 

Q. When did this get patched?

A. Google patched this in Chrome 55.

 

Q. What dates did this issue get resolved?

A. Chrome “stable” versions are the versions pushed out via their update mechanisms and are most commonly used. Dates for current releases can be found here, and are copied below.
 

OS/Platform: User Action Required?

  • Chrome Mac, Chrome Windows: No
  • Chrome Linux: No
  • Chrome for Android, Chrome for iOS: No
  • Chromium: No action required by end users. May require Chromium distributors to rebuild.
  • Chromium based browsers (Opera, Opera Mini, Brave, Comodo Dragon): No (n/a)
  • Chrome Custom Tabs (this is the modern embedded browser for Android): No.
  • WebView (this component is an embedded browser used in some Android apps; for example, an embedded browser might be used for an OAuth screen or an in-app web page display): YES. App users will need to update/download WebView/Chrome 55 from the App Store/PlayStore for the fix. Downloading WebView/Chrome 54 today will provide a temporary solution.
      Build ID 54.0.2840.68 Expires 12/27/2016
      Build ID 54.0.2840.85 Expires 1/7/2017
  • Android Open Source Platform (AOSP): Developers need to apply the patch and users need to install an update.
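
Site operators who want to estimate how many visitors fall into the WebView row above can triage the User-Agent strings in their access logs. The script below is an added example, not code from this alert or from Google. It assumes that Android WebView marks its User-Agent with "; wv)" and that Opera and Edge carry their own OPR/ or Edge/ token; the sample strings and any build numbers not listed in the table are constructed.

```python
import re
from collections import Counter
from datetime import date

AFFECTED_MAJORS = {53, 54}  # per this alert; fixed in Chrome 55
# Build expiry dates copied from the table on this page (MM/DD/YYYY).
KNOWN_EXPIRY = {
    "54.0.2840.68": date(2016, 12, 27),
    "54.0.2840.85": date(2017, 1, 7),
}
CHROME_RE = re.compile(r"\bChrome/((\d+)\.\d+\.\d+\.\d+)")
# Assumption: Android WebView (5.0+) marks its User-Agent with "; wv)".
WEBVIEW_RE = re.compile(r";\s*wv\)")
# Assumption: Opera and Edge also send a Chrome/ token; the alert lists
# Chromium-based browsers as needing no action, so they are skipped.
OTHER_BROWSER_RE = re.compile(r"\b(OPR|Edge)/")

def classify(user_agent, today):
    """Return a triage label for one User-Agent string."""
    m = CHROME_RE.search(user_agent)
    if not m or OTHER_BROWSER_RE.search(user_agent):
        return "not-affected"
    if int(m.group(2)) not in AFFECTED_MAJORS:
        return "not-affected"
    if not WEBVIEW_RE.search(user_agent):
        return "chrome-auto-update"      # no user action per the alert
    expiry = KNOWN_EXPIRY.get(m.group(1))
    if expiry is None:
        return "webview-expiry-unknown"  # affected major, date not on page
    # Assumption: the error shows from the expiry date onward.
    return "webview-error-now" if today >= expiry else "webview-error-pending"

def summarize(user_agents, today):
    """Count triage labels over an iterable of User-Agent strings."""
    return Counter(classify(ua, today) for ua in user_agents)

# Constructed sample User-Agent strings (not real log data).
SAMPLE = [
    "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.68 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/54.0.2840.85 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 5.1; Test Build/X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.1000.1 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.1000.1 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.1000.1 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.1000.1 Safari/537.36 OPR/40.0.1000.1",
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE, date(2017, 1, 6)).most_common():
        print(f"{n:3d}  {label}")
```

The "webview-*" labels are the visitors who need to update WebView themselves; "chrome-auto-update" covers Chrome 53/54 installs that the alert expects to update without user action.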

 
