Google is planning to Distrust Symantec Certificates on google Chrome, will there be any effect on Atlassian JIRA Cloud?
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Google communicated its plan to Distrust Symantec Certificates on google Chrome in a public posting (Refer : https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html ). We have had users wondering if this move affects Atlassian Cloud JIRA directly. Specifically , if there is a risk of JIRA Cloud experiencing certificate warnings and / or service disruption?
From an Atlassian perspective
- We do indeed have SSL setup, you can see mention here Compare Atlassian cloud vs server
It's secure - All Atlassian Cloud sites enforce SSL by default and are hosted in a secure hosting facility. See Trust @ Atlassian for more information.
- However we use the the HTTPS Java Default Trusted KeyStore Files and this list has no reference to Symantec
- This means that even by default Atlassian Cloud suite of products should not be affected by the Symantec change
For a general health check , we can advise the following on whether you need to address the update from Google on the changes planned on October 23,2018 when Chrome will fully remove trust in Symantec's old infrastructure and all of the certificates it has issued.
- Whether this means that you on your end to address this change is outlined below :
- This change seems to be only affecting Symantec's old infrastructure certificates
- For safe measures take a look at all certificates at your browser setup (again this is not related to Atlassian but more of a best practise check)
Open up Chrome Settings > Show advanced settings > HTTPS/SSL > Manage Certificates. Click the Authorities tab and scroll down to find your certificate under the Organization Name that you gave to the certificate.
- You need to ensure that all of those SSL certificates are valid per Google's latest requirement mentioned in the above security blog