
You mean this roadmap? https://security.googleblog.com/2017/09/chromes-plan-to-dist...

That plan clearly states that all Symantec-issued certificates with a not-before date before June 1, 2016 would be distrusted in April. Is that not what happened?




Yes, this roadmap. It was not followed. All certificates were blacklisted in April, regardless of their date.


https://www.republicservices.com/ is a site with a non-EV Symantec-branded certificate from August 2017 and it still works in Chrome 69 (and is blocked in Chrome 70 with a NET::ERR_CERT_SYMANTEC_LEGACY error).

www.McDonalds.com is another site with a non-EV certificate that will be blocked by Chrome 70, albeit with the GeoTrust brand instead of Symantec directly. Surely McDonald's has a large enough IT division to have noticed and updated by now if Chrome had been blocking their site since April.


Is it possible that you’re using a canary version of Chrome? Check chrome://version/; for me I see version 69, and I can go to https://www.paypal.com/ and see that the Symantec EV cert, which was issued in 2017, is still valid. In particular, if you see version 70, I would expect you to get errors visiting PayPal, just like the roadmap says.

Personally I think it’s bad practice to have a cert last more than a year in the first place, due to a number of both operational concerns and security concerns, but that is neither here nor there.
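The roadmap rule being argued over in this thread (legacy Symantec-rooted certificates issued before June 1, 2016 distrusted in the April 2018 release, Chrome 66; everything else chaining to the old Symantec roots in Chrome 70) plus the one-year-lifetime point above, turned into an inventory audit. This is an added example, not code from any commenter; the certificate records are constructed in the shape `ssl`'s `getpeercert()` returns, and the brand list is my assumption about which issuer names chained to the legacy Symantec roots.

```python
"""Audit a certificate inventory against Chrome's Symantec distrust schedule.

Added example for the thread above; not from any commenter. Sample records are
constructed in the shape of ssl.SSLSocket.getpeercert() output, not real data."""
import ssl
from datetime import datetime, timezone

# Issuer brands that chained to the legacy Symantec roots (assumption for this example).
LEGACY_SYMANTEC_BRANDS = ("Symantec", "GeoTrust", "Thawte", "VeriSign", "RapidSSL")
# Roadmap cut-off: legacy certs issued before this date lost trust in Chrome 66
# (April 2018); every remaining legacy cert lost trust in Chrome 70.
M66_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
ONE_YEAR_SECONDS = 366 * 24 * 3600  # generous so a leap year does not trip the check

def _issuer_org(cert):
    # getpeercert() encodes the issuer as a tuple of RDNs, each a tuple of (type, value).
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def _epoch(stamp):
    # getpeercert() timestamps look like 'Aug 10 00:00:00 2017 GMT'.
    return ssl.cert_time_to_seconds(stamp)

def first_distrusting_chrome(cert):
    """Return the first Chrome milestone that distrusts this cert, or None if unaffected."""
    org = _issuer_org(cert).lower()
    if not any(brand.lower() in org for brand in LEGACY_SYMANTEC_BRANDS):
        return None
    issued = datetime.fromtimestamp(_epoch(cert["notBefore"]), tz=timezone.utc)
    return 66 if issued < M66_CUTOFF else 70

def lifetime_exceeds_one_year(cert):
    """Operational check raised in the thread: validity period longer than a year."""
    return _epoch(cert["notAfter"]) - _epoch(cert["notBefore"]) > ONE_YEAR_SECONDS

def audit(certs):
    """Map hostname -> (first distrusting Chrome version or None, long-lifetime flag)."""
    return {h: (first_distrusting_chrome(c), lifetime_exceeds_one_year(c)) for h, c in certs.items()}

def _rec(org, not_before, not_after):
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before, "notAfter": not_after}

SAMPLE_CERTS = {  # constructed inventory
    "legacy-2015.example": _rec("Symantec Corporation", "Jan 15 00:00:00 2015 GMT", "Jan 14 23:59:59 2018 GMT"),
    "symantec-2017.example": _rec("Symantec Corporation", "Aug 10 00:00:00 2017 GMT", "Aug 09 23:59:59 2018 GMT"),
    "geotrust-2017.example": _rec("GeoTrust Inc.", "Nov 01 00:00:00 2017 GMT", "Nov 01 00:00:00 2019 GMT"),
    "other-ca.example": _rec("Example CA Ltd", "Sep 01 00:00:00 2018 GMT", "Nov 30 00:00:00 2018 GMT"),
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE_CERTS).items():
        print(host, result)
```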


This is not my experience -- can you show an example of a site with a cert that has been distrusted early by Chrome? They specifically call out the types of certs and their sign dates in the timeline, and everything I have seen has matched this timeline. They have, however, had a very verbose warning in the console that the cert on a given site _will be_ distrusted, well ahead of time.


Are you sure? Paypal.com's Symantec-issued certificate still works in Chrome, at least on my PC: https://www.paypal.com/


Can confirm here: PayPal's Symantec Class 3 EV SSL CA - G3 signed certificate validates in Chrome 68 and 69 but returns NET::ERR_CERT_SYMANTEC_LEGACY on Chrome 70.

They really need to update their certificate soon.


I couldn't be more sure. My company had hundreds of certificates issued from Symantec, who was our main supplier. Basically, all our websites broke the day Chrome was updated. It was hell.

If it were actually allowed, I would upload some of the certificates and write a blog post to show you.

PayPal has EV; I don't have EV. Maybe these were not blacklisted. The rest was.


When I visit PayPal and open up the console I see the following warning:

The SSL certificate used to load resources from https://www.paypalobjects.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.


Uh, we used to use them, and switched in June. Our certificates behaved normally. I have no idea what was going on with yours, but clearly "all certificates" were not.

We also received I don't know how many notifications of the impending changes. They were plentiful enough that it got annoying. Assuming one actually has valid email addresses to which attention is paid for these communications.



