Recently Google warned website owners that it will completely ban digital certificates issued by the Chinese certificate authority WoSign and its subsidiary StartCom. The Tech giant will no longer trust the WoSign certificates starting with Chrome 61.
In September 2016, Mozilla announced that it was planning to ban the Chinese certificate authority WoSign due to a number of violations, including backdating SHA -1 certificates in order to subvert deprecating certs from being trusted.
According to a report published by Mozilla, WoSign failed to report its acquisition of SmartCom and it was also accused of mis-issuing digital certificates for GitHub, allowing arbitrary domain names to be securely signed without ever performing any type of validation.
In January 2017 Google released Chrome 56 which no longer accepted certificates issued by WoSign or StartCom after October 21, 2016.
Initially, Google has been restricting trust to popular hostnames based on the Alexa Top 1 Million list in order to avoid problems to website owners.
Starting with Chrome 61 it will no longer trust the certificates issued by the Chinese CA, even for the above Alexa Top 1 Million websites.
“As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.” states Devon O’Brien of the Chrome Security Team.
“We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.”
Chrome 61 will reach the Beta channel in late July 20, and the Stable channel in mid-September.
“Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.” continues Devon O’Brien.
Google has not specified if its decision to ban WoSign and StartCom certificates is temporary or permanent. Apple and Mozilla adopted a different approach, both decided to ban the companies for at least one year.
The Chinese CA certificate authority took serious action in hopes of obtaining forgiveness from web browser vendors, it changed leadership and announced the complete separation of WoSign from StartCom.
(Security Affairs – Certification Authorities, certification authority)