Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months

Substandard certs, already in partial exile, soon to be shunned completely

Judiciary.gov.uk's expired certificate snafu, as seen via Firefox

Update Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October.

Chrome security engineer Devon O'Brien, in a Google Groups post on Thursday, said Google last year began limiting its trust of certificates backed by the companies to those issued before October 21st, 2016, and has been winnowing whitelisted hostnames over the course of several Chrome releases.

Finally, the end is near.

"Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued," O'Brien said. "Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017."

As Google tells it, GitHub last August reported that WoSign issued a certificate for a GitHub domain without authorization. The ensuing investigation found that WoSign had been backdating certs to allow customers to continue using insecure SHA-1 crypto. It also concluded that WoSign had concealed its acquisition of StartCom and had brought its dubious practices to the Israeli firm.

Consequently, Apple, Mozilla, and Google announced plans to gradually stop trusting WoSign and StartCom certificates, in order to minimize disruptions to those with websites utilizing the condemned certs.

Mozilla's account of its inquiry indicates that problems with WoSign date back at least to early 2015.

WoSign did not immediately respond to a request for comment. The company claims to be one of the largest digital certificate providers in China. A tag line emblazoned on its website reads, "Making the internet more secure and trusted."

A StartCom customer support representative reached by phone and asked about Google's pending ban said, "We are working on it. We are on the last step and we need to pass some audits."

A further attempt to reach an authorized StartCom spokesperson brought no response.

Come September, if not already, visitors to websites safeguarded by WoSign or StartCom HTTPS certificates should see trust warnings in their browsers, advice that tends to limit traffic and ad revenue.

O'Brien advised sites still using certificates issued by WoSign or StartCom to "consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users." ®

Updated to add

After this story was filed, Jane Jiang, a spokesperson for StartCom, replied to a request from The Reg: "This is regarding our old roots which we were using in startssl.com. Now we created new roots to issue certificate on startcomca.com, our new roots are on the way to seek relisting in the trust stores of browsers."

Jiang added, "Now we have got our audit reports for our new system and new roots, you may find them here. For issuing trusted cert, we may have more information at the end of this month."


Biting the hand that feeds IT © 1998–2017