Google guillotine falls on certificate authorities WoSign, StartCom

When Chrome 61 is released, the Chinese CA and its subsidiary will be completely blacklisted.
Written by Charlie Osborne, Contributing Writer

Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61.

According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016.

The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months.

The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases.

Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.

"Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued," the engineer said. "Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users."

The move to begin blacklisting the CA authority occurred last year. In August 2016, WoSign was caught issuing fake HTTPS certificates for GitHub domains, which are a severe security risk as attackers could use the certificate to impersonate GitHub domains to compromise user communications.

Google and Mozilla then teamed up to investigate the CA and managed to uncover other instances of unauthorized certificates being issued.

Chrome version 56 was the first to disallow certificates issued by WoSign and StartCom, after "technical limitations and concerns" raised concerns that the CA was not complying with Chrome's Certificate Transparency policy.

Mozilla also announced plans to ban new certificates signed off by WoSign and StartCom through Firefox 51, released in January.

The tech giant said that WoSign backdated certificates to avoid an industry-wide push to eradicate the outdated SHA-1 encryption algorithm, and also accused the company of being deceptive in denying its ownership of StartCom, an Israeli certificate authority.

"The levels of deception demonstrated by representatives of the combined company have led to Mozilla's decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates," the company said.

Apple was quick to follow suit with plans to distrust some WoSign andStartCom certificates on an individual basis.

See also: How to master Google Chrome

As the enterprise had adopted Google Chrome and usage rates continue to rise, in May, Google rolled out updates to Chrome which gives IT administrators a single installation package to download, containing Chrome MSI, the Chrome Legacy Browser Support (LBS) extension, and administrative policy templates

Top tips to stay safe on public Wi-Fi networks

Editorial standards