Google refuses to trust WoSign and StartCom certificates


Following similar decisions by Mozilla and Apple, Google has decided to stop trusting new digital certificates issued by two certification authorities, WoSign and StartCom. The reason is that these CAs have been violating industry rules and best practices. The ban takes effect in Chrome 56, which is currently in development. All certificates issued by WoSign and StartCom from 21 October onward will be treated as untrusted. Browsers use digital certificates to authenticate websites and to establish encrypted connections to web resources.

Certificates issued before 21 October will remain trusted only if they are published in Certificate Transparency logs, or if they were issued for a limited set of domains belonging to known WoSign and StartCom customers.

The ban is based on an investigation by Mozilla, which showed that WoSign's certificate issuance process had numerous problems. WoSign is a Chinese CA. The investigation also revealed that in 2015 WoSign secretly acquired the Israel-based CA StartCom; the deal was not disclosed, and browser vendors were not informed of it.

Among the problems found were 64 cases in which WoSign issued backdated certificates. These were certificates signed with the SHA-1 algorithm, which the industry stopped accepting for new issuance in January 2016. The CA continued to issue SHA-1 certificates and tried to hide the violations by signing them as if they had been issued before 1 January 2016.
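The two mechanisms described above, the Chrome 56 trust rule for pre-cutoff certificates and the SHA-1 backdating pattern, can be expressed as a small policy check. The following Python script is an added example written for this page; it is not Google's or Mozilla's code. It works on a constructed `CertInfo` record rather than parsing real X.509 data, the `WHITELISTED_DOMAINS` set is a made-up stand-in for Chrome's actual whitelist of customer domains, and the one-day `BACKDATE_TOLERANCE` used by the backdating heuristic is an assumption. The heuristic relies on the fact that a CT log cannot produce an SCT before it sees the certificate, so an embedded SCT timestamp well ahead of `notBefore` shows the certificate was created later than it claims; certificates without embedded SCTs are not examined.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

UTC = timezone.utc
# Dates taken from the article: new WoSign/StartCom certificates are distrusted
# from 21 October 2016, and SHA-1 issuance was retired by 1 January 2016.
DISTRUST_CUTOFF = datetime(2016, 10, 21, tzinfo=UTC)
SHA1_SUNSET = datetime(2016, 1, 1, tzinfo=UTC)
AFFECTED_CA_MARKERS = ("wosign", "startcom")
# Constructed stand-in for the browser's whitelist of known-customer domains;
# the real list is not reproduced here.
WHITELISTED_DOMAINS = frozenset({"example-customer.test"})
# How far a CA may legitimately set notBefore behind real issuance (clock skew).
# One day is an assumption made for this heuristic.
BACKDATE_TOLERANCE = timedelta(days=1)


@dataclass(frozen=True)
class CertInfo:
    issuer: str                                # issuer name as a plain string
    not_before: datetime                       # claimed start of validity
    sans: Tuple[str, ...]                      # dNSName subjectAltNames
    sig_alg: str                               # e.g. "sha1WithRSAEncryption"
    sct_timestamps: Tuple[datetime, ...] = ()  # embedded SCT timestamps (RFC 6962)


def issued_by_affected_ca(cert: CertInfo) -> bool:
    name = cert.issuer.lower()
    return any(marker in name for marker in AFFECTED_CA_MARKERS)


def domain_whitelisted(hostname: str) -> bool:
    """True if hostname equals or is a subdomain of a whitelisted domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WHITELISTED_DOMAINS)


def chrome56_verdict(cert: CertInfo) -> Tuple[str, str]:
    """Apply the Chrome 56 policy described in the article to one certificate.

    Returns (verdict, reason), where verdict is 'trusted' or 'untrusted'.
    """
    if not issued_by_affected_ca(cert):
        return "trusted", "issuer is not subject to the distrust"
    if cert.not_before >= DISTRUST_CUTOFF:
        return "untrusted", "issued on or after 2016-10-21 by a distrusted CA"
    if cert.sct_timestamps:
        return "trusted", "pre-cutoff certificate with Certificate Transparency proof"
    if cert.sans and all(domain_whitelisted(h) for h in cert.sans):
        return "trusted", "pre-cutoff certificate for whitelisted customer domains"
    return "untrusted", "pre-cutoff certificate without CT proof or whitelisted domains"


def looks_backdated(cert: CertInfo) -> bool:
    """Heuristic for the SHA-1 backdating pattern the article describes.

    A log issues an SCT no earlier than the moment it sees the (pre)certificate,
    so an embedded SCT timestamp far ahead of notBefore means the certificate
    was really created later than it claims. Only SHA-1 certificates claiming
    a pre-sunset notBefore are examined; certificates without SCTs return False.
    """
    if not cert.sig_alg.lower().startswith("sha1"):
        return False
    if cert.not_before >= SHA1_SUNSET or not cert.sct_timestamps:
        return False
    earliest_sct = min(cert.sct_timestamps)
    return earliest_sct - cert.not_before > BACKDATE_TOLERANCE


def sample_certs() -> Dict[str, CertInfo]:
    """Constructed sample records covering each branch of the policy."""
    d = lambda *a: datetime(*a, tzinfo=UTC)
    return {
        "new_wosign": CertInfo("WoSign CA Limited", d(2016, 11, 1), ("shop.example",), "sha256WithRSAEncryption"),
        "old_startcom_ct": CertInfo("StartCom Class 1 DV Server CA", d(2016, 6, 1), ("blog.example",), "sha256WithRSAEncryption", (d(2016, 6, 1, 9),)),
        "old_wosign_whitelist": CertInfo("WoSign CA Limited", d(2016, 6, 1), ("www.example-customer.test",), "sha256WithRSAEncryption"),
        "old_wosign_plain": CertInfo("WoSign CA Limited", d(2016, 6, 1), ("other.example",), "sha256WithRSAEncryption"),
        "other_ca": CertInfo("Some Other Root CA", d(2016, 11, 1), ("site.example",), "sha256WithRSAEncryption"),
        # Claims December 2015 but the log first saw it in March 2016.
        "backdated_sha1": CertInfo("WoSign CA Limited", d(2015, 12, 20), ("legacy.example",), "sha1WithRSAEncryption", (d(2016, 3, 15),)),
        # Honest SHA-1 certificate from before the sunset, logged two hours later.
        "honest_sha1": CertInfo("WoSign CA Limited", d(2015, 12, 20), ("legacy2.example",), "sha1WithRSAEncryption", (d(2015, 12, 20, 2),)),
    }


if __name__ == "__main__":
    for name, cert in sample_certs().items():
        verdict, reason = chrome56_verdict(cert)
        print(f"{name:22} {verdict:9} backdated={looks_backdated(cert)!s:5} {reason}")
```

Note that the backdated sample is still reported as trusted by the Chrome 56 rule alone, because it predates the cutoff and carries an SCT; the CT requirement makes such certificates visible, and the backdating check is what turns that visibility into a finding.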

Qihoo 360, the company that indirectly owns both WoSign and StartCom, decided to take a step forward and separate the two CAs, which share the same infrastructure, certificate issuance systems and staff, within a year.

CEO Richard Wang was dismissed after it was confirmed that he had issued 42 WoSign SHA-1 certificates and 2 StartCom SHA-1 certificates. However, the company asked browser vendors to sanction WoSign and StartCom separately, given StartCom's long history as a trusted certificate provider.

As it turned out, however, the browser vendors acted far more firmly. They distrusted WoSign and StartCom certificates without distinguishing between the two. StartCom, operating since 1999, was the first certification authority to offer free SSL certificates. Unlike WoSign, the majority of StartCom's customers are located outside China.

“Due to the number of problems found and attempts at fraud, Chrome can no longer trust the previously issued certificates,” said Andrew Whalley from the Chrome team. “As a result, WoSign and StartCom customers may find that their certificates are no longer working in Chrome 56.”

In addition, all exceptions made for certificates issued before 21 October are only temporary. They were granted so that the certification authorities' customers could migrate to another CA. The exceptions will be removed in future versions of Chrome, and the two certification authorities will eventually lose trust completely.
