Google joins Mozilla and Apple in distrusting WoSign certificates

With the release of Chrome version 56, expected to happen in January 2017, certificates issued by WoSign and its recently acquired StartCom certificate authority (CA) after midnight on October 21 will not be trusted by the browser.

Google said in a blog post that certificates issued prior to October 21 would be trusted if they complied with Chrome's Certificate Transparency policy, or the domain using the credentials was on a whitelist of domains known to be customers of the two authorities.

"Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," Andrew Whalley of Chrome Security said. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56."

Last week, Mozilla announced it would also ban new certificates signed off by WoSign and StartCom on the release of Firefox 51 in January.

Mozilla published an extensive list of issues with WoSign, which included incidents of backdating certificates to avoid browsers blocking certificates using the outdated SHA-1 algorithm, and denying its purchase of StartCom.

"WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies," Google said today.

WoSign was originally caught out issuing bogus certificates for GitHub in August.

"For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA," Whalley said.

Beyond Chrome 56, Google plans to reduce the exceptions for WoSign and StartCom until both CAs are fully distrusted.

"This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimising disruption to users of these sites," Whalley wrote. "Sites that find themselves on this whitelist will be able to request early removal once they've transitioned to new certificates."

"Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust."

In September, Apple said its products would no longer trust the WoSign CA Free SSL Certificate G2 intermediate authority.

"To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19," Apple said. "They will continue to be trusted until they expire, are revoked, or are untrusted at Apple's discretion."