Following a penalty announced last October, Google will stop trusting the SSL/TLS certificate authority WoSign and its subsidiary StartCom with the launch of Chrome 61, for failing to maintain the “high standards expected of CAs.”
The move came after Google was notified by GitHub’s security team on August 17, 2016, that the Chinese Certificate Authority WoSign had issued a certificate for one of GitHub’s base domains to an unnamed GitHub user without authorization.
After the issue was reported, Google conducted a public investigation in collaboration with Mozilla and the security community, which uncovered several other cases of certificate misissuance by WoSign.
As a result, the tech giant last year began limiting its trust of certificates backed by WoSign and StartCom to those issued before October 21st, 2016, and has been removing whitelisted hostnames over the course of several Chrome releases since Chrome 56.
Now, in a Google Groups post published on Thursday, Chrome security engineer Devon O’Brien said the company would finally remove the whitelist from its upcoming release of Chrome, completely distrusting the existing WoSign and StartCom certificates.
“Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and [its subsidiary] StartCom root certificates and all certificates they have issued,” says O’Brien.
“Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid-September 2017.”
“Most seriously, we discovered they were backdating SSL certificates to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016,” Kathleen Wilson, the head of Mozilla’s trusted root program, said.
“Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy.”
The problems with WoSign’s certificate service dated back to July 2015 and were publicly disclosed last year by British Mozilla programmer Gervase Markham on Mozilla’s security policy mailing list.
According to Markham, an unnamed researcher stumbled on the flaw while requesting a certificate for ‘med.ucf.edu’: the researcher also applied for ‘www.ucf.edu’, and WoSign approved the request, issuing a certificate for the university’s primary domain.
For testing purposes, the security researcher then used the same trick against GitHub’s base domains (github.com and github.io), proving control over nothing more than a subdomain.
And guess what? WoSign handed over the certificate for GitHub main domains, as well.
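The flaw described above is a domain-validation scoping error: proof of control over a subdomain was treated as proof of control over the parent domain. The following is an added example, not code from WoSign, Google or Mozilla, that puts a model of the flawed approval logic next to a correctly scoped check. The `registrable_domain` shortcut (last two labels) and the sample names are constructed assumptions; a real CA would consult the Public Suffix List.

```python
"""Domain-validation scoping: control of a subdomain must never authorise
issuance for its parent or sibling domains.

Added illustration; the policies below are constructed models, not any
CA's actual code.
"""
from typing import Iterable


def _normalise(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot."""
    return name.strip().lower().rstrip(".")


def registrable_domain(name: str) -> str:
    """ASSUMPTION: treat the last two labels as the registrable domain.
    Real CAs use the Public Suffix List; this shortcut only keeps the
    example self-contained (it is wrong for names like example.co.uk)."""
    labels = _normalise(name).split(".")
    return ".".join(labels[-2:])


def flawed_may_issue(validated: Iterable[str], requested: str) -> bool:
    """Flawed policy (models the misissuance above): approve any name that
    shares a registrable domain with a validated name. Proving control of
    med.ucf.edu therefore unlocks www.ucf.edu, and a github.com subdomain
    unlocks github.com itself."""
    target = registrable_domain(requested)
    return any(registrable_domain(v) == target for v in validated)


def strict_may_issue(validated: Iterable[str], requested: str) -> bool:
    """Correct policy: the requested name must equal a validated name or
    lie strictly beneath one. Authority flows downward only."""
    req = _normalise(requested)
    for v in validated:
        v = _normalise(v)
        if req == v or req.endswith("." + v):
            return True
    return False


def compare_policies(validated: Iterable[str], requested: str) -> dict:
    """Return both verdicts for one request so a reviewer can see where
    the flawed and strict policies diverge."""
    validated = list(validated)
    return {
        "validated": validated,
        "requested": _normalise(requested),
        "flawed": flawed_may_issue(validated, requested),
        "strict": strict_may_issue(validated, requested),
    }


if __name__ == "__main__":
    # Constructed cases mirroring the article: subdomain proof, parent request.
    for validated, requested in [
        ({"med.ucf.edu"}, "www.ucf.edu"),
        ({"med.ucf.edu"}, "med.ucf.edu"),
        ({"ucf.edu"}, "www.ucf.edu"),
        ({"demo.github.io"}, "github.io"),
    ]:
        print(compare_policies(validated, requested))
```

The divergence is the whole lesson: both policies accept `www.ucf.edu` when `ucf.edu` itself was validated, but only the flawed one accepts it on the strength of `med.ucf.edu`. The strict check also rejects look-alike suffix matches such as `notucf.edu` against a validated `ucf.edu`, because it requires the separating dot.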
Starting from September 2017, visitors to sites using WoSign or StartCom HTTPS certificates would eventually see trust warnings in their web browsers.
So, websites that are still relying on certificates issued by WoSign or StartCom are advised to consider replacing their certificates “as a matter of urgency to minimize disruption for Chrome users,” O’Brien said.
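A site operator acting on that advice first needs to know whether a certificate chains to WoSign or StartCom. The following is an added example, not code from Google or from the article, that inspects the issuer of the certificate returned by Python's `ssl.SSLSocket.getpeercert()` and flags it against the article's distrust rules (issuer name matching WoSign or StartCom; issuance date relative to October 21, 2016). The `SAMPLE_*` certificate dictionaries are constructed, and `fetch_peer_cert` is a helper of this example.

```python
"""Flag a peer certificate that chains to WoSign or StartCom.

Added illustration. Issuer keywords and the 2016-10-21 cutoff come from the
article; the SAMPLE_* dictionaries are constructed in the shape that
ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from datetime import datetime, timezone

# CA names named in the article as distrusted from Chrome 61 onward.
AFFECTED_CA_KEYWORDS = ("wosign", "startcom")
# Before Chrome 61, trust was limited to certificates issued before this date.
DISTRUST_CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def _rdn_to_dict(rdn_sequence) -> dict:
    """Flatten getpeercert()'s nested RDN tuples into {attr: [values]}."""
    out: dict = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out


def assess_peer_cert(cert: dict) -> dict:
    """Return a verdict dict for one getpeercert()-style certificate."""
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    issuer_names = [v for attr in ("organizationName", "commonName")
                    for v in issuer.get(attr, [])]
    affected = any(kw in name.lower()
                   for name in issuer_names for kw in AFFECTED_CA_KEYWORDS)

    issued_after_cutoff = None
    if cert.get("notBefore"):
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
        seconds = ssl.cert_time_to_seconds(cert["notBefore"])
        not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
        issued_after_cutoff = not_before >= DISTRUST_CUTOFF

    return {
        "issuer_names": issuer_names,
        "affected_ca": affected,
        "issued_after_cutoff": issued_after_cutoff,
        # From Chrome 61 every certificate from these roots is distrusted,
        # so the date only explains behaviour in Chrome 56-60.
        "needs_replacement": affected,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of a live host (not used by the tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples; the issuer strings are placeholders, not real CA names.
SAMPLE_WOSIGN_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "CN"),),
               (("organizationName", "WoSign Example CA (constructed)"),),
               (("commonName", "WoSign Example Issuing CA (constructed)"),)),
    "notBefore": "Nov 15 00:00:00 2016 GMT",
    "notAfter": "Nov 15 00:00:00 2018 GMT",
}
SAMPLE_OTHER_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Some Other CA (constructed)"),),
               (("commonName", "Some Other Issuing CA (constructed)"),)),
    "notBefore": "Mar  1 00:00:00 2016 GMT",
    "notAfter": "Mar  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for label, cert in [("wosign", SAMPLE_WOSIGN_CERT), ("other", SAMPLE_OTHER_CERT)]:
        print(label, assess_peer_cert(cert))
```

Two caveats for real use. `getpeercert()` only returns the leaf, so the check catches an issuer whose name carries the CA brand; a chain that reaches a WoSign or StartCom root through a differently named intermediate needs the full chain inspected (for example with `openssl s_client -showcerts`). And `create_default_context()` verifies against the local trust store, so on a system that has already removed these roots the handshake fails with a verification error, which is itself the answer.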