Hacks and Glitches Portal

StartCom and WoSign – Major SSL Certificate Authorities – Banned by Google Chrome

by kalixto
02/09
in Android, Mobile, Network, News, Security

Major SSL Certificates Banned by Google Chrome!

In accordance with the terms of a punishment announced by Google the previous year, the web giant has issued a statement saying that it can no longer trust the TLS/SSL certificate authority WoSign or its subsidiary, StartCom. The announcement comes right before the launch of Chrome 61. The reason for the ban? According to Google, the two certificate authorities failed to live up to the high standards expected of CAs.

While shocking, the move can hardly be called a surprise: on 17th August last year, the security team at GitHub notified Google that WoSign, the Chinese certificate authority, had handed out a base certificate for one of GitHub's domains to an undisclosed GitHub user without asking for any kind of authorization.

Why Google Came up with the Decision?

Once news of this problem got out, the Google team launched a full-fledged public investigation in collaboration with Mozilla and the larger security community. The investigation soon turned up evidence of various other cases in which WoSign had improperly issued certificates.

Given the outcome of the investigation, Google was left with no choice but to limit its trust in certificates backed by StartCom and WoSign to those issued before the 21st of October last year. Since Chrome 56, the tech giant has also been removing whitelisted hostnames over the course of successive Chrome releases.

Now, according to a recent Google post by Devon O’Brien, a security engineer for Chrome, the company will finally remove the whitelist in the latest release of Chrome. This means that Google has decided to fully distrust existing StartCom and WoSign certificates. O’Brien says that starting with Chrome 61 the whitelist will be gone, leading to full distrust of the existing root certificates of WoSign and its subsidiary StartCom, along with any certificates issued by them.
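For site operators taking stock of affected certificates, the phased policy described above can be written as a small audit over certificate metadata. This is an added example, not code from Google or from this article: it assumes the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, matches issuers by organisation-name substring, takes the cutoff year to be 2016, and runs on a constructed inventory.

```python
import ssl
from datetime import datetime, timezone

# Assumption: the article says "21st of October last year"; 2016 is inferred
# from its 2017 release dates.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
FULL_DISTRUST_CHROME = 61  # whitelist removed from this release (per the article)
# Assumption: affected issuers are recognised by organisation-name substring.
AFFECTED_ORGS = ("wosign", "startcom")

def issuer_org(cert):
    """Extract organizationName from the nested tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def chrome_status(cert, chrome_major):
    """Classify one certificate for a given Chrome major version."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in AFFECTED_ORGS):
        return "not-affected"
    if chrome_major >= FULL_DISTRUST_CHROME:
        return "distrusted"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if issued >= CUTOFF:
        return "distrusted"
    # Issued before the cutoff: trust depends on that release's hostname
    # whitelist, which is not reproduced here.
    return "whitelist-dependent"

def audit(inventory, chrome_major):
    """Map each host in {host: cert_dict} to its status."""
    return {host: chrome_status(cert, chrome_major)
            for host, cert in inventory.items()}

# Constructed inventory; hostnames and dates are illustrative only.
INVENTORY = {
    "shop.example": {"issuer": ((("organizationName", "WoSign CA Limited"),),),
                     "notBefore": "Jun 10 00:00:00 2016 GMT"},
    "mail.example": {"issuer": ((("organizationName", "StartCom Ltd."),),),
                     "notBefore": "Nov 15 00:00:00 2016 GMT"},
    "blog.example": {"issuer": ((("organizationName", "Example Trust Services"),),),
                     "notBefore": "Jan 05 00:00:00 2017 GMT"},
}

if __name__ == "__main__":
    for version in (60, 61):
        print(version, audit(INVENTORY, version))
```

`getpeercert()` reports the leaf's immediate issuer, so a full audit should also walk the chain up to the root.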

According to the Chromium Development Calendar, these changes will be visible in the Chrome Dev channel within the next few weeks. The Chrome Beta channel will pick them up around the later part of July 2017, and the Stable version will reflect them around the middle of September 2017.

In the past year, Mozilla and Apple also revoked their trust in certificates issued by WoSign and StartCom in their web browsers, owing to a number of management and technical failures.

They are Backdating SSL Certificates

According to Kathleen Wilson, who is the head of the trusted root program for Mozilla, they found evidence that WoSign and StartCom were backdating SSL certificates to get around the deadline that barred CAs from issuing any SHA-1 SSL certificates after the 1st of January, 2016. This is a very serious claim and could have major repercussions for the SSL certificate authorities in the future.

That’s not all, however. Mozilla also discovered that WoSign had taken full ownership of a different CA, StartCom, but had failed to disclose this, even though Mozilla's policy clearly requires it.

Issues with the WoSign certificate service date back all the way to July 2015, and this information was disclosed publicly the previous year by Gervase Markham. According to the British Mozilla programmer, an unidentified researcher stumbled upon this security oversight by accident when he was attempting to obtain a certificate for “med.ucf.edu”. He had also sent in an application for “www.ucf.edu”, and WoSign approved it, providing a certificate for the primary domain of the university.

To test this out, the security researcher used the same trick against GitHub-based domains. He proved his control of a subdomain and, shockingly, WoSign gave him a certificate for the main domains of GitHub too.

Thus, beginning in September 2017, anybody visiting websites that use StartCom and WoSign HTTPS certificates is going to get trust warnings in their web browser.
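The validation failure described above comes down to a missing scope check: proof of control over one name must never authorize a certificate for its parent or a sibling. The following is an added example of that check on the issuing side, not WoSign's code or anything from the original article. It assumes a policy where control of a name covers that name and names beneath it, and the request list is constructed from the article's case.

```python
def _labels(name):
    """Lower-case DNS labels of a name, ignoring a trailing root dot."""
    return name.strip().rstrip(".").lower().split(".")

def covered_by(requested, validated):
    """True only if `requested` is the validated name or lies beneath it."""
    req, val = _labels(requested), _labels(validated)
    if req[0] == "*":
        # Wildcard: the applicant must control the wildcard's base name.
        req = req[1:]
    if not req or "" in req or "" in val:
        return False  # malformed name: refuse rather than guess
    # Compare whole labels from the right. A plain string-suffix test would
    # wrongly let "notmed.ucf.edu" match "med.ucf.edu".
    return len(req) >= len(val) and req[-len(val):] == val

def authorize(requested_names, validated_names):
    """Split requested names into (approved, rejected) lists."""
    approved, rejected = [], []
    for name in requested_names:
        ok = any(covered_by(name, v) for v in validated_names)
        (approved if ok else rejected).append(name)
    return approved, rejected

# Constructed request modelled on the article: control was proven for the
# subdomain only, yet names outside it were requested as well.
VALIDATED = ["med.ucf.edu"]
REQUESTED = ["med.ucf.edu", "www.ucf.edu", "ucf.edu",
             "*.med.ucf.edu", "notmed.ucf.edu"]

if __name__ == "__main__":
    approved, rejected = authorize(REQUESTED, VALIDATED)
    print("approved:", approved)
    print("rejected:", rejected)
```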

Comments 3

  1. VolcanoEruption says:
    2 years ago

    This method has completely changed the game for me, thank you.

    • SwordsmanExtraordinaire says:
      1 year ago

      I’ve tried many other methods before, but this one is by far the most effective.

    • InterstellarHunter says:
      1 year ago

      I’ve never seen a method presented in such a clear and engaging way. This is fantastic!


© 2021 Hackolo.com - Hacks and Glitches Portal HACKOLO.
