Google announced Monday that when it ships Chrome 56 in January 2017 the browser will distrust certificates issued by Chinese certificate authoritiesWoSign and StartCom that have made headlines over the past month.
The move was somewhat expected after Mozilla announced last week the company would begin distrusting certificates from the same CAs in Firefox 51, also slated to launch in January.
Both companies have publicly blamed WoSign for failing to adhere to standards expected of certificate authorities. Google blamed WoSign’s acquisition of StartCom, a move it tried to sweep under the rug in September
Mozilla in particular released a five-page report in late September explaining missteps made by WoSign and StartCom. the most glaring perhaps the fact the CA was found backdating SSL certificates to circumvent a deadline requiring CAs to stop issuing SHA-1 SSL certs by Jan. 1, 2016. Microsoft’s Edge and Internet Explorer browsers are scheduled to block SHA-1 certs, widely viewed as unstable, while Firefox and Chrome deprecated the algorithm at the beginning of this year. WoSign backdated certificates to December 2015 on 62 occasions for certs it issued in 2016 to get around that restriction, according to Mozilla’s report.
Like Mozilla, Andrew Whalley, a member of the company’s Chrome Security team, said Google was made aware of WoSign’s malfeasances in mid-August when the company issued a cert for Github’s domains without Github’s authorization.
> An update on WoSign and StartCom in Google Chrome: <https://t.co/uctoVvtaC4> > > — Andrew R. Whalley (@arw) October 31, 2016
WoSign’s acquisition of StartCom led to a shakeup in staff, policies, and issuance systems, which directly mislead the browser community, in the eyes of Google. Whalley claims that the way the company went about its acquisition of StartCom and the mis-issued certificates were tipping points for the company.
“For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” Whalley said.
Much like Mozilla did last week, Google said Monday it will distrust WoSign and StartCom certs issued after Oct. 21 in Chrome 56. Certs issued before Oct. 21 will be trusted assuming they comply with Chrome’s policies but Google says it reserves the right to fully distrust all of WoSign’s certs in future releases. Adding a sense of urgency to the situation, Whalley adds that in some instances, WoSign and StartCom customers may find their certificates don’t work at all in Chrome 56.
Users are being encouraged to switch to another CA that is trusted by Chrome; any sites still using the old certs will be put on a whitelist and can request to be removed once they’ve transitioned.
“Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust,” Whalley warns.
Kathleen Wilson, the owner of Mozilla’s CA Certificates Module and Policy, said last week that the company will remove the affected root certs from its root store at some point – likely after March 2017 – but if WoSign’s new root certs are accepted for inclusion, it could change the removal date to coincide with WoSign’s plans to move customers to the new certs.
It’s still unclear when or if Microsoft, one of the last remaining major root certificate stores, will revoke trust for WoSign and StartCom. The company did not immediately return a request for comment on Tuesday.
Both WoSign code signing certificates and WoSign EV code signing certificates are still trusted by Windows and four of WoSign’s root certificates are still listed as on Microsoft’s Trusted Root Certificate Program list. Microsoft’s Azure Key Vault, which allows users to save keys and other cloud app data, also supports WoSign for SSL certs.