Websites that are still using digital certificates issued by Chinese Certificate Authority WoSign may want to accelerate their plans to replace those certs. Google last week said it will fully distrust remaining certificates issued by the CA starting with Chrome 61.
Devon O’Brien of the Chrome security team said last week that the stable version of the browser reflecting this change should be ready in September, but it should show up in the Chrome Dev channel in the coming weeks and in the Chrome beta channel by the end of the month.
“We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases,” O’Brien wrote. “Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.”
WoSign and its StartCom subsidiary were accused of a number of violations, starting last August when it was learned that the CA was back-dating deprecated SHA-1 certificates in order to side-step restrictions barring certs created with the insecure cryptographic hash function.
Mozilla and other leading browser makers began an investigation of the Chinese CA after WoSign was accused of mis-issuing free certificates to one of its customers by handing them a valid GitHub SSL certificate, enabling that customer, had they had malicious intentions, to carry out man-in-the-middle attacks. WoSign’s validation process, it was alleged, was buggy and failed to notice that it was handing out certificates to customers for domains they did not own. The company was also accused of not reporting its acquisition of StartCom as required, and of a number of other infractions that violate the industry Baseline Requirements established by the CA/Browser Forum.
“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Mozilla said in a report published last September summarizing the investigation.
At the time, Mozilla said it would no longer trust newly issued certs from WoSign and would only trust older certs under certain circumstances. Google took a similar stance beginning in October with Chrome 56, and said it would whitelist certain pre-existing WoSign certificates in order to prevent widespread disruptions.
“In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites,” Google said in October. “Sites that find themselves on this whitelist will be able to request early removal once they’ve transitioned to new certificates.”
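The staged policy O’Brien and Google describe above (Chrome 56 trusting only WoSign/StartCom certificates issued before October 21, 2016 and only for whitelisted hostnames, Chrome 61 distrusting them outright) can be turned into a quick "am I affected" check for a site operator. The following is an added example written for this article, not Google’s or Chrome’s own code: Chrome identifies the affected roots by their exact certificates, whereas this script matches the issuer organizationName (an assumption) and takes its certificate records in the dict shape that Python’s standard-library `ssl.SSLSocket.getpeercert()` returns, so a real leaf certificate from a TLS connection can be fed to it. All sample certificates, hostnames and the whitelist below are constructed.

```python
"""Added example: decide whether a site certificate falls under Chrome's
staged WoSign/StartCom distrust. Standard library only; certificate records
use the dict shape returned by ssl.SSLSocket.getpeercert()."""
from datetime import datetime, timezone
import ssl

# Assumption: affected issuers are recognised by an organizationName substring.
# Chrome pins the specific root certificates, which this article does not
# list, so this is a heuristic for an operator's "am I affected" scan.
DISTRUSTED_ISSUER_ORGS = ("WoSign", "StartCom")

# Chrome 56 kept trusting affected certificates only if issued before this date.
ISSUANCE_CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def issuer_org(peercert):
    """Return the issuer organizationName from a getpeercert()-style dict.

    The 'issuer' field is a tuple of RDNs, each a tuple of (type, value) pairs.
    """
    for rdn in peercert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return ""


def is_affected_issuer(org_name):
    """True when the issuer organisation looks like WoSign or StartCom."""
    return any(name.lower() in org_name.lower() for name in DISTRUSTED_ISSUER_ORGS)


def not_before(peercert):
    """Parse the certificate's notBefore ('Aug 10 00:00:00 2016 GMT') to UTC."""
    seconds = ssl.cert_time_to_seconds(peercert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def chrome_trust(peercert, hostname, chrome_version, whitelist=frozenset()):
    """Apply the staged policy; returns (trusted, reason).

    Chrome < 56:  no WoSign-specific restriction.
    Chrome 56-60: trusted only if issued before the cutoff AND the hostname
                  is on the (shrinking) transitional whitelist.
    Chrome 61+:   fully distrusted.
    """
    org = issuer_org(peercert)
    if not is_affected_issuer(org):
        return True, "issuer not affected by the WoSign/StartCom distrust"
    if chrome_version < 56:
        return True, "Chrome before 56 applied no WoSign-specific restriction"
    if chrome_version >= 61:
        return False, "Chrome 61+ fully distrusts WoSign/StartCom roots"
    if not_before(peercert) >= ISSUANCE_CUTOFF:
        return False, "issued on or after 2016-10-21"
    if hostname not in whitelist:
        return False, "host not on the transitional whitelist"
    return True, "pre-cutoff certificate on the transitional whitelist (temporary)"


def needs_replacement(peercert, hostname, whitelist=frozenset()):
    """Operator view: the Chrome milestones at which this certificate breaks."""
    return [v for v in (56, 61) if not chrome_trust(peercert, hostname, v, whitelist)[0]]


def _cert(issuer_org_name, not_before_str):
    """Build a constructed getpeercert()-style record (sample data, not real)."""
    return {
        "subject": ((("commonName", "shop.example"),),),
        "issuer": ((("countryName", "CN"),),
                   (("organizationName", issuer_org_name),),
                   (("commonName", "Example Issuing CA (constructed)"),)),
        "notBefore": not_before_str,
        "notAfter": "Aug 10 23:59:59 2018 GMT",
    }


# Constructed samples covering each branch of the policy.
SAMPLES = {
    "wosign_old": _cert("WoSign CA Limited", "Aug 10 00:00:00 2016 GMT"),
    "wosign_new": _cert("WoSign CA Limited", "Nov  1 00:00:00 2016 GMT"),
    "startcom_old": _cert("StartCom Ltd.", "Mar  3 00:00:00 2016 GMT"),
    "other": _cert("Example Trust Services", "Jan 15 00:00:00 2017 GMT"),
}

if __name__ == "__main__":
    whitelist = {"shop.example"}  # constructed stand-in for Chrome's list
    for name, cert in SAMPLES.items():
        for version in (55, 56, 61):
            trusted, reason = chrome_trust(cert, "shop.example", version, whitelist)
            print(f"{name:13} Chrome {version}: {'ok  ' if trusted else 'FAIL'} {reason}")
        print(f"{name:13} breaks at Chrome {needs_replacement(cert, 'shop.example', whitelist)}")
```

To run it against a live site, connect with `ssl.create_default_context().wrap_socket(...)` and pass `getpeercert()` to `chrome_trust`; note that `getpeercert()` only returns the leaf, so an affected intermediate would be caught by the issuer name on that leaf, but a deeper chain would need a full X.509 parser.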
Apple, meanwhile, was the first to outright block WoSign certificates, citing “multiple control failures” in its announcement last October.
WoSign closed its free SSL certificate issuing service in late September.
With Chrome owning close to 50 percent of browser market share, the decision to fully distrust WoSign certs is likely to cause some interruptions for sites that have been slow to act.
“Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users,” O’Brien said.