Connect with us

Hi, what are you looking for?



Google to Distrust WoSign, StartCom Certificates

Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

Google joins Apple and Mozilla, which also decided to revoke trust in WoSign and StartCom certificates after the Chinese CA and its subsidiary were involved in more than a dozen incidents since January 2015. Web browser vendors are mainly unhappy that the companies backdated some certificates to bypass restrictions, and they did not inform them about StartCom’s acquisition by WoSign.

“For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” said Google’s Andrew Whalley.

Certificates issued by WoSign and StartCom after October 21 will not be trusted beginning with Chrome 56. In an effort to avoid major disruptions, certificates issued before this date will continue to be trusted for a while longer if they comply with Chrome’s Certificate Transparency policy or if they are used by specific domains known to be customers of these CAs. Google says it’s unable to trust all certificates while ensuring that its users are protected.

“In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites,” Whalley explained.

Google warned that all WoSign and StartCom certificates will be immediately distrusted if the CAs try to bypass these controls.

StartCom and Qihoo 360, WoSign’s largest shareholder, have attempted to convince browser vendors not to distrust their certificates. They promised to make StartCom a completely separate company and even made leadership changes. However, both Mozilla and Google felt that the management of these CAs had been deceptive and misleading.

Related: Google to Remove Symantec Root Certificate From Products

Advertisement. Scroll to continue reading.

Related: Google Adds Certificate Transparency Log for Untrusted CAs

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...