Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Google to Distrust WoSign, StartCom Certificates

Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

Google joins Apple and Mozilla, which also decided to revoke trust in WoSign and StartCom certificates after the Chinese CA and its subsidiary were involved in more than a dozen incidents since January 2015. Web browser vendors are mainly unhappy that the companies backdated some certificates to bypass restrictions, and they did not inform them about StartCom’s acquisition by WoSign.

“For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” said Google’s Andrew Whalley.

Certificates issued by WoSign and StartCom after October 21 will not be trusted beginning with Chrome 56. In an effort to avoid major disruptions, certificates issued before this date will continue to be trusted for a while longer if they comply with Chrome’s Certificate Transparency policy or if they are used by specific domains known to be customers of these CAs. Google says it’s unable to trust all certificates while ensuring that its users are protected.

“In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites,” Whalley explained.

Google warned that all WoSign and StartCom certificates will be immediately distrusted if the CAs try to bypass these controls.

StartCom and Qihoo 360, WoSign’s largest shareholder, have attempted to convince browser vendors not to distrust their certificates. They promised to make StartCom a completely separate company and even made leadership changes. However, both Mozilla and Google felt that the management of these CAs had been deceptive and misleading.

Related: Google to Remove Symantec Root Certificate From Products

Related: Google Adds Certificate Transparency Log for Untrusted CAs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...