Google to Distrust WoSign, StartCom Certificates

Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

Google joins Apple and Mozilla, which also decided to revoke trust in WoSign and StartCom certificates after the Chinese CA and its subsidiary were involved in more than a dozen incidents since January 2015. Web browser vendors are mainly unhappy that the companies backdated some certificates to bypass restrictions and that they did not inform the vendors about StartCom’s acquisition by WoSign.

“For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” said Google’s Andrew Whalley.

Certificates issued by WoSign and StartCom after October 21 will not be trusted beginning with Chrome 56. In an effort to avoid major disruptions, certificates issued before this date will continue to be trusted for a while longer if they comply with Chrome’s Certificate Transparency policy or if they are used by specific domains known to be customers of these CAs. Google says it’s unable to trust all certificates while ensuring that its users are protected.

“In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites,” Whalley explained.

Google warned that all WoSign and StartCom certificates will be immediately distrusted if the CAs try to bypass these controls.

StartCom and Qihoo 360, WoSign's largest shareholder, have attempted to convince browser vendors not to distrust their certificates. They promised to make StartCom a completely separate company and even made leadership changes. However, both Mozilla and Google felt that the management of these CAs had been deceptive and misleading.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.