As a punishment announced last October, Google will no longer trust the Chinese SSL certificate authority WoSign and its subsidiary StartCom with the release of Chrome 61, for failing to maintain “high expected CA standards”.
The move came after the GitHub security team notified Google on August 17, 2016, that the Chinese certificate authority WoSign had issued a base certificate for one of GitHub’s domains to an unnamed GitHub user without permission.
After the problem was reported, Google conducted a public investigation in collaboration with Mozilla and the security community, which uncovered many other cases of WoSign improperly issuing certificates.
As a result, last year the technology giant began limiting its trust of WoSign and StartCom certificates to those issued before October 21, 2016, and has been removing whitelisted names over several Chrome versions since Chrome 56.
Now, in a Google Groups post published on Thursday, Chrome security engineer Devon O’Brien said the company will finally remove the whitelist in an upcoming version of Chrome, fully distrusting all existing WoSign and StartCom certificates.
“From Chrome 61, the white list will be eliminated, resulting in total suspicion of WoSign’s current StartCom Warehouse Certificates and [its subsidiary] and all issued certificates,” says O’Brien.
“Based on the Chrome development program, this change should be visible in the Chrome Dev channel over the next few weeks, the Chrome Beta channel around the end of July 2017 and released in the Stage in mid-September 2017.”
Last year, Apple and Mozilla also stopped trusting certificates issued by WoSign and StartCom in their web browsers, due to a number of technical and management failures.
“More importantly, we found that they were upgrading Chinese SSL certificate to override security authorities to stop issuing Chinese SSL certificate (SHA-1) for January 1, 2016,” said Kathleen Wilson, director of Mozilla’s root program.
“In addition, Mozilla found that WoSign had acquired the full ownership of another subject called StartCom Certification and could not disclose this as required by Mozilla’s policy.”
The problems with WoSign’s certificate services date back to July 2015 and were publicly reported last year by British Mozilla programmer Gervase Markham on Mozilla’s security policy mailing list.
According to Markham, an unnamed security researcher accidentally found this error when trying to obtain a certificate for ‘med.ucf.edu’ but also requested ‘www.ucf.edu’, and WoSign approved it, handing over a certificate for the college’s primary domain.
For testing purposes, the security researcher also used this trick against GitHub’s base domains (github.com and github.io), by demonstrating control over a subdomain.
And guess what? WoSign issued a certificate for GitHub’s main domains, too.
From September 2017, visitors to HTTPS sites that use WoSign or StartCom certificates will finally see trust warnings in their web browsers.
Therefore, sites that still rely on certificates issued by WoSign or StartCom are encouraged to consider replacing their Chinese SSL certificates “urgently to minimize the disadvantages of Chrome users,” said O’Brien.