Chinese SSL CAs WoSign and StartCom Banned by Google Chrome

Google Chrome no longer trusts SSL/TLS certificates issued by the Chinese certificate authority (CA) WoSign or by its subsidiary StartCom.

Full distrust takes effect in Chrome 61 and later, but the decision to remove WoSign and StartCom dates back further. In October 2016, Google announced that it would stop trusting certificates from WoSign after GitHub reported that WoSign had issued a certificate for a GitHub domain to a party that was not authorized to hold it.

Why are the certificates unsafe?

In August 2016, GitHub’s security team notified Google that WoSign had issued a certificate covering one of GitHub’s base domains to an unauthorized party. Google ran a public investigation together with Mozilla and the wider security community, and it turned up many other certificates that WoSign had issued without authorization. In response, Google restricted its trust in certificates issued by WoSign and by its subsidiary StartCom.

In a blog post from October 31, 2016, Google declared, “Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy.”

The blog further said, “Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.”

What happens now?

Google also announced its intention to fully distrust these CAs over time. “In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites.”

Now, in a Google Groups post titled “Final removal of trust in WoSign and StartCom Certificates,” dated July 7, 2017, Chrome Security Engineer Devon O’Brien says, “As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs…We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases…Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.”
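The two announcements quoted above describe a staged rule: an issuance cutoff of October 21, 2016 00:00:00 UTC in Chrome 56, shrinking exceptions (Certificate Transparency compliance, then a hostname whitelist) in the releases that followed, and full distrust in Chrome 61. The following Python is an added example, not Chrome’s or Google’s code, that applies that rule to a leaf certificate in the shape Python’s `ssl.SSLSocket.getpeercert()` returns. It assumes the affected CAs can be recognised by the issuer’s `organizationName` (the real Chrome logic matched the roots by public-key hash, so this is a simplification), assumes the organization strings `WoSign CA Limited` and `StartCom Ltd.` for those issuers, uses the certificate’s `notBefore` as its issuance time, treats a `notBefore` exactly at the cutoff as “after” it, and assumes the CT exception applied in Chrome 56 only while the hostname whitelist applied through Chrome 60. The sample certificates are constructed for the example and are not real certificates.

```python
"""Apply Chrome's staged WoSign/StartCom distrust rule to a leaf certificate.

Added example, not Chrome's or Google's code. The certificate is a dict in
the shape returned by ssl.SSLSocket.getpeercert(). Assumptions (not stated
on the page): issuers are matched by organizationName, using the strings
below; notBefore stands in for issuance time; a notBefore exactly at the
cutoff counts as "after"; the CT exception applies in Chrome 56 only and the
hostname whitelist in Chrome 56 through 60.
"""
import calendar
import ssl

# Assumed issuer organizationName values for the affected CAs.
AFFECTED_ISSUER_ORGS = {"WoSign CA Limited", "StartCom Ltd."}

# "October 21, 2016 00:00:00 UTC" from the Chrome 56 announcement, as UTC epoch seconds.
CUTOFF = calendar.timegm((2016, 10, 21, 0, 0, 0))


def issuer_field(cert, key):
    """Return one attribute (e.g. 'organizationName') from getpeercert()['issuer'],
    which is a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None


def issued_by_affected_ca(cert):
    return issuer_field(cert, "organizationName") in AFFECTED_ISSUER_ORGS


def issued_on_or_after_cutoff(cert):
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' strings
    # that getpeercert() produces and returns UTC epoch seconds.
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= CUTOFF


def chrome_trusts(cert, chrome_version, ct_compliant=False, hostname_whitelisted=False):
    """Return (trusted, reason) for a leaf certificate under a Chrome major version."""
    if not issued_by_affected_ca(cert):
        return True, "issuer is not WoSign or StartCom"
    if chrome_version < 56:
        return True, "Chrome before 56 applied no WoSign/StartCom restriction"
    if chrome_version >= 61:
        return False, "Chrome 61+ fully distrusts the WoSign and StartCom roots"
    if issued_on_or_after_cutoff(cert):
        return False, "issued on or after 2016-10-21 00:00:00 UTC"
    # Pre-cutoff certificate: the exceptions narrow with each release.
    if chrome_version == 56 and ct_compliant:
        return True, "pre-cutoff certificate meeting the Chrome CT policy (Chrome 56)"
    if hostname_whitelisted:
        return True, "pre-cutoff certificate for a whitelisted hostname (Chrome 56-60)"
    return False, "pre-cutoff certificate with no remaining exception"


# Constructed sample certificates in getpeercert() shape (not real certificates).
WOSIGN_POST_CUTOFF = {
    "issuer": ((("countryName", "CN"),), (("organizationName", "WoSign CA Limited"),),
               (("commonName", "WoSign CA Free SSL Certificate G2"),)),
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Nov  1 12:00:00 2016 GMT",
    "notAfter": "Nov  1 12:00:00 2017 GMT",
}
STARTCOM_PRE_CUTOFF = {
    "issuer": ((("countryName", "IL"),), (("organizationName", "StartCom Ltd."),),
               (("commonName", "StartCom Class 1 DV Server CA"),)),
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Sep  1 00:00:00 2016 GMT",
    "notAfter": "Sep  1 00:00:00 2017 GMT",
}
UNRELATED_CA = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Issuing CA"),)),
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Nov  1 12:00:00 2016 GMT",
    "notAfter": "Nov  1 12:00:00 2017 GMT",
}


def audit(certs, chrome_version, **exceptions):
    """Map a label to the (trusted, reason) verdict for each certificate."""
    return {label: chrome_trusts(cert, chrome_version, **exceptions)
            for label, cert in certs.items()}


if __name__ == "__main__":
    samples = {"wosign-post-cutoff": WOSIGN_POST_CUTOFF,
               "startcom-pre-cutoff": STARTCOM_PRE_CUTOFF,
               "unrelated-ca": UNRELATED_CA}
    for version in (55, 56, 58, 61):
        for label, (ok, why) in audit(samples, version, ct_compliant=True).items():
            print(f"Chrome {version:>3} {label:<22} {'trusted' if ok else 'DISTRUSTED':<10} {why}")
```

For a live server, the same dict comes from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()`. One caveat a practitioner will hit: `getpeercert()` only returns the decoded dict when the handshake verified the chain, so once the local trust store has already dropped these roots the connection fails before the certificate can be inspected; in that case fetch it with `getpeercert(binary_form=True)` under a non-verifying context and parse the DER with a library such as `cryptography`, then apply the same rule. Matching on `organizationName` is also only as good as the assumed strings above; the authoritative approach is to check whether the chain terminates in one of the WoSign or StartCom root certificates themselves.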

Towards the end of 2016, both Apple and Mozilla also stopped trusting WoSign and StartCom certificates.