Google Follows Mozilla And Apple In Blocking New WoSign And StartCom Certificates

When the misbehavior of WoSign and StartCom came to light this summer, Mozilla was quick to draw up a plan for sanctioning the two certificate authorities. Last week, the nonprofit organization behind the popular Firefox web browser published the list of actions it will take against the two CAs, and now Google has followed suit, announcing that Chrome will distrust any WoSign or StartCom certificate issued on or after October 21, 2016.

WoSign Misbehaves, Mozilla And Apple React

Earlier this year, WoSign, a Chinese certificate authority, was found to have backdated SHA-1 certificates to get around the industry rule that forbids CAs from issuing SHA-1 certificates from January 1, 2016. A certificate's validity start date (its notBefore field) is written by the issuing CA, so nothing in the certificate itself stops a CA from stamping a certificate it issues in 2016 with a date in December 2015; the Mozilla investigation found WoSign certificates whose claimed dates did exactly that. WoSign also failed to disclose that it had acquired another popular certificate authority, StartCom, which then replaced its own certificate infrastructure with WoSign's. Mozilla took issue with this because its root program requires CAs to disclose changes of ownership.

Apple was also quick to act against WoSign. On September 30 it announced that it would block new intermediate certificates from the CA in security updates for iOS and macOS. To avoid disrupting existing certificate holders, the company said that only certificates that had been logged to a Certificate Transparency log by September 19, 2016 would continue to be accepted. It also said that all existing WoSign certificates would eventually be blocked once WoSign transitions to new, trusted root certificates, and reserved the right to block existing certificates earlier or take further action if necessary.

Google, Next To Take Action Against WoSign

Google has been collaborating with Mozilla on the WoSign investigation, which recently concluded, but it had not revealed how it would respond to the rogue certificate authority until now. The company is taking much the same course as Mozilla and Apple.

Starting with Chrome 56, Google will not trust any WoSign or StartCom certificate issued on or after October 21, 2016. Certificates issued before that date will continue to be trusted only if they have been publicly logged in accordance with Chrome's Certificate Transparency policy, or were issued to a limited set of domains known to be WoSign and StartCom customers. Because of technical limitations, Google said, Chrome cannot keep trusting every pre-existing certificate while still protecting users against further misissuance, so some existing certificates may also stop working in Chrome 56.

Future Chrome releases will distrust all WoSign and StartCom certificates. The staged response is meant to minimize disruption by giving sites time to move to new CAs. Google, like Mozilla, warned that any attempt to circumvent these restrictions will result in the immediate distrust of all WoSign and StartCom certificates.
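A check that applies the cutoffs above to a certificate chain, as an added example written for this page and not code from Google, Mozilla or any browser: the Go program below mints a throwaway root and leaf in memory (constructed fixtures; the organization names, the example.test hostname and the seven-day tolerance are assumptions of the example), verifies the leaf as a client would, then applies the SHA-1 and WoSign/StartCom cutoff rules to the chain. The point it adds to the article is that the date a browser has to enforce these rules against, the certificate's notBefore, is written by the very CA under suspicion, so a robust check also takes an independent timestamp such as a Certificate Transparency SCT into account. Chrome's whitelist of known customer domains is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cutoff dates from the article. DistrustedOrgs are example fixtures matched on the
// trust anchor's Subject; a real implementation would pin the roots by key hash.
var (
	SHA1Cutoff        = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
	WoSignCutoff      = time.Date(2016, 10, 21, 0, 0, 0, 0, time.UTC)
	DistrustedOrgs    = map[string]bool{"WoSign CA Limited": true, "StartCom Ltd.": true}
	BackdateTolerance = 7 * 24 * time.Hour // slack for clock skew and "NotBefore = now - 1h"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Evaluate applies the policy to a verified chain (chain[0] is the leaf, the last element
// the trust anchor, as Certificate.Verify returns it). firstSeen is a timestamp the caller
// trusts as a lower bound on issuance, e.g. a precertificate SCT; pass the zero time if none.
func Evaluate(chain []*x509.Certificate, firstSeen time.Time) (bool, string) {
	leaf, root := chain[0], chain[len(chain)-1]
	// NotBefore is written by the CA and can be backdated (the WoSign finding), so
	// when an independent observation contradicts it, reason about the observation.
	issued, backdated := leaf.NotBefore, false
	if !firstSeen.IsZero() && firstSeen.Sub(leaf.NotBefore) > BackdateTolerance {
		issued, backdated = firstSeen, true
	}
	sha1 := leaf.SignatureAlgorithm == x509.SHA1WithRSA || leaf.SignatureAlgorithm == x509.ECDSAWithSHA1
	org := root.Subject.Organization
	distrusted := len(org) > 0 && DistrustedOrgs[org[0]]
	switch {
	case sha1 && !issued.Before(SHA1Cutoff):
		return false, "SHA-1 certificate issued on or after 2016-01-01"
	case distrusted && !issued.Before(WoSignCutoff):
		return false, "WoSign/StartCom certificate issued on or after 2016-10-21"
	case distrusted && firstSeen.IsZero():
		return false, "pre-cutoff WoSign/StartCom certificate with no CT evidence"
	case backdated:
		return false, "claimed NotBefore is far earlier than the first observation"
	}
	return true, "ok"
}

// mintChain builds a self-signed root and a leaf it signs, entirely in memory (constructed
// fixtures), verifies the leaf as a client would and returns the resulting chain.
func mintChain(rootOrg string, notBefore time.Time) []*x509.Certificate {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{rootOrg}, CommonName: rootOrg + " Root"},
		NotBefore:    notBefore.AddDate(-1, 0, 0), NotAfter: notBefore.AddDate(10, 0, 0),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"},
		NotBefore:    notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(
		rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	pool := x509.NewCertPool()
	pool.AddCert(root)
	chains := must(leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: "example.test", CurrentTime: notBefore.Add(time.Hour)}))
	return chains[0]
}

// asSHA1 models a backdated SHA-1 leaf without minting a real SHA-1 signature: it only
// overrides the algorithm that ParseCertificate reported for the leaf.
func asSHA1(chain []*x509.Certificate) []*x509.Certificate {
	leaf := *chain[0]
	leaf.SignatureAlgorithm = x509.SHA1WithRSA
	return append([]*x509.Certificate{&leaf}, chain[1:]...)
}

func main() {
	sep, dec := time.Date(2016, 9, 1, 0, 0, 0, 0, time.UTC), time.Date(2015, 12, 20, 0, 0, 0, 0, time.UTC)
	report := func(name string, chain []*x509.Certificate, firstSeen time.Time) {
		ok, why := Evaluate(chain, firstSeen)
		fmt.Printf("%-50s trusted=%-5v %s\n", name, ok, why)
	}
	report("StartCom cert minted the day after the cutoff", mintChain("StartCom Ltd.", WoSignCutoff.AddDate(0, 0, 1)), time.Time{})
	report("WoSign cert from September, logged to CT", mintChain("WoSign CA Limited", sep), sep.Add(2*time.Hour))
	report("SHA-1 cert claiming Dec 2015, first seen Feb 2016", asSHA1(mintChain("WoSign CA Limited", dec)), dec.AddDate(0, 2, 0))
	report("unrelated CA, SHA-256, no CT evidence", mintChain("Example Trust Services", sep), time.Time{})
}
```

Run it with `go run`; each line reports one case. To evaluate a real certificate, parse it with x509.ParseCertificate, call Verify against the system roots, and pass the first returned chain to Evaluate with the earliest SCT timestamp from the certificate's CT extension as firstSeen; a certificate that was never logged gets the zero time and, if it chains to one of the distrusted roots, is rejected for lack of CT evidence.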

Mozilla, Apple, and Google have all published their plans for penalizing WoSign and StartCom. Microsoft and Opera, the latter recently acquired by a Chinese company, are the last two major browser vendors that have not yet said how they intend to handle the two CAs.

  • Christopher1
    With all due respect, Mozilla, Google and Apple need to back down on this. There is nothing 'shady' about what these companies are doing in the slightest; it is standard operating procedure at a lot of CAs.

    Opera is right to stand above the fray and say "While you may dislike what these people are doing you do not have any right to tell them they cannot do this because it does not harm users of browsers or leave them open to attacks!"

    Mozilla, Google and Apple are bucking for a lawsuit against them and it is one that I personally believe they will lose and lose big!
  • Kewlx25
    @CHRISTOPHER
    You mean handing out fraudulent certificates to people who don't own the domains? Nothing wrong with fraud.
  • caustin582
    75395 said:
    With all due respect, Mozilla, Google and Apple need to back down on this. There is nothing 'shady' about what these companies are doing in the slightest; it is standard operating procedure at a lot of CAs. Opera is right to stand above the fray and say "While you may dislike what these people are doing you do not have any right to tell them they cannot do this because it does not harm users of browsers or leave them open to attacks!" Mozilla, Google and Apple are bucking for a lawsuit against them and it is one that I personally believe they will lose and lose big!

    I'm really confused by this comment. The logic is so backwards that it reads like paid propaganda. WoSign's actions undermined the very purpose of having certificate authorities in the first place. Firefox, Apple, and Google are completely correct to reject them, and in doing so are working in the best interest of their users.

    Additionally, no they are not setting themselves up for a lawsuit because there is nothing remotely unlawful about what they are doing.

    AND no, they are not telling anyone what they cannot do. They are modifying their own software as they see fit. WoSign is free to continue issuing fraudulent certificates if they wish. Claiming that Firefox/Apple/Google are not allowed to exclude fraudulent CAs from their browsers would be an example of telling a company that they cannot do something.