When the misbehavior of WoSign and StartCom was discovered this summer, Mozilla was quick to create a plan for punishing the rogue certificate authorities. Last week, the nonprofit organization behind the popular Firefox web browser published a list of actions it’s going to take against the two CAs, and now Google is doing the same by announcing that it’s going to distrust WoSign and StartCom certificates issued on October 21 or later.
WoSign Misbehaves, Mozilla And Apple React
Earlier this year, WoSign, a Chinese certificate authority, was found to backdate SHA-1 certificates to work around the new policy for certificate authorities to stop issuing those certificates after January 1, 2016. WoSign also failed to disclose that it acquired a popular certificate authority, StartCom, which replaced its certificate infrastructure with WoSign's. Mozilla took issue with this because it requires CAs to disclose such information.
Apple was also quick to act against WoSign. It announced on September 30 that it would block new intermediate certificates from the CA in security updates for iOS and macOS. To avoid disrupting the service of existing certificate holders, the company said that only certificates that had a Certificate Transparency log by 09-19-2016 would be accepted. It also said that all certificates would eventually be blocked after WoSign transitions to new, trusted root certificates, and reserved the right to block existing certificates or take further action if necessary.
Google, Next To Take Action Against WoSign
Google has been collaborating with Mozilla on the WoSign investigation, which recently finished, but it didn't reveal its plan for responding to the rogue certificate authority until now. It looks like the company is ready to take actions similar to those of Mozilla and Apple.
Starting with version 56 of Chrome, Google will not trust any new WoSign or StartCom certificates issued on October 21 or later. Existing certificates will continue to be trusted if they comply with Chrome's Certificate Transparency policies, or if they were issued to a limited number of known WoSign and StartCom customers. Google said that, due to technical limitations, some existing certificates may also stop working in Chrome 56 if that is necessary to ensure users are sufficiently protected.
Future Chrome releases will distrust all WoSign and StartCom certificates. This staged response is meant to minimize disruption by giving sites an opportunity to transition to new CAs. Google, like Mozilla, said any attempt to bypass these controls will result in an immediate ban of all WoSign and StartCom certificates.
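For a site operator, the practical question behind these announcements is "which of my certificates stop working, and when?" The following is an added example, not code from Google, Mozilla or the article, that encodes the staged Chrome rules described above as an inventory audit: certificates from the two CAs issued on or after the October 21 cutoff are distrusted in Chrome 56, earlier ones survive only if they are CT-compliant or belong to a whitelisted customer, and a later release distrusts them all. The issuer organization strings, the inventory records and the whitelist flag are constructed for the example (the real customer whitelist was not published); real deployments would populate the records from the issuer and notBefore fields of their actual certificates.

```python
from dataclasses import dataclass
from datetime import date

# Cutoff stated in the announcement: WoSign/StartCom certificates issued on or
# after this date are not trusted starting with Chrome 56.
CHROME56_CUTOFF = date(2016, 10, 21)

# Issuer organization names to match. Constructed for this example; a real
# audit would compare against the O= component of each certificate's issuer DN.
DISTRUSTED_ISSUERS = {"WoSign CA Limited", "StartCom Ltd."}


@dataclass
class CertRecord:
    hostname: str
    issuer_org: str
    not_before: date      # issuance date (X.509 notBefore)
    ct_compliant: bool    # logged in line with the browser's CT policy
    known_customer: bool  # on the vendor's limited whitelist (assumed flag)


def chrome56_verdict(cert: CertRecord) -> str:
    """Verdict under the Chrome 56 rules: 'unaffected', 'trusted' or 'distrusted'."""
    if cert.issuer_org not in DISTRUSTED_ISSUERS:
        return "unaffected"
    if cert.not_before >= CHROME56_CUTOFF:
        return "distrusted"            # new issuance after the cutoff
    if cert.ct_compliant or cert.known_customer:
        return "trusted"               # grandfathered for now
    return "distrusted"                # old cert, no CT, not whitelisted


def future_verdict(cert: CertRecord) -> str:
    """Verdict once later releases distrust every certificate from the two CAs."""
    if cert.issuer_org not in DISTRUSTED_ISSUERS:
        return "unaffected"
    return "distrusted"


def audit(inventory):
    """Group hostnames by the Chrome 56 verdict so re-issuance can be prioritised.

    Returns a dict with keys 'distrusted', 'trusted' and 'unaffected'. Anything
    'trusted' still needs replacing before the full distrust lands.
    """
    report = {"distrusted": [], "trusted": [], "unaffected": []}
    for cert in inventory:
        report[chrome56_verdict(cert)].append(cert.hostname)
    return report


# Constructed sample inventory, not real certificate data.
SAMPLE_INVENTORY = [
    CertRecord("shop.example", "WoSign CA Limited", date(2016, 11, 2), True, False),
    CertRecord("www.example", "StartCom Ltd.", date(2016, 6, 14), True, False),
    CertRecord("mail.example", "StartCom Ltd.", date(2015, 12, 1), False, False),
    CertRecord("api.example", "Example Trust Services", date(2016, 12, 1), False, False),
]

if __name__ == "__main__":
    for verdict, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{verdict:>10}: {', '.join(hosts) or '-'}")
```

Running the script lists shop.example and mail.example under "distrusted" for Chrome 56, www.example under "trusted" (CT-compliant but still scheduled for the later full distrust), and api.example as unaffected.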
Mozilla, Apple, and Google have all published their plans to punish WoSign and StartCom for their misbehavior. Microsoft and Opera, which was recently acquired by a Chinese company, are the last two major browser vendors that haven’t revealed anything about how they intend to handle the rogue CAs.