Google to Distrust WoSign/StartCom Certificates

Google has joined Mozilla and Apple and will distrust WoSign and StartCom certificates beginning in 2017. That leaves Microsoft as the only major browser holdout.

Tens of thousands of desktops, laptops, servers, appliances and apps running in the cloud for businesses and government agencies trust WoSign and StartCom, certificate authorities (CAs) that up until recently played a key role in web security by issuing digital certificates to website operators. These certificates are trusted by browsers to authenticate secure connections to websites.

But on August 17, Google was notified by GitHub's security team that WoSign had issued a certificate for one of GitHub's domains without its authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign mis-issuance.

The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements.

“WoSign and StartCom, their secretly acquired subsidiary, have made a mockery of the global system of trust that runs e-commerce and allows us to safely run downloaded apps on our computers,” said Kevin Bocek, vice president of Security Strategy and Threat Intelligence for Venafi, in an email. “It's encouraging to see Google join Apple and Mozilla in taking the right steps to obliterate WoSign and StartCom as being trusted in browsers. Microsoft must do the same. Inaction is unconscionable.”

Further, StartCom, another CA, had been purchased by WoSign and had replaced its infrastructure, staff, policies and issuance systems with WoSign's. However, when pressed, neither company would be transparent about their relationship.

“Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy,” said Andrew Whalley of Chrome Security, in a post. “CAs who issue certificates outside the policies required by browsers and industry bodies can put the security and privacy of every web user at risk.”

Google is taking a phased approach to distrust: Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21 will not be trusted. In subsequent Chrome releases, pre-existing certificates will be phased out, culminating in the full distrust of these CAs.

Enterprises will need to take action too. Bocek added, “Organizations need to follow the guidance of NIST and others to automate their response to eliminate obliterate unneeded and unnecessary CAs from their systems. Most businesses and governments don’t know what certificates they use and what CAs they trust. The status quo leaves businesses with an unacceptable level of risk.”

Source: Information Security Magazine