Google stops trusting SSL certificates from WoSign and StartCom

As the penalty announced at the end of October, Google no longer trusts SSL/TLS certificates from WoSign and its subsidiary StartCom as of Chrome 62, because the CA does not maintain the 'necessary standards of CA'.

The move came after GitHub's security team informed Google on August 17, 2016 that the Chinese Certificate Authority WoSign had issued a base certificate for one of GitHub's domains to an unidentified GitHub user without authorization.

After WoSign was reported, Google conducted a public investigation together with Mozilla and the security community, which uncovered several other cases in which WoSign had mis-issued certificates.

As a result, at the end of last year, the technology giant restricted trust to certificates issued by WoSign and StartCom before October 21, 2016, and has gradually removed whitelisted hostnames over the releases since Chrome 56.

In a Google Groups post on Thursday, Chrome security engineer Devon O'Brien said that the company would finally remove the whitelist in an upcoming Chrome release, completely ending its trust in certificates from WoSign and StartCom.

'Since Chrome 61, the whitelist will be removed, no longer trusting WoSign's current certificates and (its affiliate) StartCom's and all the certificates they have issued,' O'Brien said. 'Based on the Chromium Development Calendar, this change will be visible on Chrome Dev channels in the coming weeks, on Chrome Beta from the end of July 2017, and will be released to Stable around mid-September 2017.'

Last year, Apple and Mozilla also stopped trusting certificates issued by WoSign and StartCom in their browsers due to excessive technical and management errors.

'Most importantly, we found they rewrote the dates on SSL certificates to get around the January 1, 2016 deadline for CAs to stop issuing SHA-1 SSL certificates,' said Kathleen Wilson, Mozilla's Trusted Root Program Manager. 'In addition, Mozilla also discovered that WoSign took over ownership of another CA named StartCom and did not disclose it, as Mozilla's policy requires.'

WoSign's certificate issuance problems began in July 2015 and were publicly disclosed last year by British Mozilla programmer Gervase Markham on Mozilla's security policy list.

According to Markham, a security researcher accidentally discovered the flaw while getting a certificate for med.ucf.edu: the researcher also submitted www.ucf.edu, and WoSign approved it, issuing a certificate valid for the school's main domain. To test this, the researcher used the same trick against GitHub's base domains (github.com and github.io) by demonstrating control of a subdomain. Surprisingly, WoSign then issued a certificate for GitHub's entire main domain.

From September 2017, browsers will display a warning when users visit websites that use WoSign and StartCom HTTPS certificates. These sites are therefore advised to replace their certificates 'to quickly minimize errors for Chrome users,' O'Brien said.