Slashdot Mirror


Google Joins Mozilla and Apple In Distrusting WoSign and StartCom Certificates (csoonline.com)

itwbennett quotes a report from CSO Online: Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by certificate authorities WoSign and StartCom because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the two authorities after October 21. Browsers rely on digital certificates to verify the identity of websites and to establish encrypted connections with them. Certificates issued before October 21 will continue to be trusted as long as they're published to the public Certificate Transparency logs or have been issued to a limited set of domains owned by known WoSign and StartCom customers. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," said Chrome security team member Andrew Whalley in a blog post Monday. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56. Sites that find themselves on the whitelist will be able to request early removal once they've transitioned to new certificates," Whalley said. "Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust."
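The trust rule the summary describes (reject post-cutoff certificates from the two CAs; accept pre-cutoff ones only with Certificate Transparency evidence or a whitelisted domain) can be modelled directly. This is an added illustration, not Chrome's code; the whitelist contents and the sample certificates are constructed, and whitelist matching is a plain exact-domain comparison because the page does not say how Chrome matches it.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# The article's policy: certificates from these CAs issued after
# 21 October 2016 are rejected outright in Chrome 56.
DISTRUSTED_CAS = {"WoSign", "StartCom"}
CUTOFF = date(2016, 10, 21)

# Constructed stand-in for the "limited set of domains owned by known
# WoSign and StartCom customers"; the real list is not on the page.
WHITELISTED_DOMAINS = {"shop.example.com"}


@dataclass
class Cert:
    issuer_org: str
    not_before: date        # asserted by the issuing CA itself, so it could be backdated
    domains: list[str]
    ct_logged: bool = False # published to public CT logs (independent evidence of existence)


def chrome56_decision(cert: Cert) -> tuple[bool, str]:
    """Return (trusted, reason) under the policy described in the article."""
    if cert.issuer_org not in DISTRUSTED_CAS:
        return True, "issuer not covered by this policy"
    # "after October 21": a certificate dated exactly on the cutoff is still pre-cutoff.
    if cert.not_before > CUTOFF:
        return False, "issued after 2016-10-21 by a distrusted CA"
    if cert.ct_logged:
        return True, "pre-cutoff and published to Certificate Transparency logs"
    if any(d in WHITELISTED_DOMAINS for d in cert.domains):
        return True, "pre-cutoff and domain on the customer whitelist"
    # Pre-cutoff date alone is not enough: only the CA vouches for that date.
    return False, "pre-cutoff but neither CT-logged nor whitelisted"


if __name__ == "__main__":
    samples = [  # constructed examples covering each branch
        Cert("StartCom", date(2016, 10, 21), ["a.example.org"], ct_logged=True),
        Cert("WoSign", date(2016, 10, 22), ["b.example.org"], ct_logged=True),
        Cert("StartCom", date(2016, 6, 1), ["shop.example.com"]),
        Cert("WoSign", date(2016, 6, 1), ["c.example.org"]),
    ]
    for c in samples:
        print(c.issuer_org, c.not_before, chrome56_decision(c))
```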

1 of 86 comments

  1. Re:pre-existing by guruevi · Score: 4, Informative

    It's complicated. They're basically whitelisting all StartCom certificates before a certain issue date. However, WoSign silently took over StartCom and started sharing infrastructure and keys for about a year. When Mozilla investigated them for backdating weak certificates, they split up the operations again trying to 'fix' the situation and fired WoSign's CEO.

    Since they were sharing infrastructure for about a year and it's not sure how many certificates were backdated, a browser can't be sure when WoSign's key(s) and StartCom's key(s) were used to sign the certificate and whether or not it was backdated.

    So they can't "trust all pre-existing certificates" but they can trust certain ones (the ones they are sure were definitely issued and signed by StartCom before they were taken over).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com