Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)
Google has warned that all certificates issued by Chinese company WoSign and its subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant will soon go further and completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 reaches public release, Chrome will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.
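The phased policy in the summary (date cutoff, hostname whitelist, then full distrust in Chrome 61) can be modelled as a decision function that a site operator could run over their own certificate inventory to see what will break. This is an added example and not Google's or Chrome's code; the root names, the whitelist contents and the sample certificates are simplified placeholders constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# CA names from the article; real Chrome matches root key hashes, not names.
AFFECTED_ROOTS = {"WoSign", "StartCom"}
CUTOFF = date(2016, 10, 21)    # certificates issued on/after this date were not trusted
FULL_DISTRUST_VERSION = 61     # from this Chrome release on, everything is distrusted

@dataclass(frozen=True)
class Cert:
    root: str          # root CA that anchors the chain
    not_before: date   # issuance date of the leaf certificate
    hostname: str      # hostname the certificate is served for

def is_trusted(cert: Cert, chrome_version: int, whitelist: frozenset) -> tuple:
    """Return (trusted, reason) under the phased policy described in the article.

    `whitelist` stands in for the pruned Alexa-derived hostname list Chrome
    shipped during the phase-out (simplified model, assumption of this example).
    """
    if cert.root not in AFFECTED_ROOTS:
        return True, "root not covered by the WoSign/StartCom policy"
    if chrome_version >= FULL_DISTRUST_VERSION:
        return False, f"Chrome {chrome_version}: full distrust of {cert.root}"
    if cert.not_before >= CUTOFF:
        return False, f"issued {cert.not_before}, on/after the {CUTOFF} cutoff"
    if cert.hostname not in whitelist:
        return False, f"{cert.hostname} is not on the hostname whitelist"
    return True, "pre-cutoff certificate for a whitelisted host (transitional)"

def audit(certs, chrome_version: int, whitelist: frozenset) -> list:
    """List (root, hostname, trusted) for an inventory at a given Chrome version."""
    return [(c.root, c.hostname, is_trusted(c, chrome_version, whitelist)[0])
            for c in certs]

# Constructed sample inventory: hostnames and dates are made up for illustration.
SAMPLE_WHITELIST = frozenset({"popular.example"})
SAMPLE_CERTS = [
    Cert("WoSign", date(2016, 6, 1), "popular.example"),    # pre-cutoff, whitelisted
    Cert("WoSign", date(2016, 6, 1), "obscure.example"),    # pre-cutoff, not whitelisted
    Cert("StartCom", date(2016, 11, 5), "late.example"),    # issued after the cutoff
    Cert("OtherCA", date(2017, 3, 1), "unrelated.example"), # unaffected root
]

if __name__ == "__main__":
    for version in (60, 61):
        for root, host, ok in audit(SAMPLE_CERTS, version, SAMPLE_WHITELIST):
            print(f"Chrome {version}: {root} -> {host}: {'trusted' if ok else 'DISTRUSTED'}")
```

Running it shows that only the pre-cutoff, whitelisted certificate survives the transitional phase, and nothing from the affected roots survives Chrome 61.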
Your position is actually very reasonable. You don't know any of the certificate issuers. It is impossible for you to fully trust any of them. At most, you have some "policy" that supposedly tells you what some faceless corporation is doing.
Fortunately, people implemented solutions to this problem about a quarter century ago. "Moderately trust" your CAs. And if an identity is signed by (say) three moderately-trusted CAs then you consider it fairly trustworthy. You could even work in scoring rules for whether or not the CAs are jurisdictionally diverse enough. (e.g. If a Chinese signer and a US government signer and a French signer all agree, then either it's correct, or you are up against a conspiracy so massive that you'd never beat it anyway.)
What's the probability that someone is up to something naughty? Some fraction. Now raise that fraction to some more-than-1 power, say the third power. That's how trickable you'd be, if we used modern PK tech, like what PGP has.