Google has finalized its plan to remove trust in Chrome for all certificates issued by Chines CA WoSign, a result of the certificate authority run afoul of the intricate rules that govern CAs.
As far back as 2015, officials began noticing certificates issued by WoSign that had one or more problems and violated rules established by the CA/Browser forum. In some cases, the certificates used the deprecated SHA-1 algorithm and had expiration dates that were too far in the future. The rules from the CA/Browser forum, which regulates some aspects of CA behavior, dictated that CAs shouldn’t issue any SHA-1 certificates with expiration dates after Jan. 1, 2017. Officials discovered a number of certificates from WoSign that used SHA-1 and had apparently been backdated and some others had expiration dates that were well into 2017.
Both Apple and Mozilla already have removed trust for WoSign certificates in their respective browsers.
Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products. In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA,” Apple said in a statement in October.
Google announced last year that it would begin phasing out trust for WoSign certificates in future versions of Chrome and whitelisted some clean certificates. Now, that process is about to come to an end.
“We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases,” Andrew Whalley and Devon O’Brien of the Chrome security team, said.
“Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.”
The current stable version of Chrome is 59 and Google expects Chrome 61 to be released in the middle of September.
