The wheels of justice may turn slowly, but as Chinese certificate authority WoSign is discovering, they do grind...
Google Chrome security engineer Devon O'Brien announced the process of removing trust in certificates issued by the WoSign CA and its subsidiary StartCom will be complete with Chrome 61, which is planned for stable release in the middle of September.
"We started the phase out [sic] in Chrome 56 by only trusting certificates issued prior to October 21st, 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases," O'Brien wrote in a post to the Chromium development security forum. "Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued."
Mozilla has already taken action to remove trust in WoSign and StartCom certificates as a consequence of WoSign's issuance of backdated SHA-1 SSL certificates to bypass the Jan. 1, 2016, deadline for issuing certificates that rely on the deprecated SHA-1 hashing algorithm, as well as WoSign's undisclosed acquisition of the Israeli CA StartCom.
"Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users," O'Brien wrote.
"Overall, the impact this news has on enterprises should be small; only customers who have been totally oblivious to Chrome's communications on this topic will be affected," Walter Goulet, senior digital trust researcher at Salt Lake City-based Venafi, told SearchSecurity via email. "WoSign [and] StartCom certificates have been gradually deprecated for quite some time in Chrome; certificates issued prior to Oct. 21, 2016, have [been] marked as untrusted by Chrome ever since August of last year."
"What is changing now is that the whitelist and the logic to determine whether or not to trust a WoSign [or] StartCom certificate is being removed from the Chrome browser. This means all certificates issued by those CAs are now untrusted."
Seeking a return to trust, WoSign CA passes audit and seeks CEO
Meanwhile, Danny Wu, compliance coordinator at WoSign, reported that WoSign CA had successfully undergone a security audit, which was one of the requirements for the sanctioned CA to regain trust from the browser community.
However, in the follow-up discussion on the Mozilla developer security policy forum, it became clear that WoSign CA had yet to replace former CEO Richard Wang, one of the conditions set for WoSign to regain trust from Mozilla. Wang announced he would step down as WoSign CEO in October 2016, but he has continued calling the shots as COO at WoSign while seeking a new CEO over the past nine months.
Wang wrote on the forum, "CEO is still N/A, if anyone is interesting in the CEO position, please send your résumé to Mr. [Xiaosheng] Tan." Tan is vice president at Qihoo 360, the Chinese company that owns WoSign and StartCom.
Follow the timeline for Symantec's certificate authority problems.
Read about Mozilla's deprecation of SHA-1 certificates.
Learn about certificate authority risks and how to manage them.