After Mozilla, Google also withdraws trust in WoSign and StartCom certificates


Google has announced that it no longer trusts certificates issued by the certificate authorities WoSign and StartCom. Mozilla recently announced similar measures. The decision follows various errors by the two certificate authorities.

Google states that certificate authorities play an important role in internet security. According to the company, WoSign and StartCom did not meet the high requirements that apply to such organizations. Therefore, in accordance with its root certificate policy, Google no longer trusts WoSign and StartCom certificates issued from October 21 onward. Certificates issued before that date will remain trusted by Google as long as they meet the requirements of the Certificate Transparency (CT) policy. These changes will take effect with the release of Chrome 56, which is scheduled for January 2017.

Google says it wants to use a phased approach, in which some sites are placed on a whitelist and can keep using the certificates for a while. Google wants to reduce the number of exceptions in new releases of the Chrome browser until trust in all certificates from WoSign and StartCom is completely revoked. In this way, the company wants to prevent disruptions and give sites the opportunity to switch to other certificates.

In its blog post, Google cites some errors by the certificate authorities that led to the current decision. These include issuing a certificate for GitHub without the organization’s consent. In addition, WoSign acquired StartCom without disclosing it. When the takeover became known, the certificate authorities reportedly attempted to mislead the outside world. Mozilla itself compiled an extensive list of the problems surrounding WoSign and StartCom.

Mozilla recently announced, following an investigation, that it was withdrawing trust in the certificates issued by the two authorities. Apple also withdrew its trust in the certificates.
