Cutting to the Root: Google to Completely Blacklist WoSign and StartCom

July 10, 2017 | Scott Carter

Google takes another step toward rooting out certificate authority (CA) malpractice. After a lengthy investigation into a series of questionable practices, Google announced in a Google Groups post that Chrome 61 will completely blacklist certificates issued by the CAs WoSign and StartCom.

This radical action may leave some organizations scrambling to find and replace any certificates issued by the blacklisted CAs before the distrust disrupts business processes or erodes customer trust. The Google post recommends, "Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users."

Finally, the industry is waking up to the serious impact of betraying the trust that we all place in cryptographic keys and digital certificates. Google is at the forefront of that movement, but it is not alone. Mozilla and Apple have both taken action to distrust questionable certificate authorities, such as WoSign and its affiliate StartCom.

Early signs of suspicious behavior came to light in August 2016, when WoSign was found to have mis-issued HTTPS certificates for GitHub domains. Later that year, Mozilla uncovered a number of back-dated SHA-1 certificates (dated before the January 1, 2016 cut-off so that they would appear to predate the industry ban on new SHA-1 issuance), among other questionable practices. By that point, Google, Mozilla and Apple had all begun the process of distrusting certificates issued by WoSign and StartCom.

According to ZDNet, the Chrome development team had previously "restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases." With Chrome 61, that whitelist will be eliminated and all WoSign and StartCom certificates will be blacklisted.

Here's why the trustworthiness of certificate authorities matters so much: if we can't trust the keys and certificates that identify our machines, we can't protect the machine-to-machine connections and communications that those identities enable. And if we can't trust certificate authorities to uphold the highest standards when issuing keys and certificates, we can't fully trust the machine identities they vouch for.

It's reassuring that browser vendors are advocating this trust for the industry at large. But until there is a definitive standards board or other overarching way of mandating trust for keys and certificates, organizations should be prepared to take matters into their own hands and enforce rigorous security for certificates. That means maintaining their own systems that allow them to find and remove certificates quickly, no matter who issued them or where they are on their networks.
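As an added illustration (not part of Venafi's post, and not Venafi's or Google's code), the following Go program shows the minimal form of such a system: given an inventory of hostname-to-certificate-chain entries, it flags every host whose chain is issued under a WoSign or StartCom organization name, so the operator knows what to replace before Chrome 61 ships. The two organization names match the O= field on the real WoSign and StartCom roots; everything else here is constructed for the example: the hostnames, the "Example Trust Services" CA, and the ed25519 keys and certificates, which are generated in memory so the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Organization (O=) names used on the WoSign and StartCom roots and
// intermediates. Matching on O rather than CN catches every issuer they ran.
var DistrustedCAs = []string{"WoSign CA Limited", "StartCom Ltd."}

// ChainIssuedBy reports which distrusted organization, if any, appears in the
// Issuer of any certificate in the chain. Every element is checked, so a
// distrusted root behind an innocuous-looking intermediate is still caught,
// and a bare leaf is enough to flag a host.
func ChainIssuedBy(chain []*x509.Certificate, cas []string) (string, bool) {
	for _, c := range chain {
		for _, org := range c.Issuer.Organization {
			for _, ca := range cas {
				if strings.EqualFold(strings.TrimSpace(org), ca) {
					return ca, true
				}
			}
		}
	}
	return "", false
}

// HostsNeedingReplacement returns, sorted, every host in the inventory
// (hostname -> chain as presented by the server) that chains to a distrusted CA.
func HostsNeedingReplacement(inv map[string][]*x509.Certificate, cas []string) []string {
	var hosts []string
	for host, chain := range inv {
		if _, hit := ChainIssuedBy(chain, cas); hit {
			hosts = append(hosts, host)
		}
	}
	sort.Strings(hosts)
	return hosts
}

// newCert signs tmpl with parentKey (self-signed when parent is nil). It only
// exists to build the constructed inventory below.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSampleInventory constructs three hostname -> chain entries, two under
// the WoSign/StartCom organization names and one under an invented clean CA.
// The hostnames and "Example Trust Services" are made up for this example.
func BuildSampleInventory() (map[string][]*x509.Certificate, error) {
	inv := map[string][]*x509.Certificate{}
	for host, org := range map[string]string{
		"shop.example.test": "WoSign CA Limited",
		"api.example.test":  "StartCom Ltd.",
		"www.example.test":  "Example Trust Services",
	} {
		root, rootKey, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
			Subject: pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"}}, nil, nil)
		if err != nil {
			return nil, err
		}
		leaf, _, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
			Subject: pkix.Name{CommonName: host}, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
		if err != nil {
			return nil, err
		}
		inv[host] = []*x509.Certificate{leaf, root}
	}
	return inv, nil
}

func main() {
	inv, err := BuildSampleInventory()
	if err != nil {
		panic(err)
	}
	for _, host := range HostsNeedingReplacement(inv, DistrustedCAs) {
		ca, _ := ChainIssuedBy(inv[host], DistrustedCAs)
		fmt.Printf("%s: chains to %q, replace before Chrome 61\n", host, ca)
	}
}
```

To run the same check against live servers, feed ChainIssuedBy the PeerCertificates from a tls.Dial with InsecureSkipVerify set: the goal is to see what each host actually presents, not to verify it, and a chain the local trust store already rejects is exactly the one you need to find. Matching on the issuer organization rather than a fixed list of root fingerprints means a newly discovered WoSign or StartCom intermediate, or a cross-signed path, is still flagged.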

How do you know when it's critical to switch CAs? Mike Dodson, Venafi's Senior Director of Global Solution Engineering, shares why it's important to determine your own levels of trust for certificate authorities and why you should be prepared to move quickly when you need to.

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.