
Cutting to the Root: Google to Completely Blacklist WoSign and StartCom

July 10, 2017 | Scott Carter

Google has taken another step toward rooting out certificate authority (CA) malpractice. After a lengthy investigation into a series of questionable practices, Google announced in a Google Groups post that Chrome 61 will completely blacklist certificates issued by the CAs WoSign and StartCom.

This radical action may leave some organizations scrambling to find and replace any certificates issued by the blacklisted CAs before they impede business processes or customer trust. The Google post recommends, “Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users."

Finally, the industry is waking up to the serious impact of betraying the trust that we all place in cryptographic keys and digital certificates. And Google is at the forefront of that movement. But they are not alone. Mozilla and Apple have both taken actions to distrust questionable certificate authorities, such as WoSign and its affiliate StartCom.

Early signs of suspicious behavior surfaced in August 2016, when it came to light that WoSign had issued unauthorized HTTPS certificates for GitHub domains. Later that year, Mozilla’s investigation uncovered a number of back-dated SHA-1 certificates, among other questionable practices. By that point, Google, Mozilla and Apple had all begun the process of distrusting certificates issued by WoSign and StartCom.

According to ZDNet, the Chrome development team had previously “restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases.” With Chrome 61, that whitelist will be eliminated and all WoSign and StartCom certificates will be blacklisted, including those for hosts that had remained on the whitelist.

Here’s why the trustworthiness of certificate authorities matters so much: if we can’t trust the keys and certificates that identify our machines, we can’t protect the machine-to-machine connections and communications they enable. And if we can’t trust certificate authorities to uphold the highest standards when issuing keys and certificates, we can’t fully trust the machine identities they vouch for.

It’s reassuring that browser vendors are enforcing this trust on behalf of the industry at large. But until there is a definitive standards body or some other overarching way of mandating trust for keys and certificates, organizations should be prepared to take matters into their own hands and enforce rigorous security for their certificates themselves. That means maintaining their own inventory and tooling that lets them find and replace certificates quickly, no matter which CA issued them or where they sit on the network. Note that a browser distrust applies to the whole chain: a certificate is affected if any link between the leaf and the root was issued by the distrusted CA, so an inventory check has to look at every certificate a server presents, not just the leaf.
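The kind of inventory check the paragraph above calls for, as an added example that is not from the Venafi post or any Venafi product: a POSIX shell script that walks every certificate in a PEM bundle (leaf plus intermediates) with the openssl CLI and flags any link issued by WoSign or StartCom. The issuer-name patterns, the `sample.invalid` hostname and the self-signed sample certificates are assumptions constructed for the example so it runs offline; the `fetch_chain` helper pulls a live server’s chain and needs network access.

```shell
#!/bin/sh
# Added example, not code from the Venafi post: inventory check that flags
# TLS certificate chains issued by the CAs Chrome 61 distrusts.
# Requires only the openssl command-line tool.
# Assumption: the issuer-name patterns are taken from the CA names in the
# post (WoSign and StartCom); extend the list for any CA you decide to distrust.
DISTRUSTED_ISSUERS='WoSign|StartCom'

# Print one "issuer=..." line for every certificate in a PEM bundle.
# The crl2pkcs7 | pkcs7 pipeline is the standard openssl idiom for walking a
# bundle holding the leaf plus intermediates, so every link in the chain is
# inspected rather than only the leaf.
chain_issuers() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep '^issuer='
}

# Exit status 0 when any certificate in the bundle names a distrusted issuer.
has_distrusted_issuer() {
  chain_issuers "$1" | grep -Eqi "$DISTRUSTED_ISSUERS"
}

# Fetch the chain a live server presents (leaf first). Needs network access;
# the constructed samples below do not exercise it.
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Constructed sample (assumption, not a real CA certificate): a throwaway
# self-signed certificate whose issuer organisation is $2. Being self-signed,
# issuer equals subject; it only stands in for a real chain so the check can
# run offline.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/O=$2/CN=sample.invalid" >/dev/null 2>&1
}

# Usage: sh distrusted_ca_check.sh host [port]
# Prints every issuer in the presented chain and a replace/ok verdict.
if [ "$#" -ge 1 ]; then
  bundle=$(mktemp)
  fetch_chain "$1" "$2" >"$bundle"
  chain_issuers "$bundle"
  if has_distrusted_issuer "$bundle"; then
    echo "REPLACE: $1 chains through a distrusted CA"
  else
    echo "ok: $1 does not chain through WoSign or StartCom"
  fi
  rm -f "$bundle"
fi
```

Run it against each external hostname in your inventory (or point `chain_issuers` at exported PEM bundles from internal services). The match is a case-insensitive substring on the issuer’s distinguished name, which is deliberately broad: a false positive costs a manual look, while a missed WoSign or StartCom intermediate costs a certificate that Chrome 61 will reject outright.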

How do you know when it’s critical to switch CAs? Mike Dodson, Venafi’s Senior Director of Global Solution Engineering, explains why it’s important to decide your own levels of trust for certificate authorities and why you should be prepared to move quickly when you need to.
