Google takes another step forward in rooting out certificate authority (CA) malpractice. After a lengthy investigation into a series of questionable practices, Google announced in a group post that Chrome 61 will completely blacklist certificates issued by the CAs WoSign and StartCom.
This radical action may leave some organizations scrambling to find and replace any certificates issued by the blacklisted CAs before they impede business processes or customer trust. The Google post recommends, “Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.”
Finally, the industry is waking up to the serious impact of betraying the trust that we all place in cryptographic keys and digital certificates. And Google is at the forefront of that movement. But they are not alone. Mozilla and Apple have both taken actions to distrust questionable certificate authorities, such as WoSign and its affiliate StartCom.
Early signs of suspicious behavior were discovered in August 2016 when Google caught WoSign issuing fake HTTPS certificates for GitHub domains. Later that year, Mozilla uncovered a number of back-dated SHA-1 certificates, among other questionable practices. By that point, Google, Mozilla and Apple had all begun the process of distrusting certificates issued by WoSign and StartCom.
According to ZDNet, the Chrome development team had previously “restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases.” With Chrome 61, that whitelist will be eliminated and all WoSign certificates will be blacklisted.
Here’s why the issue of the trustworthiness of certificate authorities is so important: If we can’t trust the keys and certificates that identify our machines, we can’t protect the machine-to-machine connections and communications that they enable. Consequently, if we can’t trust certificate authorities to maintain the highest standards of trust for keys and certificates, we can’t fully trust the machine identities that they control.
It’s reassuring that browser vendors are championing this standard of trust for the industry at large. But until there is a definitive standards board or other overarching way of mandating trust for keys and certificates, organizations should be prepared to take matters into their own hands and enforce rigorous security for certificates. That means they will need to maintain their own systems that let them find and remove certificates quickly, no matter who issued them or where they sit on their networks.
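The “find them quickly” part of that advice is a certificate inventory check: walk every certificate you own and flag the ones whose issuer is a CA the browsers are about to distrust. The script below is an added example, not code from the post or from Google; it uses only the Python standard library, with a minimal DER walker that pulls the issuer Name out of a certificate’s TBSCertificate and a small DER encoder that constructs unsigned, structure-only sample certificates so the check runs offline. The host names, issuer strings and sample certificates are all constructed for this example; the parser itself works on real DER from any PEM file.

```python
"""Certificate inventory check: flag PEM certificates whose issuer matches a
distrusted-CA list. Stdlib only. The DER walker, sample-certificate builder
and host names are constructed for this example (not Chrome's or a CA's code)."""
import base64
import re

# Issuer names to look for, taken from the post's subject.
DISTRUSTED_ISSUERS = ("WoSign", "StartCom")

OID_ORG = bytes.fromhex("550a")  # id-at-organizationName (2.5.4.10)
OID_CN = bytes.fromhex("5503")   # id-at-commonName (2.5.4.3)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def issuer_attributes(der):
    """Map attribute OID -> text for the issuer Name of a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # drop optional [0] version
        fields = fields[1:]
    issuer = fields[2][1]                          # serial, signatureAlg, issuer, ...
    attrs = {}
    for _, rdn in _children(issuer):               # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):              # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, val) = _children(atv)[:2]
            attrs[oid] = val.decode("utf-8", "replace")
    return attrs


def pem_to_der(pem):
    """Extract the base64 body of the first CERTIFICATE block and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def is_distrusted(pem, distrusted=DISTRUSTED_ISSUERS):
    """True if the issuer's O or CN mentions any distrusted CA name."""
    attrs = issuer_attributes(pem_to_der(pem))
    haystack = (attrs.get(OID_ORG, "") + " " + attrs.get(OID_CN, "")).lower()
    return any(name.lower() in haystack for name in distrusted)


def scan_inventory(inventory):
    """inventory: {hostname: PEM}. Returns the hostnames needing replacement."""
    return sorted(host for host, pem in inventory.items() if is_distrusted(pem))


# --- constructed sample data: minimal DER encoder, fixtures only --------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(org, cn):
    def atv(oid, text):                    # SET { SEQUENCE { OID, UTF8String } }
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))
    return _tlv(0x30, atv(OID_ORG, org) + atv(OID_CN, cn))


def build_sample_pem(issuer_org, issuer_cn, subject_cn):
    """Unsigned, structure-only certificate: enough for the parser, not a real cert."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
           + _name(issuer_org, issuer_cn) + _tlv(0x30, b"")        # validity left empty
           + _name("Example Corp", subject_cn) + _tlv(0x30, b""))  # SPKI left empty
    der = _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_INVENTORY = {   # constructed host names and certificates
    "shop.example.test": build_sample_pem("WoSign CA Limited", "WoSign Class 3 OV Server CA", "shop.example.test"),
    "mail.example.test": build_sample_pem("StartCom Ltd.", "StartCom Class 1 DV Server CA", "mail.example.test"),
    "www.example.test": build_sample_pem("Example Trust Services", "Example Issuing CA 1", "www.example.test"),
}

if __name__ == "__main__":
    for host in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: replace before Chrome 61 distrusts its issuer")
```

In practice the inventory dict would be filled from your own sources (web server configuration, load balancers, a certificate management system, or a scan of listening TLS endpoints), and the distrusted list would track each browser vendor’s announcements rather than a hard-coded pair of names. Matching on the issuer’s organization and common name is deliberately loose so that intermediate CAs operated under a distrusted root are caught too.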