Google, Firefox and Apple Distrust WoSign and StartCom Certificates in 2017

Time to switch if you use a StartCom (StartSSL) or WoSign certificate!

Mozilla announced on 24 Oct 2016 that beginning with Firefox 51, certificates issued by WoSign and StartCom will be distrusted.

Google also announced on 31 Oct 2016 that, beginning with Chrome 56 in January 2017, Chrome will distrust certificates issued by WoSign and StartCom, certificate authorities that cannot adhere to the standards expected of certificate authorities.

Both companies have publicly stated that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. They also faulted the handling of WoSign’s acquisition of StartCom: WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship between the two companies.

The most serious problem is WoSign’s misissuance. GitHub’s security team notified Google on 17 Aug 2016 that WoSign had issued a certificate for one of GitHub’s domains without their authorization. Google then worked with Mozilla and the security community, who found many similar cases.

Mozilla in particular released a 13-page report explaining the serious problems caused by WoSign and StartCom. Mozilla discovered that WoSign was backdating SSL certificates in order to circumvent the deadline requiring CAs to stop issuing SHA-1 SSL certificates by 1 Jan 2016.

Google said that, beginning with Chrome 56, it will distrust WoSign and StartCom certificates issued after 21 Oct 2016. Certificates issued before this date may continue to be trusted if they comply with the Certificate Transparency in Chrome policy.
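To see which of your own certificates fall under the Chrome rule above, the following added example (not code from the original article or from any browser vendor) classifies certificates given in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns. The host names, sample certificates, substring issuer matching and the midnight-UTC cut-off time are assumptions of this example.

```python
import ssl
from datetime import datetime, timezone

# CA names come from the article; substring matching on the issuer is an
# assumption of this example, not how any browser implements the policy.
DISTRUSTED_CA_NAMES = ("wosign", "startcom")
# The article gives only the date; midnight UTC is assumed here.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def issuer_text(cert):
    """Flatten the issuer RDNs of a getpeercert()-style dict into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def classify(cert):
    """Return 'not-affected', 'distrusted' or 'needs-ct' for one certificate."""
    issuer = issuer_text(cert).lower()
    if not any(name in issuer for name in DISTRUSTED_CA_NAMES):
        return "not-affected"
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    # notBefore is asserted by the CA (the article describes backdating), so
    # 'needs-ct' means "check Certificate Transparency", not "safe".
    return "distrusted" if not_before > CUTOFF else "needs-ct"


def make_cert(org, cn, not_before):
    """Build a constructed sample in the getpeercert() dict layout."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}


# Constructed inventory: host names, issuer names and dates are made up for the demo.
SAMPLES = {
    "shop.example": make_cert("WoSign CA Limited", "WoSign CA Free SSL Certificate G2",
                              "Mar 15 00:00:00 2016 GMT"),
    "blog.example": make_cert("StartCom Ltd.", "Sample StartCom Server CA",
                              "Nov 05 12:00:00 2016 GMT"),
    "api.example": make_cert("Example Trust Services", "Example Issuing CA",
                             "Nov 05 12:00:00 2016 GMT"),
}


def audit(inventory):
    """Map each host to its classification so replacements can be prioritised."""
    return {host: classify(cert) for host, cert in inventory.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host}: {verdict}")
```
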

Apple announced it would block certificates issued by the WoSign CA Free SSL Certificate G2 intermediate CA.

When we talk about SSL certificates, security and safety are the most important things. Buying SSL certificates from a certificate authority (CA) that does not comply with international standards, or using free SSL, is not a good option. It will not only put your site and customer data at risk, but is also more likely to cause your site to show security errors and scare away your customers.

Reference:
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
https://support.apple.com/en-us/HT204132