Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October. Chrome security engineer Devon O'Brien, in a Google Groups post on Thursday, said Google last year began limiting its trust of certificates backed …
My sentiments exactly. I used to love startcom, but I've been removing wosign and starcom certificates manually since this story originally broke out.
One thing - I'm sure I'm not the only one to ignore "this site is untrusted" messages on sites I don't deem important. They need another message for cases like this.
It's the difference between "untrusted" and "distrusted" - the former meaning no trust exists, the latter means trust explicitly revoked.
That's too subtle for a warning message, but something like "This is an evil fraudulent site and if you continue to view it, you'll probably crash the internet" ... or something!
Chinese pinyin for 'I' is 'wǒ'. Anybody remember if in the "product trademarking wars" Chinese companies simply tried working around the trademarks by using 'wophone', 'wopad', etc.? wophone.com seems null-terminated. (Mebbe Apple bought it?) wopad.com is for sale. wophone.net is too. Guess discerning customers wanted the "real thing" or not at all.
How long until some crank at the EU decides that Google is abusing it's position in the browser market by causing companies which behave unethically to be shut down (as its not likely startcom will survive this).
Obviously Google and the others are doing the correct thing here; but some EU idiot will decide to get a promotion by fining them billions again.
An no I didn't vote for brexit.
There will be certificate holders in the EU who have used those companies. And going by some of the rulings the EU's "experts of the interwebs" have made in the past; any lost traffic will be Google's fault "due to their abuse of a dominant position in blah blah blah".
Although I suppose any lost traffic to a site using one of those certs (a legit cert) would be the fault of Google (they blocked it); obviously the CA is to blame really for being an arse.
Bloody ages if the affected entities are not complying with obvious independently created security standards not just upsetting Google.
I agree, they're probably OK as it's not Google (alone) who've set the standard.
It does raise an interesting question though (albeit largely hypothetical). Google is currently at odds with the rest of the CAB Forum on the subject of certificate validity periods. They've just been reduced to around 2 years max, but Google wanted 13 months in their ballot (which got voted down).
It wasn't so much the period, as how quickly Google wanted to switch that the other members objected to AIUI.
So, if Google were to go it a alone, and simply distrust anything older than 13 months in Chrome, at what point would that be considered an abuse of domination, if at all?
They haven't actually shown any sign of intending to do that, and it'd be a bloody stupid thing for them to do (though if they did, it'd more or less force the industry to comply), but I thought it was an interesting thought exercise.
I got a response from support several weeks ago about this issue and how my secure sites to which I direct some of my customers were starting so show as insecure in Chrome. I was hoping this mess would be sorted by now, but apparently what I have to do is purchase a certificate which will have all of my certificates combined and signed by what is and will continue to be a trusted root, then they will re-issue all of my affected certificates once the root distrust issue is resolved.
Well, damn.
Initially I thought that maybe those words would only apply to non-Chinese country activities, but then I checked out this page and found that Google is 3/5ths the Chinese market in browser share.
There is a "local" browser version, Sogou explorer, which, of course, snoops on its users, but I would have thought Chinese users would have much more use for China-made browsers.
Instead, Google has that market pretty much sewn up as well. Sheesh.
So, what's Firefox/Mozilla gonna do now? Or even Micro-shaft? Also haven't heard anything regarding Opera or Safari. It's not like Google runs THOSE projects, but will they follow Google's example?
And I expect you could _STILL_ re-add the root certs for those CAs yourself, if you want them... (the same kind of process by which you'd add a self-signing CA or a "network appliance" CA)
Sheez, I don't know. If only there was clue in the article.
"Consequently, Apple, Mozilla, and Google announced plans to gradually stop trusting WoSign and StartCom certificates, in order to minimize disruptions to those with websites utilizing the condemned certs."
Seriously, can we have a RTFA icon?
Ask Jeeves? Dogpile? Stuff your newfangled search engines. I'm still using some guy's carefully-maintained list of useful and interesting pages on the world wide web.
You laugh, but 90s nostalgia is the new hot thing, and Google will soon feel the heat from upcoming Gen Z-ers rejecting them and going back to the old ways. You mark my words!!
Joking aside, I'm sure there are some would-be hipster ****s- the same ones using typewriters and shitty old bikes- doing this because they think it's cool^w^w^w^w insert rationalisation about how doing it this way helps you focus on important sites and think about what you're doing.
It also shows how small and manageable the web was in the early days that these sort of lists were not only A Thing, but taken seriouisly. You'd go back to the whole thing now and realise how primitive and limited it was, but it was pretty amazing at the time!
Yet both WoSign and StartCom still seem to be selling certs, if their sites are any indication. I am confused. Do they expect to somehow still turn this around? Are they just going to grab as much money as they still can before collapsing even if they know their certs are soon to be useless in Chrome (and already are in other browsers if I read stories about this right?)
I guess even in a "communist" country capitalism has the same perverse logic.
I've just noticed via the WoSign website that DigiCert's High Assurance Root has been used to sign an intermediate certificate for WoSign. I'm appalled DigiCert would negotiate with this company. Both WoSign and its newly-acquired StartCom (whom I routinely advised clients to have no dealings with) have proven time and time again that they are not worthy of trust.
Very disappointed as DigiCert is my preferred CA. Hopefully they'll be policing them heavily.
On most platforms, Chrome uses the operating system's certificate stores. If I tell my computer that I want to trust StartCom, why would Google countermand that and make browsing sites that use their certificates so highly inconvenient? Earlier this year, Google got into the CA business and StartCom and WoSign are now their competition. These companies are small compared to Symantec's CA which, through acquisition (VeriSign, Thawte, etc.), has issued certificates to almost 30% of the Web, and Google has already announced plans to deprecate trust in them, too. The antitrust sueballs are ready to be loaded into the trebuchet.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
