WoSign certificates: What happens when Google Chrome removes trust?

Google Chrome has started removing trust in certificates issued by WoSign. Matthew Pascucci explains this decision and what it means for companies using WoSign certificates.

Google Chrome removed trust in the certificate authority WoSign in September. What is behind this move, and what does it mean for companies using WoSign certificates?

The certificate authority WoSign and its subsidiary StartCom are no longer trusted by Google as of the Chrome 61 release. Over the past year, Google has slowly been phasing out trust in StartCom and WoSign certificates, and as of September 2017, that trust has been removed entirely.

For a certificate authority (CA), being trusted by the browsers is mandatory for the business to survive; without the support of Chrome and the other browsers, WoSign is in danger.

Google Chrome isn't the only browser taking a stance against WoSign certificates: the other large web browsers have either deprecated support for them or are in the midst of removing them. Microsoft, Mozilla and Apple have likewise taken action against WoSign for what is being described as continued negligent security practices by the Chinese company. The only browser not currently taking action against WoSign is Opera -- though it should be noted that Opera was purchased last year by a Chinese investment consortium named Golden Brick Silk Road.

There are many reasons the major web browsers consider WoSign certificates unsafe. The issues include back-dating; SHA-1 certificates with long validity periods; certificates that are identical except for their NotBefore date; and certificates with duplicate serial numbers.

Google has gone back and forth with WoSign regarding these issues, and WoSign released a statement regarding how they're handling the situation.

As part of the process, Qihoo 360, a Chinese security technology company and the majority owner of WoSign, agreed last year to replace WoSign CEO Richard Wang as a show of good faith that it wanted a better understanding of the industry and to regain trust from the large certificate authorities. This does not appear to have happened: WoSign still hasn't named a new CEO, and Wang has continued working with the company in a different role.

WoSign has also said it recently passed a security assessment, and it is asking to remain a trusted CA. This is unlikely to turn things around; it may be too little, too late for the Chinese CA.

WoSign issues certificates for free, and partly because of that it appears to have a large user base in China. If you're a customer of WoSign or StartCom, you should replace your certificate with one from a provider that is fully trusted. If you don't switch, you can expect failures in communication, VPN connections or access to sites that still use these certificates on their web servers.

The distrust of WoSign is nothing new, as the major browsers have been moving away from it for some time; many sites may already be seeing the effects and have hopefully moved on to a new provider. If not, I'd highly recommend that you do so soon.
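A practical way to act on the advice above is to triage your own certificate inventory for the issuer and the specific defects listed earlier (distrusted issuer, long-lived SHA-1 signatures, certificates identical except for NotBefore, duplicate serial numbers). The script below is an added example, not code from the article or from any browser vendor; it works on plain records whose fields mirror what `openssl x509 -noout -issuer -subject -serial -dates` and the "Signature Algorithm" line of `openssl x509 -text` report, and the sample inventory, its issuer names, serials and key fingerprints are constructed for illustration. The 2016-01-01 cut-off is the CA/Browser Forum Baseline Requirements date after which CAs were no longer allowed to issue SHA-1 certificates.

```python
"""Triage a certificate inventory for the WoSign/StartCom problems described in the article.

Added example (not the article's own code). Records are constructed below; in practice
you would fill them from `openssl x509 -noout -issuer -subject -serial -dates` output.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Issuer organisations distrusted by Chrome 61 and the other major browsers.
DISTRUSTED_ISSUERS = ("WoSign", "StartCom")
# Signature algorithms that use SHA-1 (names as OpenSSL prints them).
SHA1_SIGNATURE_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}
# Baseline Requirements: no new SHA-1 certificates may be issued from this date on.
SHA1_ISSUANCE_BAN = datetime(2016, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    issuer_org: str      # O= component of the issuer DN
    subject_cn: str      # CN= component of the subject DN
    serial: str          # serial number in hex, as `openssl x509 -serial` prints it
    not_before: datetime
    not_after: datetime
    sig_alg: str         # "Signature Algorithm" line from `openssl x509 -text`
    spki_sha256: str     # fingerprint of the subject public key (constructed values below)

    def label(self) -> str:
        return f"{self.subject_cn}/{self.serial}/{self.not_before:%Y-%m-%d}"


def check_inventory(certs, now):
    """Return {label: sorted reasons} for every certificate that trips at least one check."""
    findings = defaultdict(set)

    # 1. Issuer that the browsers have distrusted outright.
    for c in certs:
        if any(name in c.issuer_org for name in DISTRUSTED_ISSUERS):
            findings[c.label()].add("issuer distrusted (WoSign/StartCom)")

    # 2. SHA-1 signatures: still valid at `now`, or dated after the issuance ban.
    for c in certs:
        if c.sig_alg in SHA1_SIGNATURE_ALGS:
            if c.not_after > now:
                findings[c.label()].add("SHA-1 signature still valid")
            if c.not_before >= SHA1_ISSUANCE_BAN:
                findings[c.label()].add("SHA-1 certificate dated after the 2016-01-01 issuance ban")

    # 3. Duplicate serial numbers under one issuer (a serial must be unique per CA).
    by_serial = defaultdict(list)
    for c in certs:
        by_serial[(c.issuer_org, c.serial)].append(c)
    for group in by_serial.values():
        if len(group) > 1:
            for c in group:
                findings[c.label()].add("duplicate serial number under same issuer")

    # 4. Same issuer, subject, key, expiry and algorithm, but more than one NotBefore:
    #    the "identical except for NotBefore" pattern that suggests back-dating.
    by_content = defaultdict(list)
    for c in certs:
        by_content[(c.issuer_org, c.subject_cn, c.spki_sha256, c.not_after, c.sig_alg)].append(c)
    for group in by_content.values():
        if len({c.not_before for c in group}) > 1:
            for c in group:
                findings[c.label()].add("identical certificate except NotBefore (back-dating indicator)")

    return {label: sorted(reasons) for label, reasons in findings.items()}


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory: issuer names, hostnames, serials and fingerprints are made up.
SAMPLE_INVENTORY = [
    CertRecord("Example Trusted CA", "www.example", "01", _utc(2017, 1, 10), _utc(2018, 1, 10),
               "sha256WithRSAEncryption", "spki-aaaa"),
    CertRecord("WoSign CA Limited", "shop.example", "2A", _utc(2015, 12, 20), _utc(2019, 12, 20),
               "sha1WithRSAEncryption", "spki-bbbb"),
    CertRecord("WoSign CA Limited", "shop.example", "2B", _utc(2016, 2, 1), _utc(2019, 12, 20),
               "sha1WithRSAEncryption", "spki-bbbb"),
    CertRecord("StartCom Ltd.", "mail.example", "0F", _utc(2017, 3, 1), _utc(2018, 3, 1),
               "sha256WithRSAEncryption", "spki-cccc"),
    CertRecord("StartCom Ltd.", "vpn.example", "0F", _utc(2017, 3, 2), _utc(2018, 3, 2),
               "sha256WithRSAEncryption", "spki-dddd"),
]

# Reference date close to the Chrome 61 release that removed trust.
REFERENCE_DATE = _utc(2017, 10, 1)

if __name__ == "__main__":
    for label, reasons in sorted(check_inventory(SAMPLE_INVENTORY, REFERENCE_DATE).items()):
        print(label)
        for reason in reasons:
            print("   -", reason)
```

The clean certificate from the constructed "Example Trusted CA" produces no findings, while every WoSign and StartCom record is flagged for its issuer alone; the additional reasons show which of the article's specific defects each one exhibits, which is useful when prioritising what to replace first.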



This was last published in October 2017
