Sunday, January 28, 2018

WoSign certificates: What happens when Google Chrome removes trust?

The certificate authority WoSign and its subsidiary StartCom are no longer trusted by Google as of the Chrome 61 release. Over the past year, Google has slowly been phasing out trust for StartCom and WoSign certificates, and as of September 2017, trust has been completely removed.

As a certificate authority (CA), having the support of browsers is mandatory for your business to thrive, and without the support of Chrome and other browsers, WoSign is in danger.

Google Chrome isn't the only browser taking a stance against WoSign certificates; other large web browsers have either deprecated support for them or are in the midst of removing them. Microsoft, Mozilla and Apple are likewise taking action against WoSign for what's being called continued negligent security practices by the Chinese company. The only browser currently not taking action against WoSign is Opera, though it should also be noted that Opera was purchased last year by a Chinese investment consortium named Golden Brick Silk Road.

There are many reasons WoSign certificates are considered unsafe by the major web browsers. These issues include back-dating and SHA-1 certificates with long lives; identical certs, except for NotBefore; and certificates with duplicate serial numbers.
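The three issue types listed above can be checked mechanically over an inventory of certificate metadata. The following is an added example, not code from the article or from any browser vendor: the field names and sample rows are constructed, `first_seen` is assumed to be the earliest independent sighting of a certificate (for instance a Certificate Transparency log timestamp), and the cutoff is the CA/Browser Forum date after which new SHA-1 certificates were no longer allowed.

```python
from collections import defaultdict
from datetime import date

# CA/Browser Forum Baseline Requirements: no new SHA-1 certificates from this date.
SHA1_CUTOFF = date(2016, 1, 1)
FIELDS = ("id", "serial", "subject", "key", "sig_alg",
          "not_before", "not_after", "first_seen")

# Constructed sample rows for one hypothetical issuer, not real certificates.
ROWS = [
    ("A", "01", "a.example", "k1", "sha1", date(2015, 12, 20), date(2018, 12, 20), date(2016, 3, 2)),
    ("B", "02", "b.example", "k2", "sha256", date(2016, 5, 1), date(2017, 5, 1), date(2016, 5, 1)),
    ("C", "02", "c.example", "k3", "sha256", date(2016, 5, 3), date(2017, 5, 3), date(2016, 5, 3)),
    ("D", "03", "d.example", "k4", "sha256", date(2016, 6, 1), date(2017, 6, 10), date(2016, 6, 1)),
    ("E", "04", "d.example", "k4", "sha256", date(2016, 6, 2), date(2017, 6, 10), date(2016, 6, 2)),
    ("F", "05", "f.example", "k5", "sha1", date(2015, 6, 1), date(2016, 6, 1), date(2015, 6, 1)),
]
CERTS = [dict(zip(FIELDS, row)) for row in ROWS]


def audit(certs):
    """Return sorted (finding, cert ids) tuples for certificates of a single issuer."""
    findings = []
    by_serial = defaultdict(list)
    by_body = defaultdict(list)
    for c in certs:
        by_serial[c["serial"]].append(c)
        # Everything compared here except NotBefore.
        body = (c["subject"], c["key"], c["sig_alg"], c["not_after"])
        by_body[body].append(c)
        # SHA-1 cert dated before the cutoff but never observed until after it:
        # consistent with back-dating, so flag it for manual review.
        if (c["sig_alg"] == "sha1" and c["not_before"] < SHA1_CUTOFF
                and c["first_seen"] >= SHA1_CUTOFF):
            findings.append(("possible-backdated-sha1", (c["id"],)))
    for group in by_serial.values():
        if len(group) > 1:  # a CA must never reuse a serial number
            findings.append(("duplicate-serial", tuple(sorted(g["id"] for g in group))))
    for group in by_body.values():
        if len({g["not_before"] for g in group}) > 1:
            ids = tuple(sorted(g["id"] for g in group))
            findings.append(("identical-except-notbefore", ids))
    return sorted(findings)


if __name__ == "__main__":
    for finding, ids in audit(CERTS):
        print(finding, ", ".join(ids))
```

A gap between `not_before` and `first_seen` is only an indicator: a certificate can legitimately go unobserved for months, so a flagged row is a prompt for review rather than proof of back-dating.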

Google has gone back and forth with WoSign regarding these issues, and WoSign released a statement regarding how they're handling the situation.

As part of the process, Qihoo 360, a Chinese security technology company and majority owner of WoSign, agreed last year to replace WoSign CEO Richard Wang as a show of faith that they're looking to get a better understanding of the industry and regain trust from the large certificate authorities. It seems this wasn't done; WoSign still hasn't named a new CEO, and Wang has continued working at the company in a different role.

Also, WoSign said it recently passed a security assessment, and it is calling to remain a trusted CA. It's not likely that this will turn things around; it might be too little, too late for the Chinese CA.

WoSign has a free certificate authority and, due to this, there seems to be a large user base in China. If you're a customer of WoSign or StartCom, then it would be beneficial to replace your certificate with a provider that's fully trusted. If a switch is not made, issues with communication, VPNs or connecting to sites that are using these certificates on their web servers could occur.

Read the rest of the article here: http://searchsecurity.techtarget.com/answer/WoSign-certificates-What-happens-when-Google-Chrome-removes-trust
