Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Google Chrome Stops Accepting Certificates From 2 CAs

    By
    JAIKUMAR VIJAYAN
    -
    November 2, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Google Chrome

      Tens of thousands of websites using digital certificates issued by two certificate authorities to verify their online identities have been affected by a Google decision this week to discontinue trusting those certificates because of concerns over their validity.

      In a blog post Oct. 31, Google said that its Chrome browser would stop trusting any certificate issued after Oct. 21 by Chinese certificate authority WoSign and Israel-based CA StartCom.

      Certificates issued by the two CAs before this date may continue to be trusted for a limited time, but only if the certificates comply with Google’s requirements for digital certificates in Chrome, or are being used by known customers of the CAs, the company said.

      Google is the third major browser maker to announce that it would no longer trust certificates from the two CAs. Apple and Mozilla announced similar decisions a few days ago.

      Andrew Whalley, a member of Google’s Chrome security team, said the company’s decision follows an investigation into WoSign and StarCom’s certificate issuance processes that it conducted along with Mozilla and members of the broader security community.

      “The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements,” Whalley said in the blog post.

      The investigation also showed that WoSign had quietly acquired StartCom and replaced the latter’s infrastructure, policies and issuance systems with its own, without notifying the browser community of the development. Instead, executives from WoSign and StartCom actively tried to hide the relationship, Whalley said, without saying how that might have benefited either CA.

      In a blog post last month, Mozilla said the investigation showed WoSign intentionally backdated certain Secure Sockets Layer (SSL) certificates so it could continue issuing them even after Jan. 1, 2016—the deadline for CAs to stop issuing the certificates.

      Mozilla also noted the active efforts by executives from WoSign and StartCom to deny the relationship between the two companies until they were forced to acknowledge it when presented with evidence. “The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates,” issued by the two companies, the blog posting noted.

      When a Chrome, Safari or Firefox user accesses a website that uses digital certificates issued by WoSign or StartCom, they will receive an alert saying the sites cannot be trusted or that their identities cannot be verified.

      Initially, Google Chrome 56 will only stop trusting WoSign and StartCom certificates issued after Oct. 21. But future versions of the browser will stop trusting certificates issued by the two companies entirely. The staged approach is designed to give websites using certificates from the two to move to other CAs, Whalley said.

      Arian Evans, vice president of product strategy at security firm RiskIQ, said the company’s global index shows that 762,649 websites currently use digital certificates from WoSign and StartCom.

      People visiting these websites will see a “Secure Connection Failed” browser warning, he said in a blog post this week.

      Sites that continue using inadmissible SSL certificates could be exposed to several security threats, including man-in-the-middle attacks, domain squatting and situations where visitors are redirected to phishing and other malicious sites, Evans said.

      In a statement posted on Oct. 24 and then updated Nov. 1 after Google’s decision, WoSign said it would continue to carry out a thorough investigation and internal audit on all its systems. The company claimed it would also build what it described as an internal standards research team to ensure that its operations confirm to international standards going forward. Employees will be required to work within those policies or face punishment, the statement claimed.

      “Although Mozilla’s sanctions are too severe … WoSign accept[s] it,” the statement said.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×