Tens of thousands of websites using digital certificates issued by two certificate authorities to verify their online identities have been affected by a Google decision this week to discontinue trusting those certificates because of concerns over their validity.
In a blog post Oct. 31, Google said that its Chrome browser would stop trusting any certificate issued after Oct. 21 by Chinese certificate authority WoSign and Israel-based CA StartCom.
Certificates issued by the two CAs before this date may continue to be trusted for a limited time, but only if the certificates comply with Google’s requirements for digital certificates in Chrome, or are being used by known customers of the CAs, the company said.
Google is the third major browser maker to announce that it would no longer trust certificates from the two CAs. Apple and Mozilla announced similar decisions a few days ago.
Andrew Whalley, a member of Google’s Chrome security team, said the company’s decision follows an investigation into WoSign and StarCom’s certificate issuance processes that it conducted along with Mozilla and members of the broader security community.
“The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements,” Whalley said in the blog post.
The investigation also showed that WoSign had quietly acquired StartCom and replaced the latter’s infrastructure, policies and issuance systems with its own, without notifying the browser community of the development. Instead, executives from WoSign and StartCom actively tried to hide the relationship, Whalley said, without saying how that might have benefited either CA.
In a blog post last month, Mozilla said the investigation showed WoSign intentionally backdated certain Secure Sockets Layer (SSL) certificates so it could continue issuing them even after Jan. 1, 2016—the deadline for CAs to stop issuing the certificates.
Mozilla also noted the active efforts by executives from WoSign and StartCom to deny the relationship between the two companies until they were forced to acknowledge it when presented with evidence. “The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates,” issued by the two companies, the blog posting noted.
When a Chrome, Safari or Firefox user accesses a website that uses digital certificates issued by WoSign or StartCom, they will receive an alert saying the sites cannot be trusted or that their identities cannot be verified.
Initially, Google Chrome 56 will only stop trusting WoSign and StartCom certificates issued after Oct. 21. But future versions of the browser will stop trusting certificates issued by the two companies entirely. The staged approach is designed to give websites using certificates from the two to move to other CAs, Whalley said.
Arian Evans, vice president of product strategy at security firm RiskIQ, said the company’s global index shows that 762,649 websites currently use digital certificates from WoSign and StartCom.
People visiting these websites will see a “Secure Connection Failed” browser warning, he said in a blog post this week.
Sites that continue using inadmissible SSL certificates could be exposed to several security threats, including man-in-the-middle attacks, domain squatting and situations where visitors are redirected to phishing and other malicious sites, Evans said.
In a statement posted on Oct. 24 and then updated Nov. 1 after Google’s decision, WoSign said it would continue to carry out a thorough investigation and internal audit on all its systems. The company claimed it would also build what it described as an internal standards research team to ensure that its operations confirm to international standards going forward. Employees will be required to work within those policies or face punishment, the statement claimed.
“Although Mozilla’s sanctions are too severe … WoSign accept[s] it,” the statement said.