Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Chrome The Internet Communications Firefox Google Mozilla Network Security News Apple Technology

Google Joins Mozilla and Apple In Distrusting WoSign and StartCom Certificates (csoonline.com) 86

itwbennett quotes a report from CSO Online: Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by certificate authorities WoSign and StartCom because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the two authorities after October 21. Browsers rely on digital certificates to verify the identity of websites and to establish encrypted connections with them. Certificates issued before October 21 will continue to be trusted as long as they're published to the public Certificate Transparency logs or have been issued to a limited set of domains owned by known WoSign and StartCom customers. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," said Chrome security team member Andrew Whalley in a blog post Monday. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56. Sites that find themselves on the whitelist will be able to request early removal once they've transitioned to new certificates," Whalley said. "Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust."
This discussion has been archived. No new comments can be posted.

Google Joins Mozilla and Apple In Distrusting WoSign and StartCom Certificates

Comments Filter:
  • by Anonymous Coward

    Yet Symantec continues to be trusted? Despite being caught issuing fake Google certs?
    https://www.eff.org/deeplinks/2015/09/symantec-issues-rogue-ev-certificate-googlecom

    And then there is BlueCoat, the certificate they issued them to let BlueCoat fake practically any certificate... but hey, it was for "security" right? So that BlueCoat could run anti-virus checks on encrypted data for companies, while somehow the company couldn't simply add BlueCoat to the trusted authorities list? And in no way was that cov

    • by lucm ( 889690 )

      And then there is BlueCoat, the certificate they issued them to let BlueCoat fake practically any certificate... but hey, it was for "security" right? So that BlueCoat could run anti-virus checks on encrypted data for companies, while somehow the company couldn't simply add BlueCoat to the trusted authorities list? And in no way was that cover for TLS interception by men in uniforms?

      At work they use a Bluecoat proxy. They configured that magnificent product to decrypt outgoing SSL on-the-fly and reencrypt it on the inside with fake SSL certificates. That way the "security" team can spy on encrypted traffic (such as my gmail password).

      In case you suspect your employer of doing the same thing, here's something I noticed. They apparently can't spoof issuers on the fly and there's too many of them to prepare in advance, so they use the same fake issuer for every single certificate. Corpora

    • Certificates expire for a very technical reason: they can be trusted because we assume the encryption on which they are based is unbreakable. However, given enough computational power you can break all certificates; they are unbreakable because we believe there is NOT enough computational power to break them. Since computational power available is increasing, certificates issued a few years ago are useless sequences of bits, even though they were very trustworthy at the time they were issued.
  • We have had Starcom certificates because they seem to be the only ones giving out free SSL certificates for websites.

    Is there someone else doing this for free? No, we really can't buy them in our country and current situation.

    • by Anonymous Coward

      maybe letsencrypt can help you.
      https://letsencrypt.org/

      • by jez9999 ( 618189 )

        Which sucks if you don't want to install their fucking software on your machine to update the certificate every 5 minutes because they refuse to issue annual ones.

    • Well there's also WoSign... OH WAIT.

      Nope, both of the sensible free options are killed now, everyone wanting free certs is being funneled into the Let's Encrypt bullshit.

  • This is terrible. Now there is only Let's Encrypt to get free SSL certs, which basically requires you to install their software on your machine to renew your certs because their expiry time is so ludicrously short.

    Fuck you Google (and fuck you Mozilla, Google's lapdogs). I personally can use Pale Moon, but there's nothing I can do about the hordes using Chrome. :-(

    • by AmiMoJo ( 196126 )

      What's the point of a free SSL cert if it can't be trusted? The whole point of having it is to establish trust that you are who you say you are.

      • by thebes ( 663586 )

        Correction: the free certs only vouch that you admin the domain name, nothing more. That is not the same as trusting an individual or organization

        • by jez9999 ( 618189 )

          Yeah but that's useful. I don't always need to "trust an individual or organization", sometimes I just want to be sure I'm really connecting to the proper server(s) for that domain.

      • by Anonymous Coward

        Trust and encryption should be two different things, however. I find it funny that people berate those using self-signed certs citing trust issues, but will happily browse non-https sites as if that's more trustworthy. I may be in the minority, but I'd rather see some form of self-signed certs be 'allowed' so that we can at least move to a more secure browsing experience. Yes, it's still up to the user to decide if the site is actually trustworthy but that's now really much different than it is now. However

    • Fuck you Google (and fuck you Mozilla, Google's lapdogs).

      You need to update your conspiracy theories. The paranoid series of twisted, ignorant logic that was once used to make this statement was utterly undermined when Mozilla stopped taking search referral money from Google.

      • by jez9999 ( 618189 )

        Get back to me on that when Mozilla shut up shop, and officially tell their users to just install Chrome. Probably when Firefox's market share is at 1 or 2 percent. I predict that's exactly what they'll do. They've been on that trajectory for years now.

  • Yeah right. Google feels fit to declare what sites you may and may not browse, but be assured that they will still crawl those sites and correlate any links, email addresses, phone numbers etc they find there.

    Google, the ultimate nanny state.
  • I currently use StartCom certificates for my personal web server and email server (no, not related to Hillary). But I also use their client certificates (S/MIME).

    I also use a backup MX service for my mail server, but recently that has changed hands and the price has started to go up.

    So it would be nice to find a one stop shop to fill these needs:
    1. Backup MX service (possibly with spam filtering service)
    2. SSL certificate for a single domain (no wildcards, single server name is

    • by heypete ( 60671 )

      I don't know of any one-stop-shop (certificate issuance and backup MX service are pretty orthogonal to each other), but there's plenty of CAs out there that will issue you certificates.

      This Comodo reseller [ssls.com] sells PositiveSSL certs for ~$5/year with a validity time up to 3 years. That's about as cheap as you can get. They also offer (for the next few weeks, at least) GeoTrust, Symantec, and Thawte certs, but the costs for those are higher and they'll stop selling them in December. Comodo offers free S/MIME ce [comodo.com]

All great discoveries are made by mistake. -- Young

Working...