Google’s upcoming release Google 61 browser is expected to untrust two of Chinese SSL providers “WoSign and StartCom” due to not maintaining the expected highg stadards of CAs. As a result, issues certificates from both CAs will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy. This is inline with recent similar annoucements issued by both Apple and Mozilla to also distrust certificates for both CAs.
According to report from Whalley:
“The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign’s.
When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.”
What this implies now is beginning with Google Chrome 56, all issued certificates from both WoSign and StartCom after October 21, 2016 00:00:00 UTC will no longer be trusted. So for exisitng customers using these certifices, certificates issued before this date may continue to be trusted, for a time, if they both certs comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.