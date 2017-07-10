Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com) 23

Posted by msmash from the tightening-bolts dept.
Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.

  • I'm glad there are people willing to stand up to corporate misbehavior. Now if only we could get some better way of doing revocation checks.

    • It's called Let's Encrypt. Use it, love it. 90 Day certs, full automatic signing and updating. Built-in support in most distributions (even pfsense has a package now).

      If you are paying for anything other than an EV certificate you're an idiot.

      • Just a thumbs-up for Let's Encrypt. Fantastic service and super easy to set up and have it fully automated, so the short-lived certs are not an issue. It automatically takes care of itself if configured properly.

      • Re: (Score:2)

        by dgatwood ( 11270 )

        I use Let's Encrypt, too. HATE it.

        • It has to automatically update your web server configuration files because the maximum certificate validity period is too d**n short to manually update your server. (That was a show-stopper for me. I don't trust anybody modifying my insanely complex Apache config files, after several tools barfed horribly over the years.)
        • As a result of that flawed design decision, they also made the design decision to cut corners and run it as root by default. That was also a show-st

        • Re: (Score:2)

          by guruevi ( 827432 )

          Sorry, but you are an idiot. There are plenty of alternative clients for the ACME protocol, plenty of them run without root access. I have never needed to run as root and the LE client also doesn't modify my web server configs. All the client does is update the certificate every so often and then tests the configuration before deploying it. It took me all of ~10 lines to get it to work the way I want it.

          Your Apache scripts shouldn't be so complex that they become un-editable, do you even know what they do?

  • What's the motive for wosign? (Score:3)

    by interkin3tic ( 1469267 ) on Monday July 10, 2017 @06:04PM (#54781513)
    I don't know much about CAs. TFA says wosign issued bad certificates for github, and there were other issues. Is this incompetence or malice? Were they just overeager to sell certificates, are they catering to criminals, or is this likely to be some type of state-sponsored conspiracy to spy on secure websites?

  • Anyone else find it odd that the whitelist depends on the version? Like they hardcoded it?

