Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)
Google has warned that all certificates issued by Chinese company WoSign and its subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. For those older certificates, the Chrome development team has further restricted trust through a whitelist of hostnames based on the Alexa Top 1 Million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 ships, Chrome will fully distrust the existing WoSign and StartCom root certificates and every certificate chaining to them, regardless of issuance date or hostname.
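The staged distrust described above (date cutoff, then a shrinking per-release hostname whitelist, then full distrust in Chrome 61) is easy to get wrong when reasoning about which of your certificates will break in which release. The following is an added model of that policy, written for this page and not taken from Chrome's source: real Chrome identifies the roots by the hash of their public keys rather than by issuer name, its whitelist was derived from the Alexa Top 1 Million, and the exact release in which the date cutoff first took effect is an assumption here. The issuer strings, the whitelist contents and the version numbers other than 61 are placeholders.

```python
"""Model of Chrome's staged distrust of the WoSign/StartCom roots.

Added illustration, not Chrome's code. Roots are matched on issuer name
(Chrome matches on public-key hashes), the whitelist is a constructed
stand-in for the Alexa-derived list, and PHASE_OUT_VERSION is assumed.
"""
from dataclasses import dataclass
from datetime import datetime

# Date from Google's announcement: certificates whose notBefore is on or
# after this are not trusted by any release that applies the phase-out.
CUTOFF = datetime.fromisoformat("2016-10-21T00:00:00+00:00")

# From the announcement: first release that distrusts both CAs entirely.
FULL_DISTRUST_VERSION = 61
# Assumed for this model: first release applying the date-based restriction.
PHASE_OUT_VERSION = 56

# Issuer names standing in for the affected roots (hypothetical strings).
DISTRUSTED_ROOT_ISSUERS = {
    "CN=Certification Authority of WoSign",
    "CN=StartCom Certification Authority",
}

# Constructed per-release whitelist. The real list was pruned over
# successive releases; here each later version keeps fewer hosts and the
# last entry is empty, so trust drains away before the full distrust.
WHITELIST_BY_VERSION = {
    56: {"example.com", "example.net", "example.org"},
    57: {"example.com", "example.net"},
    58: {"example.com"},
    59: {"example.com"},
    60: set(),
}


@dataclass
class Cert:
    subject_host: str      # hostname the leaf certificate is for
    root_issuer: str       # issuer name of the root the chain ends in
    not_before: datetime   # notBefore of the leaf (timezone-aware)


def cert_for(host, root_issuer, not_before_iso):
    """Build a Cert from an ISO-8601 timestamp such as '2016-01-01T00:00:00+00:00'."""
    return Cert(host, root_issuer, datetime.fromisoformat(not_before_iso))


def whitelist_for(version):
    """Whitelist in force for a release: the most recent entry at or below it."""
    applicable = [v for v in sorted(WHITELIST_BY_VERSION) if v <= version]
    return WHITELIST_BY_VERSION[applicable[-1]] if applicable else set()


def chrome_trusts(cert, chrome_version):
    """Return (trusted, reason) for a chain to cert.root_issuer in a given release."""
    if cert.root_issuer not in DISTRUSTED_ROOT_ISSUERS:
        return True, "root not affected by this policy"
    if chrome_version >= FULL_DISTRUST_VERSION:
        return False, "root fully distrusted as of Chrome %d" % FULL_DISTRUST_VERSION
    if chrome_version < PHASE_OUT_VERSION:
        return True, "release predates the phase-out"
    if cert.not_before >= CUTOFF:
        return False, "issued on or after %s" % CUTOFF.date()
    if cert.subject_host not in whitelist_for(chrome_version):
        return False, "host not on this release's whitelist"
    return True, "pre-cutoff certificate for a whitelisted host"


if __name__ == "__main__":
    # Walk one pre-cutoff StartCom certificate through successive releases
    # to show trust narrowing by whitelist before the hard cutoff at 61.
    old = cert_for("example.net", "CN=StartCom Certification Authority",
                   "2016-01-01T00:00:00+00:00")
    for version in (55, 56, 57, 58, 60, 61):
        trusted, why = chrome_trusts(old, version)
        print("Chrome %d: %s (%s)" % (version, "trusted" if trusted else "DISTRUSTED", why))
```

The reason strings are the useful output: when a site on one of these roots breaks, they tell you whether it failed the date cutoff, fell off the whitelist in that release, or hit the Chrome 61 hard stop, which is what you need to know when deciding whether reissuing from the same CA could ever help (it cannot once the cutoff has passed).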
Good (Score:2)
I'm glad there are people willing to stand up to corporate misbehavior. Now if only we could get some better way of doing revocation checks.
Re: (Score:2)
It's called Let's Encrypt. Use it, love it. 90 Day certs, full automatic signing and updating. Built-in support in most distributions (even pfsense has a package now).
If you are paying for anything other than an EV certificate you're an idiot.
Re: (Score:2)
Just a thumbs-up for Let's Encrypt. Fantastic service and super easy to set up and have it fully automated, so the short-lived certs are not an issue. It automatically takes care of itself if configured properly.
Re: (Score:2)
I use Let's Encrypt, too. HATE it.
Re: (Score:2)
Sorry, but you are an idiot. There are plenty of alternative clients for the ACME protocol, plenty of them run without root access. I have never needed to run as root and the LE client also doesn't modify my web server configs. All the client does is update the certificate every so often and then tests the configuration before deploying it. It took me all of ~10 lines to get it to work the way I want it.
Your Apache scripts shouldn't be so complex that they become uneditable; do you even know what they do?
Re: (Score:2)
like because like fema camps like have like nothing to do with like guillotines like.
The government routinely orders guillotines (paper cutters). If you print out your certificate, you can cut it up with an office guillotine.
Re: (Score:2)
It's the browsers that got us in the mess we're in. Browsers do the wrong thing with TLS in almost every situation.
We have really good crypto algorithms and protocols, and the implementations we have are confusing, misleading, and negate a lot of that functionality.
Pretty sure what you're describing has nothing to do with browsers. TLS is governed by the server, not the browser. Server dictates what crypto methods and hashing methods are permitted to be used. Browser has to comply with the server or get lost.
Re: (Score:2)
Us lowly commoners have to pay someone to sign our certs.
I don't pay for my cert. Let's Encrypt is free.
What's the motive for wosign? (Score:3)
It's tied to the version? (Score:2)
Anyone else find it odd that the whitelist depends on the version? Like they hardcoded it?