
According to an announcement from Google, trust in certificates issued by the certificate authorities WoSign and StartCom will soon be withdrawn completely, namely starting with the release of Chrome 61, expected in mid-September. This concerns certificates issued before October 21, 2016 that have not yet expired (newer certificates were already blocked last year).
In Chrome 57 (released in March 2017), trust in these older certificates was already partially withdrawn, but an exception was made for sites in the Alexa top million. That whitelist is now being removed, and the block will apply to certificates issued by these CAs for any domain.
It is worth recalling that Mozilla has had similar measures in place: since Firefox 51 (released in January 2017), new WoSign and StartCom certificates have been restricted, while certificates issued before October 21, 2016 remained trusted.
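To turn the distrust schedule above into something that can be run against an inventory, here is an added example (not from the article, Google or Mozilla) that classifies a certificate summary in the shape returned by Python's ssl.SSLSocket.getpeercert(). It assumes the affected CAs can be recognised by the substrings "WoSign" and "StartCom" in the issuer's organizationName, and takes midnight UTC on October 21, 2016 as the cutoff between "old" and "new" certificates; the sample certificate dictionaries are constructed for the example. The function names chrome_verdict and firefox_verdict are the example's own. A real check should also walk the chain, since the browsers key their distrust on the roots and a leaf issued through an intermediate with a differently named organization would slip past a leaf-only match like this one.

```python
import ssl

# Assumed cutoff from the article: certificates issued before 21 Oct 2016
# are the "old" set that Chrome 61 stops trusting; later ones were blocked
# earlier. Midnight UTC on that day is an assumption.
CUTOFF_UTC = ssl.cert_time_to_seconds("Oct 21 00:00:00 2016 GMT")

# Assumption: the affected CAs are identified by these substrings in the
# issuer's organizationName. This checks only the leaf's direct issuer.
AFFECTED_CA_MARKERS = ("wosign", "startcom")


def issuer_field(cert, key):
    """Return one field (e.g. 'organizationName') from the issuer structure
    that ssl.SSLSocket.getpeercert() produces: a tuple of RDNs, each a tuple
    of (name, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def issued_by_affected_ca(cert):
    org = issuer_field(cert, "organizationName") or ""
    return any(marker in org.lower() for marker in AFFECTED_CA_MARKERS)


def chrome_verdict(cert, chrome_version, in_alexa_top_million=False):
    """Classify a certificate against the Chrome schedule described above.
    Returns 'trusted', 'distrusted_new', 'distrusted_old' or
    'whitelisted_until_61'."""
    if not issued_by_affected_ca(cert):
        return "trusted"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before >= CUTOFF_UTC:
        return "distrusted_new"            # blocked since late 2016
    if chrome_version >= 61:
        return "distrusted_old"            # whitelist removed
    if chrome_version >= 57:
        # Chrome 57-60: old certs blocked unless the site was in the top million
        return "whitelisted_until_61" if in_alexa_top_million else "distrusted_old"
    return "trusted"                       # before Chrome 57 old certs still worked


def firefox_verdict(cert, firefox_version):
    """Firefox 51+ restricts new WoSign/StartCom certificates only; the old
    ones issued before the cutoff stay trusted per the article."""
    if not issued_by_affected_ca(cert):
        return "trusted"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if firefox_version >= 51 and not_before >= CUTOFF_UTC:
        return "distrusted_new"
    return "trusted"


def _sample(org, not_before):
    # Constructed sample in getpeercert() shape; not a real certificate.
    return {
        "issuer": ((("countryName", "CN"),),
                   (("organizationName", org),),
                   (("commonName", "example issuer"),)),
        "notBefore": not_before,
        "notAfter": "Oct 10 00:00:00 2018 GMT",
        "subject": ((("commonName", "example.test"),),),
    }


SAMPLE_OLD = _sample("WoSign", "Oct 10 00:00:00 2016 GMT")       # before cutoff
SAMPLE_NEW = _sample("StartCom", "Nov 1 00:00:00 2016 GMT")      # after cutoff
SAMPLE_OTHER = _sample("Some Other CA", "Oct 10 00:00:00 2016 GMT")

if __name__ == "__main__":
    for label, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(label, "chrome61:", chrome_verdict(cert, 61),
              "chrome57+whitelist:", chrome_verdict(cert, 57, in_alexa_top_million=True),
              "firefox51:", firefox_verdict(cert, 51))
```

Running it against real peer certificates is a matter of replacing the constructed samples with the dictionary from getpeercert() on a validated connection, which already carries issuer and notBefore in exactly this form.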
The story began last year, when Mozilla representatives revealed a number of serious violations in the operations of WoSign and StartCom. In response, WoSign initiated an audit, began work to address the findings and improve the security of its internal infrastructure, and started the process of obtaining new root certificates. Among the violations:
- Ignoring the requirements governing certificate authorities, which prohibit issuing SHA-1 certificates from January 1, 2016 (WoSign issued SHA-1 certificates with backdated validity periods);
- Acquiring control of another certificate authority (StartCom) without disclosing the transaction;
- Negligence regarding security, in particular running outdated versions of network software without installing updates (the BIND package on the DNS server had last been updated in 2011 and carried 19 unpatched vulnerabilities);
- An incident in which a certificate for one of GitHub's domains was issued to a third party.
It is hard to explain the reasoning behind actions this risky for WoSign's reputation, but there is a precedent.
UPD: Google raised questions about Symantec some time ago: roughly 30,000 certificates issued by that company appear to have been issued without proper validation of domain ownership. It seems that Chrome will soon stop trusting those certificates as well.