Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months

Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October. Chrome security engineer Devon O'Brien, in a Google Groups post on Thursday, said Google last year began limiting its trust of certificates backed …

  1. Rich 11 Silver badge

    Won't be missed.

    1. Danny 14

      I thought they'd already have gone though. Haven't SHA1 root certs been throwing up errors in Chrome anyway? I went to a business that had an SHA1 enterprise CA cert on their guest wifi and Chrome wouldn't play ball with that at all.

  2. Michael Hoffmann Silver badge
    Unhappy

    Alas, StartCom

    In the days before Let's Encrypt StartCom was a good way to get a basic and free SSL cert.

    Now, they're part of my "remove trust" process in my browsers.

    Sic transit gloria mundi.

    1. Jamie Jones Silver badge

      Re: Alas, StartCom

      My sentiments exactly. I used to love StartCom, but I've been removing WoSign and StartCom certificates manually since this story originally broke out.

      One thing - I'm sure I'm not the only one to ignore "this site is untrusted" messages on sites I don't deem important. They need another message for cases like this.

      It's the difference between "untrusted" and "distrusted" - the former meaning no trust exists, the latter means trust explicitly revoked.

      That's too subtle for a warning message, but something like "This is an evil fraudulent site and if you continue to view it, you'll probably crash the internet" ... or something!

  3. Notas Badoff

    Wo is me

    Chinese pinyin for 'I' is 'wǒ'. Anybody remember if in the "product trademarking wars" Chinese companies simply tried working around the trademarks by using 'wophone', 'wopad', etc.? wophone.com seems null-terminated. (Mebbe Apple bought it?) wopad.com is for sale. wophone.net is too. Guess discerning customers wanted the "real thing" or not at all.

  4. james.aka.damingo
    Black Helicopters

    EU Anyone

    How long until some crank at the EU decides that Google is abusing its position in the browser market by causing companies which behave unethically to be shut down (as it's not likely StartCom will survive this).

    Obviously Google and the others are doing the correct thing here; but some EU idiot will decide to get a promotion by fining them billions again.

    And no, I didn't vote for Brexit.

    1. Phil W

      Re: EU Anyone

      Bloody ages if the affected entities are not complying with obvious independently created security standards, not just upsetting Google. Not to mention the companies in question are not even remotely in the EU.

      1. james.aka.damingo

        Re: EU Anyone

        There will be certificate holders in the EU who have used those companies. And going by some of the rulings the EU's "experts of the interwebs" have made in the past; any lost traffic will be Google's fault "due to their abuse of a dominant position in blah blah blah".

        Although I suppose any lost traffic to a site using one of those certs (a legit cert) would be the fault of Google (they blocked it); obviously the CA is to blame really for being an arse.

      2. Ben Tasker

        Re: EU Anyone

        Bloody ages if the affected entities are not complying with obvious independently created security standards not just upsetting Google.

        I agree, they're probably OK as it's not Google (alone) who've set the standard.

        It does raise an interesting question though (albeit largely hypothetical). Google is currently at odds with the rest of the CAB Forum on the subject of certificate validity periods. They've just been reduced to around 2 years max, but Google wanted 13 months in their ballot (which got voted down).

        It wasn't so much the period, as how quickly Google wanted to switch that the other members objected to AIUI.

        So, if Google were to go it alone, and simply distrust anything older than 13 months in Chrome, at what point would that be considered an abuse of domination, if at all?

        They haven't actually shown any sign of intending to do that, and it'd be a bloody stupid thing for them to do (though if they did, it'd more or less force the industry to comply), but I thought it was an interesting thought exercise.

        1. Danny 14

          Re: EU Anyone

          This will be an arse with domain CA certs though. Quite a few domain filters will have long certs. Businesses will just ditch Chrome.
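The "untrusted" versus "distrusted" distinction Jamie Jones draws above, the phased removal the article describes, and the validity-period caps Ben Tasker mentions (roughly two years from the CA/B Forum, 13 months in Google's ballot) can be expressed as a small trust-evaluation policy. The following Python is an added example written for this thread; it is not code from The Register, Chrome, or any CA. The root names, chains, dates and the final removal date are constructed stand-ins, and the policy only walks issuer names, so it deliberately omits signature verification, expiry, revocation and hostname checks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, List


class TrustState(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"    # the chain ends nowhere we recognise (e.g. a private CA)
    DISTRUSTED = "distrusted"  # the chain ends at a root whose trust was explicitly revoked


@dataclass(frozen=True)
class Cert:
    """The few X.509 fields the policy needs (constructed stand-in for a parsed cert)."""
    subject: str
    issuer: str
    not_before: date
    not_after: date


# Constructed trust policy (an assumption for this example, not Chrome's real store).
TRUSTED_ROOTS = {"Example Global Root CA"}

# Distrusted roots, each with the issuance cutoff Chrome applied to WoSign/StartCom:
# certificates with notBefore after 2016-10-21 were never trusted; older ones were
# tolerated until the final removal date passed to evaluate().
DISTRUSTED_ROOTS: Dict[str, date] = {
    "WoSign Root CA": date(2016, 10, 21),
    "StartCom Root CA": date(2016, 10, 21),
}

# Validity caps discussed in the thread, in days: the CA/B Forum limit of roughly
# two years and the 13-month limit Google proposed.
CABF_MAX_DAYS = 825
GOOGLE_PROPOSED_MAX_DAYS = 398


def build_chain(leaf: Cert, pool: Iterable[Cert]) -> List[Cert]:
    """Follow issuer names from the leaf until a self-signed cert or a dead end.
    Name matching stands in for signature verification, which real code must do."""
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    seen = {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            break  # missing issuer, or a loop in the pool
        chain.append(parent)
        seen.add(parent.subject)
    return chain


def evaluate(leaf: Cert, pool: Iterable[Cert], today: date, final_removal: date) -> TrustState:
    """Classify a leaf as trusted, untrusted or distrusted under the phased policy."""
    chain = build_chain(leaf, pool)
    root = chain[-1]
    if root.subject != root.issuer:
        return TrustState.UNTRUSTED          # chain never reached a self-signed root
    if root.subject in TRUSTED_ROOTS:
        return TrustState.TRUSTED
    if root.subject in DISTRUSTED_ROOTS:
        cutoff = DISTRUSTED_ROOTS[root.subject]
        if today < final_removal and leaf.not_before <= cutoff:
            return TrustState.TRUSTED        # legacy cert, still tolerated during phase-out
        return TrustState.DISTRUSTED
    return TrustState.UNTRUSTED              # a root the policy has never heard of


def exceeds_max_validity(cert: Cert, max_days: int) -> bool:
    """True when the certificate's validity period is longer than the cap."""
    return (cert.not_after - cert.not_before) > timedelta(days=max_days)


# Constructed sample chains and dates.
WOSIGN_ROOT = Cert("WoSign Root CA", "WoSign Root CA", date(2009, 8, 8), date(2039, 8, 8))
WOSIGN_INT = Cert("WoSign Class 1 CA", "WoSign Root CA", date(2010, 1, 1), date(2030, 1, 1))
OLD_LEAF = Cert("www.example.test", "WoSign Class 1 CA", date(2016, 6, 1), date(2017, 6, 1))
NEW_LEAF = Cert("shop.example.test", "WoSign Class 1 CA", date(2017, 1, 15), date(2020, 1, 15))
PRIVATE_ROOT = Cert("Corp Private CA", "Corp Private CA", date(2015, 1, 1), date(2035, 1, 1))
PRIVATE_LEAF = Cert("intranet.example.test", "Corp Private CA", date(2017, 3, 1), date(2018, 3, 1))
POOL = [WOSIGN_ROOT, WOSIGN_INT, PRIVATE_ROOT]
FINAL_REMOVAL = date(2017, 9, 30)   # placeholder for the final distrust date
BEFORE_REMOVAL = date(2017, 8, 1)
AFTER_REMOVAL = date(2017, 10, 1)


if __name__ == "__main__":
    for leaf in (OLD_LEAF, NEW_LEAF, PRIVATE_LEAF):
        for today in (BEFORE_REMOVAL, AFTER_REMOVAL):
            print(leaf.subject, today, evaluate(leaf, POOL, today, FINAL_REMOVAL).value)
    print("3-year cert over CA/B cap:", exceeds_max_validity(NEW_LEAF, CABF_MAX_DAYS))
```

Run as a script it prints one line per leaf and date: the pre-cutoff WoSign leaf is tolerated until the removal date and distrusted after it, the post-cutoff leaf is distrusted on both dates, and the private-CA leaf is merely untrusted, which is the state a browser could reasonably word differently in its warning.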

  5. Bronek Kozicki

    A further attempt to reach an authorized StartCom spokesperson brought no response.

    Not surprised, the way this is going they probably do not have a spokesperson anymore. It makes no sense for them to employ anyone except for a janitor. To shut down the lights.

    1. Alan W. Rateliff, II
      Meh

      Re: A further attempt to reach an authorized StartCom spokesperson brought no response.

      I got a response from support several weeks ago about this issue and how my secure sites to which I direct some of my customers were starting to show as insecure in Chrome. I was hoping this mess would be sorted by now, but apparently what I have to do is purchase a certificate which will have all of my certificates combined and signed by what is and will continue to be a trusted root, then they will re-issue all of my affected certificates once the root distrust issue is resolved.

      Well, damn.

  6. Anonymous Coward
    Anonymous Coward

    Bye bye Startcom

    You saved my ass many times but ultimately you fucked yourself.

  7. Pascal Monett Silver badge

    "tends to limit traffic and ad revenue"

    Initially I thought that maybe those words would only apply to non-Chinese country activities, but then I checked out this page and found that Google is 3/5ths the Chinese market in browser share.

    There is a "local" browser version, Sogou explorer, which, of course, snoops on its users, but I would have thought Chinese users would have much more use for China-made browsers.

    Instead, Google has that market pretty much sewn up as well. Sheesh.

  8. bombastic bob Silver badge
    Devil

    what's Firefox gonna do? (or even Micro-shaft)

    So, what's Firefox/Mozilla gonna do now? Or even Micro-shaft? Also haven't heard anything regarding Opera or Safari. It's not like Google runs THOSE projects, but will they follow Google's example?

    And I expect you could _STILL_ re-add the root certs for those CAs yourself, if you want them... (the same kind of process by which you'd add a self-signing CA or a "network appliance" CA)

    1. Anonymous Coward
      FAIL

      Re: what's Firefox gonna do? (or even Micro-shaft)

      Sheez, I don't know. If only there was clue in the article.

      "Consequently, Apple, Mozilla, and Google announced plans to gradually stop trusting WoSign and StartCom certificates, in order to minimize disruptions to those with websites utilizing the condemned certs."

      Seriously, can we have a RTFA icon?

  9. GrapeBunch
    Stop

    Whoa sign

    Fellow regtards frequently ask for new icons. But The Reg in anticipation FTFY.

    Thanks, Xièxiè, 谢谢 .

  10. Bob Hoskins
    Big Brother

    Does anyone still use Google?

    I thought everyone had switched over to Bing?

    1. Anonymous Coward Silver badge
      Childcatcher

      Re: Does anyone still use Google?

      I'm not sure about that... let me Ask Jeeves

      1. TonyJ

        Re: Does anyone still use Google?

        "...I'm not sure about that... let me Ask Jeeves..."

        Pah! I will see your Jeeves and raise you one dogpile!

        1. Anonymous Coward
          Anonymous Coward

          Tonight I'm Gonna Party Like It's 1994

          Ask Jeeves? Dogpile? Stuff your newfangled search engines. I'm still using some guy's carefully-maintained list of useful and interesting pages on the world wide web.

          You laugh, but 90s nostalgia is the new hot thing, and Google will soon feel the heat from upcoming Gen Z-ers rejecting them and going back to the old ways. You mark my words!!

          Joking aside, I'm sure there are some would-be hipster ****s- the same ones using typewriters and shitty old bikes- doing this because they think it's cool^w^w^w^w insert rationalisation about how doing it this way helps you focus on important sites and think about what you're doing.

          It also shows how small and manageable the web was in the early days that these sort of lists were not only A Thing, but taken seriously. You'd go back to the whole thing now and realise how primitive and limited it was, but it was pretty amazing at the time!

  11. Yukkuri

    But they're still up?

    Yet both WoSign and StartCom still seem to be selling certs, if their sites are any indication. I am confused. Do they expect to somehow still turn this around? Are they just going to grab as much money as they still can before collapsing even if they know their certs are soon to be useless in Chrome (and already are in other browsers if I read stories about this right?)

    I guess even in a "communist" country capitalism has the same perverse logic.

    1. Anonymous Coward
      Anonymous Coward

      Re: But they're still up?

      China is "communist" in name only and has been for a long time.

  12. mcdardy

    Why DigiCert?

    I've just noticed via the WoSign website that DigiCert's High Assurance Root has been used to sign an intermediate certificate for WoSign. I'm appalled DigiCert would negotiate with this company. Both WoSign and its newly-acquired StartCom (whom I routinely advised clients to have no dealings with) have proven time and time again that they are not worthy of trust.

    Very disappointed as DigiCert is my preferred CA. Hopefully they'll be policing them heavily.

  13. Joe Harrison

    So where to next?

    WoSign was the only place I could find for a free email (S/MIME) certificate. Don't want to get involved in whether or not they should be black-holed but it does leave me without a paddle when my cert expires.

    1. Steve Foster

      Re: So where to next?

      Comodo (both directly and under their instantSSL brand) also offer free email certificates.

      [this post should not be considered an endorsement for Comodo]

  14. Anonymous Coward
    Anonymous Coward

    Anticompetitive?

    On most platforms, Chrome uses the operating system's certificate stores. If I tell my computer that I want to trust StartCom, why would Google countermand that and make browsing sites that use their certificates so highly inconvenient? Earlier this year, Google got into the CA business and StartCom and WoSign are now their competition. These companies are small compared to Symantec's CA which, through acquisition (VeriSign, Thawte, etc.), has issued certificates to almost 30% of the Web, and Google has already announced plans to deprecate trust in them, too. The antitrust sueballs are ready to be loaded into the trebuchet.
