2017-07-10

GOOGLE'S UPCOMING Chrome 61 browser will 'untrust' two Chinese digital certificate authorities as punishment for failing to maintain the 'expected standards'.

The punishment comes after evidence that WoSign "knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and certificate authority requirements", according to Google Chrome security manager Andrew Whalley.

These include a certificate for one of GitHub's domains that was issued without GitHub's authorisation. A subsequent investigation by Google, the Mozilla Foundation and Apple uncovered a number of cases of certificate mis-issuance during 2015 and 2016.

Furthermore, claims Google, both WoSign and its subsidiary StartCom failed to cooperate fully with the inquiry.

"The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and certificate authority requirements. Further, it determined that StartCom, another certificate authority, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's.

"When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both certificate authorities, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted certificate authority," wrote Whalley.

In response, Google made the decision to progressively withdraw 'trust' from WoSign and StartCom-sourced certificates, starting in Chrome 56, in a process that will be completed when Chrome 61 comes out next month.

The phasing out of trust for WoSign and StartCom certificates has been conducted over a course of several months in order to give customers of the companies plenty of time to migrate to more trusted certificate authorities.

The 'untrusting' of WoSign and StartCom comes as browser makers try to improve browser security by, for example, deprecating support for certificates based on insecure SHA-1 cryptography, and highlighting websites that lack support for encrypted connections.

The investigation into WoSign also found that it had been backdating SSL certificates to get round a 1 January 2016 deadline to stop issuing SHA-1 certificates.
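The three things the article describes, a WoSign/StartCom issuer, a SHA-1 signature, and a SHA-1 certificate whose validity dates sit around the 1 January 2016 cut-off, can all be read out of a certificate and checked in an inventory sweep. The script below is an added example, not code from Google, WoSign or the article: it walks the DER structure of a certificate with the standard library only (no X.509 library), then applies those checks. The sample certificates are constructed inside the script with placeholder key and signature bytes, and the organisation names used in them are assumptions for illustration. Note the caveat the backdating story teaches: notBefore is chosen by the CA, so a pre-cut-off date alone does not prove the certificate was issued before the cut-off.

```python
"""Audit a DER X.509 certificate for a distrusted issuer, a SHA-1 signature,
and SHA-1 validity dates around the 2016-01-01 cut-off (stdlib only)."""
from datetime import datetime, timezone

SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)
DISTRUSTED_ISSUERS = ("wosign", "startcom")      # case-insensitive substring match
OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "2.5.4.3": "CN", "2.5.4.10": "O"}

# --- minimal DER decoding ----------------------------------------------------
def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    items, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        items.append((tag, val))
    return items

def decode_oid(contents):
    parts, acc = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def decode_name(contents):
    """Name ::= SEQUENCE OF SET OF (type OID, value string) -> {'O': ..., 'CN': ...}."""
    attrs = {}
    for _, rdn in der_children(contents):
        for _, atv in der_children(rdn):
            (_, oid), (_, text) = der_children(atv)
            attrs[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = text.decode("utf-8")
    return attrs

def decode_time(tag, contents):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(contents.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der_bytes):
    """Pull issuer, validity and signature algorithm out of a DER Certificate."""
    _, cert, _ = der_read(der_bytes)
    (_, tbs), (_, sig_alg), _ = der_children(cert)       # tbsCertificate, algorithm, signature
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    # fields: serial, signature algid, issuer, validity, subject, spki, ...
    (nb_tag, nb), (na_tag, na) = der_children(fields[3][1])
    sig_oid = decode_oid(der_children(sig_alg)[0][1])
    return {"issuer": decode_name(fields[2][1]),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid)}

# --- policy check ------------------------------------------------------------
def audit(cert):
    findings = []
    issuer = " ".join(cert["issuer"].values()).lower()
    if any(name in issuer for name in DISTRUSTED_ISSUERS):
        findings.append("issuer matches WoSign/StartCom: untrusted from Chrome 61")
    if cert["signature_algorithm"].startswith("sha1"):
        findings.append("certificate signature uses SHA-1")
        if cert["not_before"] >= SHA1_CUTOFF:
            findings.append("SHA-1 certificate dated on/after the 2016-01-01 cut-off")
        else:
            findings.append("SHA-1 certificate dated before the cut-off: notBefore is set "
                            "by the CA, so check CT log timestamps before believing it")
    return findings

# --- constructed samples (not real certificates; key/signature are placeholders)
def der(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v > 127:
            v >>= 7; chunk.insert(0, 0x80 | (v & 0x7F))
        body += bytes(chunk)
    return der(0x06, bytes(body))

def encode_name(attrs):
    return der(0x30, b"".join(der(0x31, der(0x30, encode_oid(o) + der(0x0C, t.encode())))
                              for o, t in attrs))

def build_sample(issuer_org, sig_oid, not_before):
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, encode_oid(sig_oid) + b"\x05\x00")
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                  # version v3
        der(0x02, b"\x42"),                                             # serial (constructed)
        alg,
        encode_name([("2.5.4.10", issuer_org), ("2.5.4.3", issuer_org + " Root")]),
        der(0x30, utc(not_before) + utc(not_before.replace(year=not_before.year + 2))),
        encode_name([("2.5.4.3", "www.example.test")]),
        der(0x30, b"\x00"),                                             # placeholder SPKI
    ]))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 8))     # placeholder signature

SUSPECT_CERT = build_sample("WoSign", "1.2.840.113549.1.1.5", datetime(2016, 2, 1, tzinfo=timezone.utc))
BACKDATED_CERT = build_sample("StartCom", "1.2.840.113549.1.1.5", datetime(2015, 12, 20, tzinfo=timezone.utc))
CLEAN_CERT = build_sample("Example Trust", "1.2.840.113549.1.1.11", datetime(2017, 3, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, blob in [("suspect", SUSPECT_CERT), ("backdated-style", BACKDATED_CERT), ("clean", CLEAN_CERT)]:
        cert = parse_certificate(blob)
        print(label, cert["signature_algorithm"], cert["issuer"], audit(cert) or "no findings")
```

To run it against real certificates, feed `parse_certificate` the DER bytes of each leaf and intermediate from your inventory (the PEM body base64-decoded); the decoder only reads the fields the checks need and leaves the public key and extensions untouched.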

From September, visitors to websites using either WoSign or StartCom certificates will see security warnings, which will almost certainly affect their traffic.

Certificates supposedly guaranteeing the security of web connections, and the certificate authorities that issue them, have come in for increasing levels of scrutiny in recent years.

Earlier this year Let's Encrypt was accused of issuing as many as 15,000 bogus certificates to PayPal phishing site operators. µ