SSL Labs Distrusts WoSign and StartCom certificates
Last updated on: October 21, 2021
In the second half of 2016, a series of events unfolded that culminated with something many didn’t think was possible (or at least thought very unlikely): a public CA was distrusted. The CA in question was WoSign, a Chinese CA who made some waves by offering free certificates back in the day, before Let’s Encrypt came onto the scene. To make the case even more remarkable, another CA—StartCom—was distrusted at the same time. These were CAs with substantial installed user bases, largely because both had offered free certificates.
To fully understand what happened requires a lot of digging for background information. Luckily, the blog posts from Mozilla and Google not only give their reasons, but also provide helpful links where you can obtain further information if you desire. Apple also joined in the ban; Microsoft has not yet made any announcements.
In short, the root cause of the bans was that the browser vendors had lost trust in WoSign’s “technical and management capabilities”. In addition, WoSign was accused of dishonesty and continued, persistent deception. To a large extent, StartCom didn’t play a significant role in the story, but their fate was sealed because they had been acquired by WoSign and later became part of the same management and technical hierarchy. They now seem to be, in effect, two brands within the same organisation.
The decisions to ban WoSign and StartCom were made largely in October 2016, but the actual trust changes started to take place in January 2017. Browser vendors generally attempted to keep all existing certificates alive, which is potentially challenging given that one of the accusations leveled at WoSign was certificate backdating. (In the absence of widespread deployment of a public log mechanism for certificates, for example Certificate Transparency, there is no way to verify a certificate’s not-before and not-after dates.) However, keeping existing certificates alive is not something that can be done reliably, which is why many web sites with WoSign’s and StartCom’s certificates started to experience disruption. Furthermore, all vendors are committed to taking whatever further actions they feel necessary, including completely revoking trust in the doomed CAs. Mozilla said that they could do that as early as April 2017.
In a nutshell, if you have a WoSign or StartCom certificate in production today, there is no guarantee that it will work for your users. In the future, it will only get worse, and it will not get better until you replace your certificate and use another CA. To that end, SSL Labs will actively distrust WoSign and StartCom certificates in the near future. Within the next couple of days our development and production systems will start showing a warning when WoSign or StartCom certificates are encountered. From 8 May 2017 such certificates will be graded T (no trust), so web sites that continue to use them will receive a T grade. We hope that we can raise further awareness with this action and help site operators transition as smoothly as possible.
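As an added example (not SSL Labs’ or any browser’s code), the following POSIX shell script flags a PEM certificate whose issuer is a WoSign or StartCom CA and reports whether it predates the 21 October 2016 cutoff that browsers used when grandfathering existing certificates. It assumes the openssl command-line tool is installed, and matching the issuer name on the strings “WoSign” and “StartCom” is a simplification of the root-pinning that browsers actually perform.

```shell
#!/bin/sh
# Added example, not SSL Labs or browser code. Flags a PEM certificate whose
# issuer is a WoSign or StartCom CA and reports whether it was issued before
# the 21 October 2016 cutoff browsers used when grandfathering existing certs.
# Assumptions: the openssl CLI is installed; matching the issuer name on the
# strings "WoSign"/"StartCom" stands in for the root-pinning browsers do.
CUTOFF=20161021

# Turn OpenSSL's "Oct 21 00:00:00 2016 GMT" into 20161021 for integer
# comparison (pure POSIX sh, so no dependence on GNU `date -d`).
ssl_date_to_ymd() {
  set -- $1        # word-split: $1=month $2=day $3=time $4=year
  case $1 in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%s%s%02d\n' "$4" "$m" "$2"
}

# Prints one of: OK, DISTRUSTED-BEFORE-CUTOFF, DISTRUSTED-AFTER-CUTOFF.
# Pre-cutoff certificates may still be grandfathered by some browsers;
# post-cutoff ones are rejected outright. Either way, SSL Labs grades T.
check_cert_trust() {
  pem=$1
  issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 2
  case $issuer in
    *WoSign*|*StartCom*) ;;
    *) echo OK; return 0 ;;
  esac
  start=$(openssl x509 -in "$pem" -noout -startdate | sed 's/^notBefore=//')
  ymd=$(ssl_date_to_ymd "$start") || return 2
  if [ "$ymd" -lt "$CUTOFF" ]; then
    echo DISTRUSTED-BEFORE-CUTOFF
  else
    echo DISTRUSTED-AFTER-CUTOFF
  fi
}

# Usage: check_cert_trust /path/to/cert.pem
```

Run it against the leaf certificate of each site you operate; a non-OK result means the chain leads to a CA that SSL Labs will grade T.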
Browsers still trust StartCom certificates issued before the 21st of October. Shouldn’t SSL Labs use the same criteria as common web browsers?
No, browsers don’t exactly continue to trust the certificates issued before October 21st. That was the case with Chrome 56, but Chrome 57 reduced the trusted list to the domains in the Alexa top 1 million (https://codereview.chromium.org/2662673002/). Then, just a day ago, the trusted list was reduced to the top 100k (https://codereview.chromium.org/2828083002). So, if anything, I think we might have been late with the T grade.
Aha, thanks for the information. I don’t see what this additional blacklisting by Chrome would accomplish, but Google knows Chrome is too big to fail. By sparing the highest scoring sites on Alexa, they’ve also insured themselves against backlash from users complaining that “Chrome doesn’t work with X”.
I’ve already asked to be removed from the HSTS-Preload list, because I as a small party cannot make the guarantee that my website will be available over HTTPS anymore. If anything were to happen to Let’s Encrypt and you’re on the HSTS-Preload list, you have a big problem. There is no free alternative for it anymore.
IMO, Let’s Encrypt itself will be secure enough. But your website will be insecure if it is not managed well, e.g. a certificate leak may happen.
iOS 11 already says that a website using this certificate is dangerous.