Google Logo

Google has banned WoSign, a Chinese company that provides SSL/TLS certificates to support HTTPS traffic, after both Apple and Mozilla took similar steps in the past month.

The ban comes after Mozilla security researchers have brought to light a series of security incidents involving WoSign in mid-September.

The 13-page Mozilla report detailed a list of issues, most of which accused WoSign of issuing SSL certificates signed with the SHA-1 encryption algorithm, for which browser vendors have issued a non-issuance ban after January 1, 2017.

WoSign was issuing weak SSL certificates, despite browser vendor ban

Mozilla discovered that WoSign was issuing certificates signed with SHA-1 as late as June 2016, and backdating the SSL certs to December 2015.

Both Mozilla and the other browser vendors have set up a procedure through which HTTPS certificate providers could request permission to issue SSL certificates signed with SHA-1 under certain conditions. WoSign didn't request for permission through this mechanism, and had tried to hide this practice.

Mozilla also discovered that WoSign SSL certificate issuance process also allowed third-parties to request certificates for sites they didn't own. For example, Mozilla explains how an IT administrator for the University of Central Florida mistakenly requested certificates for two domains he didn't own, including GitHub.

Furthermore, Mozilla discovered that WoSign had secretly bought StartCom, an Israeli-based certificate authority (CA), which it moved to its infrastructure, and also used to issue backdated SSL certificates.

When Mozilla confronted WoSign about the StartCom purchase, which took place in the autumn of 2015, WoSign denied the acquisition, and only days before Mozilla's report in September 2016, published a blog post announcing StartCom's new ownership.

WoSign sacks CEO in desperate attempt to avoid a full ban

Following the scorching report, Apple engineers made up their minds right away, and by mid-October, they had issued security updates for several Apple products that removed trust in both WoSign and StartCom certificates.

Seeing that browser vendors aren't fooling around, Qihoo 360, the WoSign majority stakeholder, set up a meeting with Mozilla's top brass in London, together with StartCom top execs.

In a desperate Hail Mary pass, Qihoo put the blame on WoSign's CEO and replaced the leadership of both companies. The company also published a report explaining all the issues, from their point of view.

Despite their best efforts, Mozilla didn't buy any of their explanations. Two weeks after WoSign's report, Mozilla decided to ban all WoSign and StartCom SSL certificates issued after October 21, 2016.

Certificates issued before this date will continue to work in Firefox without showing errors, and the actual ban is expected to come into play with Firefox 51, set for release in January 2017.

Google mulled its decision

But the worst was still to come. By that point, neither Google or Microsoft have said a word on the WoSign incidents.

When Mozilla banned WoSign certificates, its security engineers cited "the levels of deception demonstrated by representatives of the combined company."

In a blog post published this week, Google's top brass cited the same shady behavior.

"Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome," said Andrew Whalley of Google Chrome Security.

"The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements," Whalley continues. "Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA."

The Google statement goes on to announce a similar ban for all newly issued WoSign and StartCom certificates after the same date of October 21. Google's ban will become active with the release of Chrome 56, expected in early January 2017.

Old WoSign and StartCom certificates will continue to work, as a sign of respect to the companies that have already invested material resources in protecting their users and operations.

Companies in danger of losing all their clients

Nevertheless, with a ban from three out of four of today's major browser vendors, including Google, whose Chrome browser has a market share of above 50%, WoSign and StartCom's businesses are expected to die out.

Even a Google ban would have been enough to kill any of the two certificate authorities. When in 2011, Dutch certificate authority DigiNotar issued several counterfeit SSL certificates for many top-level domains, including Google.com, Google's ban for DigiNotar certificates was more than enough to strangle the life out of the company's business, who saw many of their clients move their operations to other CAs.

After the three negative decisions coming from Apple, Google, and Mozilla, it would not be surprising if Microsoft follows in their steps, and issues a similar ban.

The reason why most browser vendors are moving away from SSL certificates signed with the SHA-1 algorithm is because of a 2015 research called The Shappening that showed it is now possible to break SHA-1 encryption using modern GPU cards and cloud computing services. Researchers previously thought this would be possible around 2020.

Related Articles:

Google rolls back reCaptcha update to fix Firefox issues

Google Chrome to let Isolated Web App access sensitive USB devices

Polyfill.io JavaScript supply chain attack impacts over 100K sites

Chrome for Android tests feature that securely verifies your ID with sites

Mozilla Firefox can now secure access to passwords with device credentials