Google punts WoSign, StartCom from good guy certificate club

Google is set to jettison certificate authorities WoSign and StartCom next year in a move that shores up wider efforts to neuter the two companies.

Mountain View's move follows public announcements by Mozilla and Apple that they would not trust the authorities' certificates after the pair the pair incorrectly issued base certificates and fudged date stamps in others to avoid SHA-1 security reforms.

WoSign handed a base certificate for GitHub to Univeristy of Central Florida sysadmin Stephen Schrauger in August.

Both it and StartCom were then found to have backdated 62 certificates to avoid pending bans of SHA-1 certificates slated to come into effect on all major browsers.

Mozilla also flagged concerns with WoSign's quiet acquisition of Startcom which it claimed the company tried to hide.

Google Chrome security engineer Andrew Whalley says of its ban decision that certificate authorities play a "key role" in web security and can cause harm if standards are abused.

"Google has determined that two certificate authorities, WoSign and StartCom, have not maintained the high standards expected of certificate authorities and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy," Whalley says.

"Certificate authorities who issue certificates outside the policies required by browsers and industry bodies can put the security and privacy of every web user at risk."

The changes will come into effect with the release of Chrome 56 in January 2017. All WoSign and StartCom certificates issued after October 21 this year will be untrusted.

Those issued before that date will need to comply with Google's Certificate Transparency initiative that will help to demonstrate the trustworthiness of certificates and flush out malware and phishing sites.

That initiative becomes mandatory for web admins in October next year. Those who do not comply will have their sites flagged as untrusted within Chrome. ®