Saturday, 8 July 2017

Need more proof there are dodgy CAs (Certificate Authorities)? Here's an example


Google in two months will conclude its prolonged excommunication of misbehaving SSL/TLS certificate authorities WoSign and subsidiary StartCom, a punishment announced last October.

Chrome security engineer Devon O'Brien, in a Google Groups post on Thursday, said Google last year began limiting its trust of certificates backed by the companies to those issued before October 21st, 2016, and has been winnowing whitelisted hostnames over the course of several Chrome releases.

"Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued," O'Brien said. "Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017."

Like I said in this post - just because there is a padlock in the browser address bar doesn't necessarily mean the site is kosher. Be warned and stay safe, people!