Google latest to shut out Chinese certificate authority for ‘deception’

Following in Apple and Mozilla's footsteps, Google's Chrome web browser will no longer trust the Chinese company WoSign after its actions and "deception" allegedly "put the security and privacy of every web user at risk."


WoSign is a certificate authority, meaning it issues digital certificates that authenticate secure connections to websites. In the Transport Layer Security (TLS) system that underpins security on the web, a trusted third-party authority like WoSign is meant to offer proof that your browser is visiting the website you mean it to. When you aim for your bank’s website, this is how the bank can authenticate its website and protect its communication with you.

A lengthy investigation by both Google and Mozilla was triggered when WoSign issued a TLS certificate for to a university employee with no connection to the site. The subsequent inquiry accuses WoSign of fraudulently using outdated and insecure certificates as well as buying another certificate authority, the Israel-based firm StartCom, and failing to disclose the purchase.

“It was rather surreal when I realized I had actual valid SSL/TLS certificates for the primary GitHub domains,” Stephen Schrauger wrote in an August blog post that began the firestorm. “Https is supposed to prevent eavesdropping, yet with these keys, I could become a man-in-the-middle with relative ease.”


“Google has determined that two [certificate authorities], WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy,” Andrew Whalley from the Chrome Security team wrote.

The WoSign saga brings back memories of the DigiNotar hack in 2010. Using counterfeit certificates made possible by a breach, attackers fooled over 300,000 people with ties to Iran who were browsing websites, most dangerously Gmail and Yahoo.

Mozilla and Google now distrust WoSign and StartCom certificates issued on Oct. 21 or later. Apple is taking similar actions, blocking new intermediate certificates from WoSign and StartCom. In the future, Google will distrust all WoSign and StartCom certificates completely.

“Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust,” Whalley explained.

Microsoft Edge and Opera have yet to take any action against WoSign. Neither company returned a request for comment.

Patrick Howell O'Neill


Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
