WoSign / StartCom SSL certs soon to be worthless in Google Chrome

Posted on 08 July 2017

As has been announced for a while, Google, Mozilla and Apple have been slowly lowering the trust level of certificates issued by WoSign / StartCom. This was primarily due to WoSign backdating certificates, which allowed people to continue to use SHA-1, a known insecure hashing algorithm.

Things are about to get real: according to Devon O'Brien, Chrome's security engineer, all of these certificates will become fully distrusted in Google's Chrome browser, and the whitelisting that Google had put in place will be removed.

"Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued," O'Brien said. "Based on the Chromium Development Calendar, this change should be visible in the Chrome Dev channel in the coming weeks, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017."

O'Brien advised sites still using certificates issued by WoSign / StartCom to "consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users."

My personal usage

After personally using StartCom for years, including for this blog, I switched over mostly to Let's Encrypt, with a few certificates issued by NameCheap, the latter due to some more complex server accessibility issues, and haven't looked back since.