Google从Chrome 61起将不再信任WoSign和StartCom证书

  • A+
所属分类:业界动态

去年,中国 CA WoSign 被发现有严重问题,其中最严重的是故意倒填证书日期绕过浏览器对 SHA-1 证书的限制。主要浏览器开发商要求所有 CA 在 2016 年 1 月 1 日之后停止签发 SHA-1 证书,然而沃通 CA 在 2016 年 1 月 1 日之后仍然签发了 SHA-1 证书,通过故意倒填日期,将这些证书伪装成是在 2016 年前签发的。

Https页面在Google搜索结果中将优先展示

Mozilla 和 Google 先后宣布将停止对 WoSign 及其收购的 StartCom 新证书的信任。Google 是从 Chrome 56 开始停止信任 WoSign 和 StartCom 签发的新证书,但仍然信任 2016 年 10 月 21 日前签发的证书。

近日,Google在其安全博客宣布,从 Chrome 61 版本起,Google Chrome将完全取消对 WoSign 和 StartCom 证书的信任。预计今年9月中旬将会发布Chrome 61稳定版。在使用WoSign 和 StartCom 证书的网站需尽快完成新证书的申请及更换,避免9月中旬后造成不好的用户体验。

Final removal of trust in WoSign and StartCom Certificates

As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.

We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.

Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.

Based on the Chromium Development Calendar, this change is visible in the Chrome Dev channel now, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.

Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: