Google从Chrome 61起将不再信任WoSign和StartCom证书

2017年7月21日20:40:36 评论 258

去年,中国 CA WoSign 被发现有严重问题,其中最严重的是故意倒填证书日期绕过浏览器对 SHA-1 证书的限制。主要浏览器开发商要求所有 CA 在 2016 年 1 月 1 日之后停止签发 SHA-1 证书,然而沃通 CA 在 2016 年 1 月 1 日之后仍然签发了 SHA-1 证书,通过故意倒填日期,将这些证书伪装成是在 2016 年前签发的。

Https页面在Google搜索结果中将优先展示

Mozilla 和 Google 先后宣布将停止对 WoSign 及其收购的 StartCom 新证书的信任。Google 是从 Chrome 56 开始停止信任 WoSign 和 StartCom 签发的新证书,但仍然信任 2016 年 10 月 21 日前签发的证书。

近日,Google在其安全博客宣布,从 Chrome 61 版本起,Google Chrome将完全取消对 WoSign 和 StartCom 证书的信任。预计今年9月中旬将会发布Chrome 61稳定版。在使用WoSign 和 StartCom 证书的网站需尽快完成新证书的申请及更换,避免9月中旬后造成不好的用户体验。

Final removal of trust in WoSign and StartCom Certificates

As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.

We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.

Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.

Based on the Chromium Development Calendar, this change is visible in the Chrome Dev channel now, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.

Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.

avatar
Google发布2019年搜索排行榜 业界动态

Google发布2019年搜索排行榜

今日,Google公布 2019 年度搜索热词榜单,与 2018 年相比, 2019 年搜索关键词的流量持续增长。榜单显示,在美国,迪士尼新推出的流媒体服务“迪士尼+(Disney Plus)”成为 ...
匿名

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: