Google is to withdraw trust in two Chinese digital certificate authorities in the forthcoming Chrome 61 web browser, due out in a month, as punishment for failing to maintain the standards expected of certificate authorities.
The punishment comes after evidence that WoSign "knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and certificate authority requirements", according to Google Chrome security manager Andrew Whalley.
These include a certificate for one of GitHub's domains that was issued without GitHub's authorisation. A subsequent investigation by Google, the Mozilla Foundation and Apple uncovered a number of cases of certificate mis-issuance during 2015 and 2016.
Furthermore, claims Google, both WoSign and its subsidiary StartCom failed to cooperate fully with the inquiry.
"The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and certificate authority requirements. Further, it determined that StartCom, another certificate authority, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's.
"When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both certificate authorities, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted certificate authority," wrote Whalley.
In response, Google made the decision to progressively withdraw 'trust' from WoSign and StartCom-sourced certificates, starting in Chrome 56, in a process that will be completed when Chrome 61 comes out next month.
The phasing out of trust for WoSign and StartCom certificates has been conducted over a course of several months in order to give customers of the companies plenty of time to migrate to more trusted certificate authorities.
The 'untrusting' of WoSign and StartCom comes as browser makers try to improve browser security by, for example, deprecating support for certificates signed with the insecure SHA-1 hash algorithm, and highlighting websites that lack support for encrypted connections.
Indeed, the investigation into WoSign also found that it had been backdating SSL certificates to get round a 1 January 2016 deadline to stop issuing SHA-1 certificates.
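The two policies the article describes (distrusting certificates from the named CAs, and the 1 January 2016 cut-off for SHA-1 issuance) can both be expressed as checks over certificate metadata. The following is an added example, not code from the article or from any browser vendor: it carries a minimal DER encoder and decoder written for this illustration, builds a constructed sample certificate (no key, placeholder signature), and then applies the checks. The issuer match on the organisation name, the deadline constant and the "first seen" heuristic are this example's own assumptions; real distrust decisions key on the CA's root and intermediate certificates, and backdating was established through investigation, not from the certificate alone.

```python
from datetime import datetime, timezone

# --- tiny DER encoder/decoder, written for this example (not a full ASN.1 library) ---

def der(tag, content):
    """Encode one TLV: tag byte, DER length, content bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_oid(dotted):
    """Encode an OBJECT IDENTIFIER from dotted form (base-128, high bit as continuation)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_name(org):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single O= attribute."""
    atv = der(0x30, der_oid("2.5.4.10") + der(0x0C, org.encode()))
    return der(0x30, der(0x31, atv))

def parse_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def children(content):
    """Split a constructed type's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def decode_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

# --- constructed sample certificate: only the leading TBS fields, no key, placeholder signature ---

SHA1_RSA_OID = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_RSA_OID = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption

def build_sample_cert(issuer_org, sig_oid, not_before, not_after):
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))          # [0] EXPLICIT version v3
                  + der(0x02, b"\x01")                      # serialNumber
                  + alg + der_name(issuer_org)
                  + der(0x30, utc(not_before) + utc(not_after))
                  + der_name("Example Site"))               # subject
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))    # BIT STRING signature placeholder

# --- the checks ---

SHA1_DEADLINE = datetime(2016, 1, 1, tzinfo=timezone.utc)   # issuance cut-off named in the article
DISTRUSTED_ORGS = {"WoSign", "StartCom"}                    # CAs named in the article (assumed O= match)

def cert_summary(der_cert):
    """Pull issuer O=, outer signature algorithm OID and notBefore out of a DER certificate."""
    _, cert_body, _ = parse_tlv(der_cert)
    tbs, sig_alg, _sig = children(cert_body)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                 # skip optional version field
        fields = fields[1:]
    _serial, _inner_alg, issuer, validity, _subject = fields[:5]
    org = None
    for _, rdn in children(issuer[1]):
        for _, atv in children(rdn):
            oid, val = children(atv)
            if decode_oid(oid[1]) == "2.5.4.10":
                org = val[1].decode()
    nb_tag, nb_body = children(validity[1])[0]
    return {"issuer_org": org,
            "sig_alg": decode_oid(children(sig_alg[1])[0][1]),
            "not_before": decode_time(nb_tag, nb_body)}

def check_certificate(der_cert, first_seen=None):
    """Return policy findings; first_seen is an assumed independent observation time (e.g. a CT log entry)."""
    info, findings = cert_summary(der_cert), []
    if info["issuer_org"] in DISTRUSTED_ORGS:
        findings.append("issuer-distrusted")
    if info["sig_alg"] == SHA1_RSA_OID:
        findings.append("sha1-signature")
        if info["not_before"] >= SHA1_DEADLINE:
            findings.append("sha1-issued-after-deadline")      # outright breach of the cut-off
        elif first_seen is not None and first_seen >= SHA1_DEADLINE:
            findings.append("sha1-possible-backdating")        # notBefore predates cut-off, cert only seen later
    return findings
```

The backdating finding is deliberately only a lead: a notBefore date earlier than the deadline is exactly what a backdated certificate looks like, so it cannot be distinguished from a legitimately issued one by the certificate alone, and the check needs an independent first-observed time (Certificate Transparency or network telemetry) before it is worth investigating.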
From September, visitors to websites using either WoSign or StartCom certificates will see security warnings, which will almost certainly affect their traffic.
Certificates supposedly guaranteeing the security of web connections, and the certificate authorities that issue them, have come in for increasing levels of scrutiny in recent years.
In 2014, Microsoft warned that bogus Google and Yahoo certificates had been issued by a rogue certificate authority, while earlier this year Let's Encrypt was accused of issuing as many as 14,000 bogus certificates to PayPal phishing site operators.