Google has announced that Chrome 61 will fully distrust certificates issued by WoSign and StartCom (also known as Start SSL). Chrome 61 should reach the dev channel in a few weeks and the beta channel by the end of the month.
WoSign and StartCom are basically the same company, as StartCom is a WoSign subsidiary. Both companies have been accused of multiple violations, including back-dating certificates to get around the SHA-1 restrictions. Browsers stopped trusting SHA-1 certificates issued after a specific date, so both WoSign and StartCom started back-dating newly issued certificates to make browsers trust them.
"We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases. Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued."
Devon O’Brien, Chrome security team
All leading browser manufacturers started investigating the two companies and we’re expecting all major browsers to stop trusting certificates issued by them. Mozilla has already announced it will no longer trust newly issued certificates, though we don’t know what action they will take for older ones.
Apple has already blocked WoSign certificates in Safari, after the company failed multiple controls back in October.
If you’re using certificates issued by either of the two companies, you should think about getting new ones pretty soon. If you want a free one, you can always use Let’s Encrypt, which is backed by a lot of big companies and non-profit organizations.
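To find out which of your own sites need a new certificate, you can check the issuer each one presents. The script below is an added example, not code from Google or from the original article; the marker strings, the `.example` hostnames and the sample certificates are assumptions made up for illustration.

```python
import socket
import ssl

# Assumption: these substrings in the issuer's O or CN identify the two CAs.
# Heuristic on the leaf's issuer only; confirm any hit against the full chain.
DISTRUSTED_MARKERS = ("wosign", "startcom")

def issuer_fields(cert):
    """Flatten the issuer of an ssl.getpeercert() dict into {attribute: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_affected(cert):
    """True if the issuer names WoSign or StartCom. The issue date is ignored:
    full distrust covers every certificate under those roots."""
    fields = issuer_fields(cert)
    text = " ".join(fields.get(k, "") for k in ("organizationName", "commonName"))
    return any(marker in text.lower() for marker in DISTRUSTED_MARKERS)

def fetch_cert(host, port=443, timeout=5.0):
    """Return the verified leaf certificate a server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(hosts, fetch=fetch_cert):
    """Map each host to 'replace', 'ok', or 'check manually: <reason>'."""
    report = {}
    for host in hosts:
        try:
            report[host] = "replace" if is_affected(fetch(host)) else "ok"
        except ssl.SSLCertVerificationError as exc:
            # A local trust store that already dropped these roots fails here,
            # and Python exposes no parsed issuer for an unverified peer.
            report[host] = f"check manually: verification failed ({exc})"
        except OSError as exc:
            report[host] = f"check manually: unreachable ({exc})"
    return report

# Constructed sample certificates in getpeercert() form (not real certificates).
SAMPLE_CERTS = {
    "shop.example": {"issuer": ((("countryName", "CN"),),
                                (("organizationName", "WoSign CA Limited"),),
                                (("commonName", "Constructed WoSign DV CA"),))},
    "blog.example": {"issuer": ((("organizationName", "StartCom Ltd."),),
                                (("commonName", "Constructed Class 1 Server CA"),))},
    "www.example": {"issuer": ((("organizationName", "Let's Encrypt"),),
                               (("commonName", "Constructed LE Intermediate"),))},
}
```

Call `audit()` with a list of your real hostnames to run it against live servers. Hosts reported as "check manually" are worth inspecting by hand, since a failed verification can itself mean the local trust store no longer carries these roots.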