Our features site is undergoing a refresh! Be sure to explore the revamped site and discover our latest product roadmap launching here on Monday, March 18th.
New Topic
cPanel & WHM Feature RequestsTopicSecurity
Properties
Category Security
Tags AutoSSL, Certificate, certificate authorities

Distrust Wosign when validating with AutoSSL

Lucas Rolff shared this idea 7 years ago
Open Discussion

As a server administrator, web hosting provider, and a cPanel user, I would like AutoSSL to notice when a Certificate Authority loses trust and automatically issue new certificates to any domain that is using those authorities, so that (as is the case with Wosign right now) visitors to those websites won't be met with a warning, and I won't have to manually remove those certificates to get AutoSSL to issue new ones.

=============

As people may know, WoSign / StartCom had some issues causing browsers such as Google Chrome and Mozilla Firefox to distrust certificates after a certain date.


Due to technical issues Google Chrome security team has decided that WoSign and StartCom certificates will be distrusted moving forward - in the latest Chrome Dev build you'll get the "Your connection is not private" message with the error NET::ERR_CERT_AUTHORITY_INVALID


AutoSSL on the other hand still believes that the certificate is valid (which it is), but the CA itself are no longer trusted.

I do believe that AutoSSL should be aware of this - from consultation with cPanel it turns out that AutoSSL validates using the Mozilla trusted CA list - where Mozilla still includes the WoSign and StartCom CA's as trusted, thus making the validation pass - and no new certificate will be generated.


To ensure that customers have valid SSL certificates, these certificates should be replaced by AutoSSL - if that's having a 'blacklist' of CA's or pushing Mozilla to stop trusting WoSign and StartCom completely (at least until the company gets new Root certificates which can be added to the trust store as long as Mozilla believes it's safe to do).


Quoting from Google's Security blog:


Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs.

Files: slack-imgs-1-1.png
4 I like this idea 0  

Replies (1)

photo
1
cPanelKeithS 7 years ago

Additional information:

Google post - https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

Mozilla pem list still contains StartCom and WoSign - https://mozillacaprogram.secure.force.com/CA/CACertificatesInFirefoxReport

Reply
Leave a Comment
 
Attach a file

cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.