Issue 700397

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Pre-Oct2016 StartCom certs rejected

Reported by plane...@gmail.com, Mar 10 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce the problem:
1. Open https://www.airtime.pro/ - cert is valid
There is a certificate:
Valid from November 25, 2015 to November 25, 2017
Signature Algorithm: sha256WithRSAEncryption
Issuer: StartCom Class 2 Primary Intermediate Server CA

2. Open https://demo.superdesk.org/ - NET::ERR_CERT_AUTHORITY_INVALID
There is a certificate:
Valid from December 13, 2015 to December 13, 2017
Signature Algorithm: sha256WithRSAEncryption
Issuer: StartCom Class 2 Primary Intermediate Server CA

What is the expected behavior?

What went wrong?
Hi,
after upgrading Chrome to 57 I found that some (not all) StartCom certificates are not valid. I don't see any difference between the valid and the invalid certificates (see the steps to reproduce) that is understandable to me. At the same time I didn't have any issue with version 56.
All certs were issued before Oct 2016 and are based on a SHA-256 hash.

Did this work before? Yes, in 56

Chrome version: 57.0.2987.98  Channel: stable
OS Version: 10.0
Flash Version:

Components: Internals>Network>Certificate
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Pre-Oct2016 StartCom certs rejected (was: Strange behavior with StartCom certs)
I believe this is working as intended.

https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
Certificates issued before this date may continue to be trusted, __for a time__, if they comply with the Certificate Transparency in Chrome policy __or are issued to a limited set of domains known to be customers of WoSign and StartCom.__

Due to a number of technical limitations and concerns, __Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance__. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.

__In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs.__
Status: WontFix (was: Unconfirmed)
Correct, trust in StartCom and WoSign certificates is in the process of being removed. Chrome 58 removes a substantially larger number of these, and Chrome 59 will continue this process, due to the issues noted in that post.

Comment 3 by plane...@gmail.com, Mar 10 2017

But both the valid and the invalid certs are based on the same issuer. There is no difference except a two-week shift in the valid-from date. That's understandable.
The difference is that they're issued for different domains.

All certificates from these issuers will eventually be distrusted. The priority of distrust is that certificates for the largest sites are being distrusted last, in order to allow sufficient time to replace or find alternative certificates.

www.airtime.pro's certificate will be distrusted in a future release.
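The staged policy described in the two replies above (pre-cutoff StartCom/WoSign certificates kept only conditionally and withdrawn release by release, post-cutoff ones rejected outright) is worth scanning an internal certificate inventory for, so that affected certs are replaced before the next Chrome release removes them. The following is an added example, not code from this issue or from Chromium: a small DER walker that pulls the issuer and notBefore out of a certificate and classifies it. The cutoff date is taken from the linked blog post (an assumption here, since the issue does not quote it); `chrome_distrust_status`, `make_sample_cert` and the unsigned sample certificate skeleton are constructed for illustration.

```python
from datetime import datetime, timezone
# Issuance cutoff from the Google security blog post linked above (assumption: the date is not quoted here).
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
DISTRUSTED_ISSUERS = (b"StartCom", b"WoSign")

def _tlv(buf, pos):  # decode one DER TLV header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # yield the TLVs laid out back to back in buf[start:end]
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]

def issuer_and_not_before(der):
    """Pull the raw issuer Name bytes and the notBefore time out of a DER X.509 certificate."""
    _, cert_s, cert_e = _tlv(der, 0)
    tbs = next(_children(der, cert_s, cert_e))          # tbsCertificate
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity = fields[2], fields[3]             # serial, sigAlg, issuer, validity, ...
    tag, nb_s, nb_e = next(_children(der, validity[1], validity[2]))
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    not_before = datetime.strptime(der[nb_s:nb_e].decode(), fmt).replace(tzinfo=timezone.utc)
    return der[issuer[1]:issuer[2]], not_before

def chrome_distrust_status(der):
    """'unaffected', 'distrusted' (at/after cutoff) or 'legacy' (pre-cutoff: trusted only via CT or the allow-list, being withdrawn)."""
    issuer, not_before = issuer_and_not_before(der)
    if not any(name in issuer for name in DISTRUSTED_ISSUERS):   # substring match on the raw Name bytes
        return "unaffected"
    return "distrusted" if not_before >= CUTOFF else "legacy"

def _der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def make_sample_cert(issuer_cn, not_before_date):  # constructed, UNSIGNED skeleton; not a real StartCom cert
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer_cn.encode()))))
    start = datetime.fromisoformat(not_before_date)     # 'YYYY-MM-DD'
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = _der(0x30, utc(start) + utc(start.replace(year=start.year + 2)))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name + validity + name)
    return _der(0x30, tbs)
```

For a real inventory, feed `chrome_distrust_status` the DER bytes of each leaf certificate (for PEM input, base64-decode the body between the BEGIN/END lines first); the "legacy" bucket is the one to replace proactively, since its trust depends on the shrinking allow-list.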

Comment 5 by plane...@gmail.com, Mar 10 2017

got it, thanks!
