StartCom cert issued prior to October 21st 2016 is not trusted
Reported by d...@davejeffery.com, Sep 8 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Steps to reproduce the problem:
1. Go to https://live.pin.gy/
2. Chrome will present user with NET::ERR_CERT_AUTHORITY_INVALID error

What is the expected behavior?
As shown in the attached screenshot, the certificate was issued on 4 October 2016. According to Google's security blog, all certificates issued by StartCom prior to Oct 21 2016 should be trusted: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
The certificate validates correctly on latest versions of Firefox and Safari.

What went wrong?
Certificate should have been trusted according to Google's security blog but it was not.

Did this work before? N/A

Chrome version: 60.0.3112.113 Channel: n/a
OS Version: OS X 10.12.3
Flash Version:
Sep 8 2017
Issue 713355 reduced the list of trusted certificates from the root, as described in the blog post: "We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases."
Sep 8 2017
This domain wasn't in the Alexa Top Million, and thus stopped working even before https://codereview.chromium.org/2718243003
Sep 8 2017
Ok, thank you for the quick reply.
Comment 1 by elawrence@chromium.org, Sep 8 2017
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug