Just a heads up that Chrome 57 was released into Beta today and will no longer trust any StartSSL/Wosign issued certificates
unless the site is in the Alexa Top 1M sites list.
Previous communication from Google (
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html) had read as though it would only be certificates issued since October 21, 2016 wouldn't be trusted. It then went onto say that it may not trust other certificates but didn't really say what that meant.
The following commit in Chrome 57 now seems to give that detail:
commit e719fc626a3b9a528bf226b704785bcb24d07868
author Ryan Sleevi <
rsleevi@chromium.org> Fri Jan 27 21:14:49 2017
committer Ryan Sleevi <
rsleevi@chromium.org> Fri Jan 27 21:14:49 2017
Restrict the set of WoSign/StartCom certs to the Alexa Top 1M
Restrict the set of domains for which WoSign/StartCom certificates
are trusted to the set of domains intersecting the Alexa Top 1M
whose certificates are unexpired and unrevoked.
BUG=685826
I found one of my sites (that still had a valid cert issued in April 2015) suddenly showed as untrusted following an auto update of Chrome Beta this morning. Its now running with a LE cert and I think I have now purged StartSSL certs from my systems.
