Warn if server use blocked Startssl/WoSign cert #457
Comments
|
May be able to cheat from Chrome's recent work: https://bugs.chromium.org/p/chromium/issues/detail?id=685826 |
|
This would have saved me hours of frustration trying to figure out what is wrong. See Installing StartSSL certificate under Apache gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome For certificates that are signed after October 21, 2016, the rating should be downgraded to F because most major browsers no longer trust the certs. For certificates before October 21, it should be a big warning that Firefox may stop trusting the cert after March 2017. See Distrusting New WoSign and StartCom Certificates | Mozilla Security Blog |
|
Notably, Chrome already distrusts some StartCom certs issued before 10/16/2016, and will eventually distrust them all. |
|
With the release of Chrome 57 which seems to block all sites that use any certificate from StartSSL this becomes even more important. |
|
Indeed. Note that there are still exceptions - the Chrome blocking of StartCom currently omits domains appearing in the Alexa top 500K. https://bugs.chromium.org/p/chromium/issues/detail?id=685826 |
|
https://blog.qualys.com/ssllabs/2017/04/05/ssl-labs-distrusts-wosign-and-startcom-certificates Test deployed on dev.ssllabs.com |
|
Could the work that was done for this be generalized into accomplishing #477? |
Add a Warning if server use blocked (by common browsers like Chrome or FF) Startssl/WoSign cert, please
https://community.qualys.com/thread/16987-a-site-fails-with-secerrorrevokedcertificate-on-firefox-51-but-has-grade-b-on-ssl-test
The text was updated successfully, but these errors were encountered: