Distrusting certificates – Time to act if you use a StartCom (StartSSL) or WoSign certificate

by Michael Scharnagl

This article was last updated on December 20, 2016, and the information given may no longer be accurate. Feel free to contact me on Twitter for more details.

Info: If you are using a certificate from StartCom (for example, the free StartSSL certificate) or WoSign, you should start switching to another certificate (from Let’s Encrypt or any other trusted one). Otherwise, your site will be marked as insecure and might not be accessible to users in the next stable versions of Chrome (56) and Firefox (51), both of which will be released at the beginning of 2017.

This month my SSL certificate from StartSSL for justmarkup.com had to be renewed. This task is normally done pretty quickly and I didn’t expect any problems. Some days later I updated Chrome to version 56, and suddenly my site was marked as insecure and I had to explicitly allow access to it.

Chrome 56 showing justmarkup.com as insecure because of a StartSSL certificate. Screenshot by Anselm Hannemann

I tried to access it in other browsers, but they all showed the site as secure. After some debugging and trying to find the problem, I came across an article by the Google security team. As you can read there, as of Chrome 56 (and also Firefox 51, as I later found out), certificates from StartCom (including their free StartSSL certificates) and WoSign will no longer be accepted, and sites using them will be marked as insecure.

Before Let’s Encrypt came out, a lot of people got their certificate from StartCom, as they were one of the only ones available for free. I expect a lot of people still use them, and I hope they find out about the problem soon enough so their sites will still be available after the next stable releases.

Thanks to Anselm Hannemann for reminding me about the issue yesterday, so I finally took the time to switch servers and move to Let’s Encrypt.
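To find out which of your own sites are affected before the browsers tell you, the following script (an added example, not part of the original article) fetches the certificate each host serves and flags issuers that name StartCom, StartSSL or WoSign. The function names are made up for this example, and matching on the issuer text of the leaf certificate is a heuristic assumption: it does not inspect the rest of the chain.

```shell
#!/bin/sh
# Added example: flag hosts whose served certificate was issued by
# StartCom (StartSSL) or WoSign. Function names are hypothetical.

# classify_issuer ISSUER_LINE -> prints "affected" or "ok".
# Heuristic (assumption): case-insensitive match of the CA names from the
# article against the issuer line printed by `openssl x509 -noout -issuer`.
classify_issuer() {
  issuer_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$issuer_lc" in
    *startcom*|*startssl*|*wosign*) echo affected ;;
    *) echo ok ;;
  esac
}

# fetch_issuer HOST [PORT] -> prints the issuer line of the leaf certificate.
# -servername sends SNI so shared hosts return the right certificate.
fetch_issuer() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null
}

# audit_hosts HOST... -> one line per host: "<status> <host> <issuer>".
# A host that does not answer or serves no certificate is reported as
# "unreachable" instead of being silently counted as ok.
audit_hosts() {
  for host in "$@"; do
    issuer=$(fetch_issuer "$host")
    if [ -z "$issuer" ]; then
      echo "unreachable $host"
    else
      echo "$(classify_issuer "$issuer") $host $issuer"
    fi
  done
}

# Usage: sh audit.sh example.org www.example.org
if [ "$#" -gt 0 ]; then
  audit_hosts "$@"
fi
```

Run it against every hostname you serve over HTTPS, including subdomains, since each may carry its own certificate.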

Michael Scharnagl


A freelance front-end developer focusing on HTML5, CSS, progressive enhancement and web performance.