Hacker News new | past | comments | ask | show | jobs | submit login

Wosign is not in the list of default CAs on the Mac, according to Keychain, so if you are using Chrome on a Mac, since Chrome only uses the system's root certs, you should be safe as long as you don't go add that root cert into Keychain. Wosign is in Firefox however, so Mozilla needs to do something about this.



They're cross-signed by StartCom, which is trusted by MacOS.


True, is there anything a SSL cert manager can do short of a blanket ban of StartCom certs?


You can add code to fail validation if this specific intermediate certificate is in the trust chain, but there's no way to ban intermediate certificates with the X.509 trust model without removing the root from the CA store.

Firefox/Chrome already do some extra validation to ban SHA1 certs issued past a specific date, they'd just need to blacklist the fingerprint of the intermediate CA.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: