When I restarted my blogging, I chose liberty.me as my blog host because it gave me a pretty good WordPress install with decent themes, HTTPS, spam blockers etc., as well as being a good match on ideological grounds. It was also priced correctly at the low low price of $FREE. Unfortunately, to some extent you get what you don’t pay for, and I have discovered that unless liberty.me gets a clue by four pronto my blog will soon be inaccessible to me and to many of my readers. The problem is that the certificate for this site (ombreolivier.liberty.me) is one that uses StartCom as its root, and Google Chrome will no longer be allowing access to any StartCom-signed site (Mozilla’s Firefox is also taking action, though the timetable is slightly different, and Apple simply blocked all newly issued certificates). Since I’d quite like my reader(s) to continue to be able to read the site, and since liberty.me have paid no attention to my attempts to warn them, it looks like my only choice is to up sticks and move on.

[Screenshot] The text a user of Chrome v60 and higher gets when trying to access this site

For more gory details read on

StartCom distrust details

Almost a year ago Google and Mozilla discovered various irregularities with a Chinese certificate authority called WoSign. During their investigation they discovered that WoSign had bought StartCom and not told anyone of this fact, something which is completely against the trust and transparency requirements for Certificate Authorities.

On August 17, 2016, Google was notified by GitHub’s security team that WoSign had issued a certificate for one of GitHub’s domains without their authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign misissuance.
The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign’s. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

As a result they (and Apple) decided to no longer trust the StartCom Certificate Authority. In order to minimize disruption, Mozilla and Google have gradually reduced the number of StartCom-issued certificates that they trust. In the case of Google’s Chrome browser (and related browsers) the timetable was as follows:

From https://bugs.chromium.org/p/chromium/issues/detail?id=685826#c15 the current Chrome distrust schedule is:
Chrome 56 is date [certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC]
Chrome 57 is limited to the global top million domains that had such certificates
Chrome 58 is limited to the global top 500,000 domains that had such certificates
I don’t have any further details since then.

For Mozilla the actions are as follows:

Specifically, Mozilla is taking the following actions:

Distrust certificates with a notBefore date after October 21, 2016 which chain up to the following affected roots. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the affected roots.
This change will go into the Firefox 51 release train.
The code will use the following Subject Distinguished Names to identify the root certificates, so that the control will also apply to cross-certificates of these roots.
CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
Add the previously identified backdated SHA-1 certificates chaining up to these affected roots to OneCRL.
No longer accept audits carried out by Ernst & Young Hong Kong.
Remove these affected root certificates from Mozilla’s root store at some point in the future. If the CA’s new root certificates are accepted for inclusion, then Mozilla may coordinate the removal date with the CA’s plans to migrate their customers to the new root certificates. Otherwise, Mozilla may choose to remove them at any point after March 2017.
Mozilla reserves the right to take further or alternative action.

If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

It is my belief, having read these statements, that in the near future a StartCom-signed certificate will no longer be trusted by Firefox, Chrome or Chrome-derived browsers (Chromium, Brave, ...).
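To make the two rules quoted above concrete, here is an added example (my own illustration, not liberty.me’s, Google’s or Mozilla’s code) that applies them to a certificate chain: it matches any certificate in the chain against the affected root Subject DNs from Mozilla’s list, compares the leaf’s notBefore date with the October 21, 2016 cutoff, and can also model the later step Mozilla reserved, removing the roots from the store altogether. The chains are constructed; the intermediate names and the main-site issuer are placeholders, and only the blog certificate’s issue date comes from this post.

```python
# Added example: the WoSign/StartCom distrust rule applied to a certificate chain.
# Not code from liberty.me, Google or Mozilla; sample chains below are constructed.
from datetime import datetime, timezone

# Subject DNs of the affected roots exactly as listed in Mozilla's announcement.
AFFECTED_ROOT_DNS = [
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
]

# Leaf certificates with notBefore on or after this instant are distrusted
# (Chrome's wording: "after October 21, 2016 00:00:00 UTC").
CUTOFF = datetime(2016, 10, 21, 0, 0, 0, tzinfo=timezone.utc)


def parse_dn(dn):
    """Turn 'CN=x, O=y, C=z' into a frozenset of (attribute, value) pairs.

    Mozilla prints absent attributes as 'null', so those are dropped. Attribute
    order is ignored, since two DNs are equal however a tool happens to print them.
    Values containing ', ' are not handled; none of the affected roots need it.
    """
    pairs = set()
    for rdn in dn.split(", "):
        attr, _, value = rdn.partition("=")
        if value.strip() != "null":
            pairs.add((attr.strip(), value.strip()))
    return frozenset(pairs)


AFFECTED_ROOTS = {parse_dn(dn) for dn in AFFECTED_ROOT_DNS}


def affected_root_in_chain(chain):
    """Return the subject of the first certificate (leaf first) whose Subject DN
    matches an affected root, or None. Matching on Subject DN rather than on a
    particular root key is what makes cross-certificates of these roots count too."""
    for cert in chain:
        if parse_dn(cert["subject"]) in AFFECTED_ROOTS:
            return cert["subject"]
    return None


def distrust_reason(chain, roots_removed=False):
    """Explain why a chain would be rejected, or return None if it is still trusted.

    chain: list of dicts ordered leaf first, each with 'subject', 'issuer' and a
           timezone-aware UTC 'not_before' datetime.
    roots_removed: True models the affected roots being removed from the trust
           store outright, which also breaks leaves issued before the cutoff.
    """
    root = affected_root_in_chain(chain)
    if root is None:
        return None
    leaf = chain[0]
    if leaf["not_before"] >= CUTOFF:
        return "leaf notBefore %s is after the cutoff and chains to %s" % (
            leaf["not_before"].date(), root)
    if roots_removed:
        return "root %s has been removed from the trust store" % root
    return None


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


STARTCOM_ROOT = "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL"
INTERMEDIATE = "CN=StartCom DV Intermediate (constructed), O=StartCom Ltd., C=IL"

# Constructed chain for this blog: only the March 22, 2016 issue date is from the post.
BLOG_CHAIN = [
    {"subject": "CN=*.liberty.me (constructed)", "issuer": INTERMEDIATE, "not_before": _utc(2016, 3, 22)},
    {"subject": INTERMEDIATE, "issuer": STARTCOM_ROOT, "not_before": _utc(2015, 1, 1)},
    {"subject": STARTCOM_ROOT, "issuer": STARTCOM_ROOT, "not_before": _utc(2006, 1, 1)},
]

# Constructed chain for a certificate issued after the cutoff from the same CA.
POST_CUTOFF_CHAIN = [
    {"subject": "CN=example.invalid", "issuer": INTERMEDIATE, "not_before": _utc(2017, 1, 15)},
] + BLOG_CHAIN[1:]

# Constructed chain for the main site, issued by an unaffected (placeholder) CA.
OTHER_ROOT = "CN=Example Root CA (constructed), O=Example, C=US"
MAIN_SITE_CHAIN = [
    {"subject": "CN=liberty.me (constructed)", "issuer": OTHER_ROOT, "not_before": _utc(2017, 5, 1)},
    {"subject": OTHER_ROOT, "issuer": OTHER_ROOT, "not_before": _utc(2010, 1, 1)},
]

if __name__ == "__main__":
    for name, chain in [("blog", BLOG_CHAIN), ("post-cutoff", POST_CUTOFF_CHAIN), ("main site", MAIN_SITE_CHAIN)]:
        print(name, "notBefore rule:", distrust_reason(chain))
        print(name, "roots removed:", distrust_reason(chain, roots_removed=True))
```

Run against the sample data, the blog chain passes the notBefore rule (it was issued in March 2016) but fails as soon as the roots are removed from the store, which is the situation the post describes; a post-cutoff leaf fails the first rule immediately, and the main-site chain is untouched either way. To apply it to a live server, collect the chain’s subjects and notBefore dates with `openssl s_client -showcerts` piped through `openssl x509 -noout -subject -dates` and fill in the dicts.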

Liberty.me and StartCom

Liberty.me has one certificate that it uses for its main site (https://liberty.me) and a different one that it uses for the blogs that its members (including me) create. The main-site certificate is actually a Cloudflare certificate, because liberty.me uses Cloudflare’s Always Online™, and it isn’t signed by StartCom, so that one is fine.

[Screenshot] The liberty.me Cloudflare certificate

The certificate used for this blog however is from StartCom:

[Screenshot] Certificate for this blog (ombreolivier.liberty.me) and any other liberty.me blog

The certificate was issued March 22, 2016 and will expire March 22, 2018. It would be a really good idea if liberty.me found another CA (Comodo perhaps) that is not under a cloud – so that means also avoiding Symantec – and bought a new certificate now instead of waiting another 9 months.