
Chrome 57 distrusts most StartSSL certificates - alanfranzoni
http://forums.whirlpool.net.au/archive/2605051
======
jsiepkes
The issue is that Google did not communicate this properly.

The only communication about StartSSL is here:
[https://security.googleblog.com/2016/10/distrusting-wosign-a...](https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html?m=1)
which says:

----8<------
Beginning with Chrome 56, certificates issued by WoSign and
StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates
issued before this date may continue to be trusted, for a time, if they comply
with the Certificate Transparency in Chrome policy or are issued to a limited
set of domains known to be customers of WoSign and StartCom.
---8<-----

Apparently "for a time" means Chrome 57 without any warning, which I think is
way too careless for dealing with such matters.

------
DomBlack
We spent a good hour or two when Chrome 56 came out trying to work out why our
.eu domain didn't work but the .com did, even though it was the same StartSSL
cert on the same IP. Turned out our .eu wasn't popular enough to remain
allowed even though it was our primary domain up until last year.

I had read the original blog post but my original understanding was that
existing certificates would remain trusted and simply newer ones would not be.
Hidden in the paragraph was the part about them starting to distrust existing
certificates. Very poor communication from Google.

------
TazeTSchnitzel
I disabled that CA in Firefox a while ago, and it occasionally prevents me
visiting a site; it's quite widely used. Wonder if that'll become a common
experience for Chrome users.

------
cridenour
As do I.

