Apple and Others Revoke All Security Certificates from Chinese Provider
In recent days, several major tech companies have formally disavowed and discontinued use of a Chinese security certificate provider, WoSign. The abandonments began when Mozilla announced that WoSign was not following best practices in issuing its certificates. The primary concern lies in the fact that WoSign was back-dating certain website certificates to circumvent checks that prevent expired certs from working. After Mozilla’s announcement, Apple quickly also said that they would distrust and ban all WoSign certificates. Not long after, Google followed by announcing the search giant would also distrust WoSign and a related firm beginning immediately.
The result of all this action is that the web will be a slightly safer place. Invalid security certificates are no joke; it’s essential that all parties involved can trust the validity of a website’s security. What is a certificate, though? Perhaps while browsing websites in Safari on macOS, you’ve noticed that many sites default to HTTPS instead of HTTP. You may already be aware that this is a sign that SSL security is active, encrypting the data exchanged between your computer and the web server. However, to work properly, SSL requires security certificates. Understanding what these are is essential for safe browsing.
Just enabling SSL doesn’t automatically mean you can trust a website. That’s why sites using encryption turn to third party Certificate Authorities — like WoSign — to verify their identity. This third-party verification is known as a certificate. Essentially, this tells your computer that “Yes, this person is who they say they are,” proving you aren’t currently at risk of a “man in the middle” attack. Apple, Google, and others keep a database of trustworthy certificate providers. If you visit a website with an invalid certificate or no certificate at all over HTTPS, your browser will usually warn you.
Perhaps you’ve even seen those warnings before. It’s essential to avoid communicating sensitive data over insecure connections, especially when you’ve seen a certificate warning. Without a valid certificate, there’s no way to know with whom you’re communicating. Therefore, Apple’s steps to distrust WoSign certificates is a solid move for user safety. Obviously, an expired certificate is a major issue. Because WoSign was continuing to verify these as legitimate, it calls into question everything they’ve issued. The swift action taken this month ensures these actions don’t harm users.