samspin wrote: I was hoping to continue using my Startcom cert that I had signed just before the cut-off date but then Google Chrome "upped the game" and cut off any certificates for sites not in the top 1 million Alexa rank.
This leapt out at me, because it might explain why one of my sites wasn't having a problem, but another was. Do you happen to have a source? I was mystified, because the users on my main site (crazyguyonabike.com) were not having any issues, but another newer website (topicwise.com) was getting the "untrusted" error on Chrome 57. The weird thing is, they both use the exact same StartSSL cert. I put all my domains into one cert for ease of configuration, and it also makes SNI (Server Name Indication) work even on older browsers. The Alexa rank would explain the difference, because crazyguyonabike.com appears to be around the 200,000 mark globally, whereas topicwise is more like 4,500,000. So if you have any links to this, I'd be interested...
Yes, there is a filing about this for Chromium's source code (as I'm sure you're aware, Chrome is based off of Chromium) here: https://codereview.chromium.org/2613833002
As well as a bug filing where the decision appears to have been documented: https://bugs.chromium.org/p/chromium/is ... ?id=685826
These appear to show that Google intends to phase out trust for all certs from Startcom/Wosign completely, and cutting to the top 1 million mark was the next ratchet up.
I had the same issue, planetvampire.com would work but no other sites would, even though they all used the same end entity certificate via SANs. Planetvampire.com was a SAN name and worked fine, but the default CN name was *.samspin.net, yet anything under samspin.net was blocked as untrusted.

Ah yes, that's another motive I had for wanting to keep one cert for as many as possible: supporting non-SNI browsers for as long as possible. I have to say, I do kinda see it from both sides here: browser vendors have to give out the message that breaking the rules is intolerable, and attempting to cover up only makes things worse. But for us customers who rely on small firms like Startcom, which had grown in its own right long before Wosign came to town, it really does make life difficult. Having said that, I did notice that Google is taking a much harsher line than Mozilla even in their initial announcement: https://security.googleblog.com/2016/10 ... rtcom.html
"In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites." I did try to keep an eye on things after that announcement, but the outside-top 1 million blockage hit me in the teeth.
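The behaviour the posters describe (one multi-SAN certificate, some hostnames accepted and others rejected by the same browser) comes from the fact that the distrust was applied per connected hostname, not per certificate. The following is an added illustration, not code from this thread and not Chromium's actual implementation: it models a staged-distrust policy as "issuer on a distrust list, unless the host's registrable domain is on an allow-list", alongside RFC 6125-style name matching. The issuer strings, hostnames, allow-list and the two-label registrable-domain helper are all constructed assumptions for the demo.

```python
"""Model of per-hostname CA distrust with an allow-list exception.

Added example for the forum discussion above. It is NOT Chromium's code
and NOT the real exception list; it only reproduces the shape of the
behaviour: the same SAN certificate passes for an allow-listed host and
fails for every other host, while a certificate from an unaffected CA
passes everywhere. All names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed: issuer CNs treated as being under staged distrust (assumption).
DISTRUSTED_ISSUERS = {
    "StartCom Class 1 DV Server CA",
    "WoSign CA Free SSL Certificate G2",
}

# Constructed allow-list standing in for the "top 1 million" exception.
ALLOW_LIST = {"planetvampire.com", "crazyguyonabike.com"}


@dataclass
class Cert:
    issuer: str
    common_name: str
    sans: list = field(default_factory=list)


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels). Assumption for the demo; real
    verifiers use the Public Suffix List so that e.g. co.uk is handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard is allowed only as the entire
    leftmost label and matches exactly one label, so *.samspin.net covers
    www.samspin.net but neither samspin.net nor a.b.samspin.net."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".samspin.net"
        if not hostname.endswith(suffix):
            return False
        prefix = hostname[: -len(suffix)]
        return prefix != "" and "." not in prefix
    return False


def cert_covers(cert, hostname):
    """Browsers use the SAN list when present and ignore the CN; the CN is
    only consulted for legacy certificates with no SAN extension."""
    names = cert.sans if cert.sans else [cert.common_name]
    return any(name_matches(n, hostname) for n in names)


def verify(cert, hostname):
    """Return (ok, reason) for presenting `cert` on a connection to `hostname`."""
    if not cert_covers(cert, hostname):
        return False, "name mismatch"
    if cert.issuer in DISTRUSTED_ISSUERS and registrable_domain(hostname) not in ALLOW_LIST:
        return False, "issuer distrusted for this host"
    return True, "ok"


# Constructed sample resembling the thread: CN *.samspin.net, SANs for
# the wildcard, the bare domain and an allow-listed site.
SAMPLE_CERT = Cert(
    issuer="StartCom Class 1 DV Server CA",
    common_name="*.samspin.net",
    sans=["*.samspin.net", "samspin.net", "planetvampire.com"],
)

if __name__ == "__main__":
    for host in ["planetvampire.com", "www.samspin.net", "samspin.net",
                 "a.b.samspin.net", "www.planetvampire.com"]:
        print(f"{host:24s} -> {verify(SAMPLE_CERT, host)}")
```

Running it shows planetvampire.com accepted and every samspin.net host rejected with "issuer distrusted for this host", which is exactly the split reported in the thread; a.b.samspin.net fails earlier on name matching because the wildcard covers only one label. Swap in an issuer that is not on the distrust list and the same certificate is accepted for all of its names.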