Chrome 57 now reports the big scary "Your connection is not private" message for most StartCom or WoSign sites. This includes "Attackers might be trying to steal your information," with the code NET::ERR_CERT_AUTHORITY_INVALID.
Even if users click Advanced→Proceed... to continue anyway, any cross-domain StartCom/WoSign requests will simply fail with net::ERR_INSECURE_RESPONSE (status 0).
In Chrome 56, this only applied to certificates issued after Oct 21, 2016, but starting in Chrome 57, it applies to all sites that are not part of the Alexa 1M, regardless of when the certificate was issued.
Unfortunately, it's not part of the Chrome release notes. The best resource I found on the issue was at https://forums.whirlpool.net.au/archive/2605051. It refers to this commit:

    commit e719fc626a3b9a528bf226b704785bcb24d07868
    author Ryan Sleevi <[email protected]> Fri Jan 27 21:14:49 2017
    committer Ryan Sleevi <[email protected]> Fri Jan 27 21:14:49 2017

    Restrict the set of WoSign/StartCom certs to the Alexa Top 1M

    Restrict the set of domains for which WoSign/StartCom certificates
    are trusted to the set of domains intersecting the Alexa Top 1M
    whose certificates are unexpired and unrevoked.

    BUG=685826

If you've been putting off your updates since the earlier discussions[1][2][3][4][5], then it's time to kick it into high gear and update your certs. If you missed all that, https://wiki.mozilla.org/CA:WoSign_Issues enumerates the issues, and https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html summarizes it at a high level.
[1] https://news.ycombinator.com/item?id=12389573
[2] https://news.ycombinator.com/item?id=12444590
[3] https://news.ycombinator.com/item?id=12617659
[4] https://news.ycombinator.com/item?id=12787029
[5] https://news.ycombinator.com/item?id=12841860
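
An added example, not part of the original post or of Chrome's code: a small audit that applies the two rules described above (the Chrome 56 issue-date cutoff and the Chrome 57 Alexa Top 1M restriction) to the output of `openssl x509 -noout -issuer -startdate` for each host in an inventory. Matching the CA by issuer name, carrying the date rule forward into Chrome 57, the host names, the allowlist and the sample certificate data are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Assumption: match the CA by issuer name; Chrome identifies the CAs by key instead.
AFFECTED = ("startcom", "wosign")
# Chrome 56 rule from the post: certificates issued after Oct 21, 2016.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)

def parse_openssl(text):
    """Parse `openssl x509 -noout -issuer -startdate` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    issued = datetime.strptime(fields["notBefore"], "%b %d %H:%M:%S %Y GMT")
    return fields["issuer"], issued.replace(tzinfo=timezone.utc)

def in_allowlist(host, allowlist):
    """True if the host or any parent domain is on the allowlist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def classify(host, openssl_text, allowlist):
    """Return (chrome56, chrome57) verdicts under this policy only."""
    issuer, issued = parse_openssl(openssl_text)
    if not any(name in issuer.lower() for name in AFFECTED):
        return ("trusted", "trusted")  # other CA: policy does not apply
    blocked56 = issued > CUTOFF
    # Assumption: the Chrome 56 date rule still applies in Chrome 57.
    blocked57 = blocked56 or not in_allowlist(host, allowlist)
    return tuple("blocked" if b else "trusted" for b in (blocked56, blocked57))

# Constructed stand-in for the Alexa Top 1M list and constructed openssl output.
ALLOWLIST = {"popular.example"}
INVENTORY = {
    "shop.example.test": "issuer=C = IL, O = StartCom Ltd., CN = constructed CA\n"
                         "notBefore=Mar  3 12:00:00 2016 GMT",
    "www.popular.example": "issuer=C = CN, O = WoSign CA Limited, CN = constructed CA\n"
                           "notBefore=Jun 10 08:30:00 2016 GMT",
    "new.popular.example": "issuer=C = IL, O = StartCom Ltd., CN = constructed CA\n"
                           "notBefore=Nov  2 00:00:00 2016 GMT",
    "other.example.test": "issuer=C = US, O = Example CA, CN = constructed CA\n"
                          "notBefore=Jan 15 00:00:00 2017 GMT",
}

def audit():
    return {h: classify(h, t, ALLOWLIST) for h, t in INVENTORY.items()}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(host, *verdict)
```

Hosts reported as blocked in either column are the ones whose certificates need replacing first.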