Microsoft to Ban WoSign, StartCom Certificates

Windows Will Not Trust New Certificates Issued by WoSign and StartCom After September 2017

Microsoft has finally announced its decision in the case of Chinese certificate authority (CA) WoSign and its subsidiary StartCom. The company has informed customers that its products will soon stop trusting new certificates issued by these CAs.

Following a series of incidents and problems brought to the attention of the web browser community since January 2015, Mozilla, Apple and Google have decided to revoke trust in certificates from WoSign and StartCom.

The list of problems includes backdating certificates to bypass restrictions, issuing certificates without authorization, and misleading browser vendors about WoSign’s acquisition of StartCom and their relationship.

Microsoft has now also announced its decision regarding WoSign and StartCom certificates. Windows will continue to trust certificates issued before September 26, 2017, until they expire. However, new certificates issued by the firms after September 2017 will no longer work.

“Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program,” the company said on Tuesday. “Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.”
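The date-based policy described above (certificates from the two CAs issued before September 26, 2017 stay trusted until they expire, later ones are distrusted) and the duplicate-serial-number and SHA-1 problems in Microsoft's statement translate into checks a defender can run over their own certificate inventory to find what will stop working. The script below is an added example and is not code from the article, from Microsoft, or from any browser vendor. It assumes an inventory export that already carries subject, issuer organisation, serial, validity dates and signature algorithm; the substring match on the issuer's organisation name and the sample records are constructed for illustration (a real audit should match on the vendor-published root and intermediate fingerprints).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Cut-off reported in the article: Windows keeps trusting WoSign/StartCom
# certificates issued before this date until they expire; later ones are not trusted.
MS_DISTRUST_CUTOFF = date(2017, 9, 26)

# Issuer organisations affected. Matching on a substring of the issuer O= field
# is an assumption made for this example, not how Windows identifies the CAs.
DISTRUSTED_ISSUER_ORGS = ("WoSign", "StartCom")


@dataclass(frozen=True)
class CertRecord:
    """Minimal metadata an inventory export would carry for one certificate."""
    subject: str
    issuer_org: str
    serial: int
    not_before: date
    not_after: date
    sig_alg: str


def is_distrusted_issuer(rec: CertRecord) -> bool:
    """True if the issuer organisation names one of the affected CAs (assumed match rule)."""
    return any(org.lower() in rec.issuer_org.lower() for org in DISTRUSTED_ISSUER_ORGS)


def trust_status(rec: CertRecord, today: date, cutoff: date = MS_DISTRUST_CUTOFF) -> str:
    """Classify one certificate under the notBefore-based distrust policy.

    Returns "unaffected", "expired", "trusted_until_expiry" or "distrusted".
    """
    if not is_distrusted_issuer(rec):
        return "unaffected"
    if today > rec.not_after:
        return "expired"
    if rec.not_before < cutoff:
        return "trusted_until_expiry"
    return "distrusted"


def duplicate_serials(records):
    """Map (issuer_org, serial) -> subjects for serials reused by the same issuer.

    A serial number must be unique per issuer; reuse is one of the Baseline
    Requirements violations listed in Microsoft's statement.
    """
    seen = defaultdict(list)
    for rec in records:
        seen[(rec.issuer_org, rec.serial)].append(rec.subject)
    return {key: subjects for key, subjects in seen.items() if len(subjects) > 1}


def weak_sha1(records, today: date):
    """Subjects of still-valid certificates signed with SHA-1, whatever the issuer."""
    return [rec.subject for rec in records
            if "sha1" in rec.sig_alg.lower() and today <= rec.not_after]


def audit(records, today: date):
    """Summarise an inventory: status per subject plus the two finding lists."""
    return {
        "statuses": {rec.subject: trust_status(rec, today) for rec in records},
        "duplicate_serials": duplicate_serials(records),
        "weak_sha1": weak_sha1(records, today),
    }


# Constructed sample inventory; none of these are real certificates.
SAMPLE_INVENTORY = [
    CertRecord("shop.example", "WoSign CA Limited", 0x1001,
               date(2017, 3, 1), date(2019, 3, 1), "sha256WithRSAEncryption"),
    CertRecord("api.example", "StartCom Ltd.", 0x2002,
               date(2017, 10, 5), date(2019, 10, 5), "sha256WithRSAEncryption"),
    CertRecord("old.example", "WoSign CA Limited", 0x1003,
               date(2015, 6, 1), date(2017, 6, 1), "sha1WithRSAEncryption"),
    CertRecord("mail.example", "WoSign CA Limited", 0x1001,   # serial reused by same issuer
               date(2017, 4, 1), date(2019, 4, 1), "sha256WithRSAEncryption"),
    CertRecord("www.example", "Example Trusted Root", 0x3001,
               date(2017, 11, 1), date(2019, 11, 1), "sha256WithRSAEncryption"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, date(2017, 12, 1))
    for subject, status in report["statuses"].items():
        print(f"{subject:15} {status}")
    for (issuer, serial), subjects in report["duplicate_serials"].items():
        print(f"duplicate serial {serial:#x} from {issuer}: {', '.join(subjects)}")
    print("still-valid SHA-1 certificates:", report["weak_sha1"])
```

Run against the sample inventory as of December 2017, the API certificate issued by StartCom in October is reported as distrusted, the two WoSign certificates issued in spring 2017 stay trusted until they expire, and the reused serial 0x1001 is surfaced as a finding even though both certificates are otherwise still accepted.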

Google also plans on taking drastic action against the two CAs next month. The tech giant has set up a whitelist for some Alexa Top 1M websites using certificates from WoSign and StartCom, but the whitelist will be removed starting with Chrome 61, currently scheduled for release in mid-September.

StartCom and WoSign are not the only CAs that have gotten into trouble with web browser vendors as a result of misissued certificates. Symantec recently announced its decision to sell its certificate business to DigiCert for $950 million after Google announced that all certificates issued by the company would have to be replaced by October 2018, and that new certificates would have to be issued through the infrastructure of a subordinate CA.

Related: WoSign Changes Leadership Due to Certificate Incidents

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
