Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Mozilla Could Ban Certificates From Chinese CA WoSign

Following the discovery of several major problems, Mozilla has proposed that certificates issued by Chinese certificate authority (CA) WoSign and its subsidiary StartCom be banned in Firefox for at least one year.

Following the discovery of several major problems, Mozilla has proposed that certificates issued by Chinese certificate authority (CA) WoSign and its subsidiary StartCom be banned in Firefox for at least one year.

Mozilla has learned about more than a dozen incidents involving WoSign since January 2015. The organization has admitted that not all of them are the CA’s fault, such as a mis-issuance for an Alibaba domain that was temporarily compromised by attackers. However, some of the identified problems are WoSign’s fault and they cannot be ignored.

One of the most serious problems is related to WoSign issuing SHA-1 certificates. SHA-1 certificates are no longer considered secure and major browser vendors plan on banning them in the upcoming period.

CAs have been advised not to provide customers SHA-1 certificates after January 1, 2016, but Mozilla says WoSign created tens of such certificates and back-dated them to make it look like they were issued in December 2015.

Another major problem is related to bugs that allowed applicants to add extra arbitrary domains to a certificate. The flaws were discovered by Stephen Schrauger, who managed to obtain SSL certificates for GitHub.com and the University of Central Florida’s main domain.

Mozilla also pointed out that WoSign has apparently attempted to hide the fact that it acquired Israel-based CA StartCom. Mozilla said WoSign acquired StartCom in November 2015 and, soon after, StartCom started using WoSign infrastructure.

Advertisement. Scroll to continue reading.

CAs are required to inform Mozilla if their ownership changes. WoSign representatives recently claimed they did not do so because the acquisition had not been completed and StartCom’s systems had remained the same, but Mozilla found evidence suggesting otherwise.

“The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software,” Mozilla said in its report.

Due to these problems, Mozilla has proposed that newly-issued certificates from WoSign and StartCom no longer be trusted by its products for a period of at least one year. The proposal is currently up for debate, but if the measure is enforced, existing WoSign certificates will not be impacted.

After one year, WoSign and StartCom may be re-admitted to the Mozilla trust program if they clean up their act and meet certain requirements. WoSign has asked Mozilla to at least continue allowing it to issue certificates in China, but the Internet company believes its Chinese users don’t have lower trustworthiness requirements.

Many believe WoSign would likely not survive if Mozilla and others ban its certificates. It’s unclear if Google and other vendors plan on taking similar measures, but Mozilla published its report to help other companies make a decision. It’s worth noting that Google revoked trust in certificates from the China Internet Network Information Center (CNNIC) last year after the discovery of serious trust issues.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.