StartCom CA to Shut Down After Ban by Browser Vendors

The board of directors of China-based certificate authority StartCom announced on Friday that it has decided to shut down the company following the decision of major browser vendors to ban its certificates.

StartCom is a subsidiary of WoSign, a certificate authority (CA) owned by Chinese cybersecurity firm Qihoo 360. In September 2016, Mozilla informed the community of more than a dozen incidents involving WoSign and StartCom, including misissuance of certificates and attempting to hide the fact that WoSign had acquired StartCom in November 2015.

Shortly after, WoSign started making changes to its leadership, operational processes and technology. Nevertheless, in the following months all the major browser vendors – Apple, Microsoft, Google and Mozilla – announced their decision to ban WoSign and StartCom certificates.

StartCom has been unable to get its roots re-included in certificate trust stores, which is why its board decided to shut down the company. StartCom will stop selling certificates on January 1, 2018, but it will continue to operate its Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services for another two years, so certificates already issued can still be checked for revocation. In 2020, the company will eliminate its three root pairs.

“Yes, of course we will still contribute to Community and focus on security research,” said Xiaosheng Tan, chairman of StartCom’s board and CSO of Qihoo 360. “During the last ten years, the 360 security research teams have discovered hundreds of vulnerabilities in the major software companies and earned many acknowledgments in the world. Qihoo 360 and the PKI community share the same goal, which is making the internet a better place.”

As for WoSign, the company is working on getting re-included into trust stores. Earlier this year, its source code and infrastructure were analyzed by Germany-based Cure53 over a period of 40 days. The audit led to the discovery of 22 issues, but a majority of them were not actual vulnerabilities and Cure53 concluded that WoSign had made security a priority.

Mozilla will completely ban WoSign and StartCom certificates starting with Firefox 58, scheduled for release in January next year. Google did so in September with the release of Chrome 61. Microsoft also stopped trusting certificates issued by the companies after September 2017.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.