Apple to Revoke Trust in WoSign Certificates

After Mozilla announced that it might ban new certificates issued by Chinese certificate authority (CA) WoSign and its subsidiary StartCom for at least one year, Apple has decided to take measures.

The tech giant informed customers on Friday that it will soon release security updates to revoke trust in the WoSign CA Free SSL Certificate G2 intermediate CA in iOS and OS X, citing “multiple control failures in their certificate issuance processes.”

The company pointed out that WoSign root certificates are not in the iOS or macOS trust stores, but the intermediate CA used its ties to StartCom and Comodo to acquire trust in Apple products.

Existing certificates that were added to Certificate Transparency logs by September 19 will continue to be trusted until they expire or are revoked. However, Apple could at any time decide to untrust certificates from this intermediate CA.

“As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users,” Apple said.

Following an investigation, Mozilla published a report detailing more than a dozen incidents involving WoSign. The Firefox developer is displeased that WoSign issued SHA-1 certificates after the January 1, 2016, deadline and backdated them so that they would still be accepted by web browsers.
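An audit routine for the two rules the article describes, Apple's CT-log cutoff for certificates chaining to the WoSign intermediate and the SHA-1 issuance deadline that backdating was meant to dodge, written here as an added example rather than code from SecurityWeek, Apple or Mozilla. It uses the `cryptography` library and a constructed self-signed test leaf; the CT first-seen timestamp is passed in by hand (in practice it comes from a CT log lookup), and the 30-day grace window for the backdating heuristic is an assumption.

```python
from datetime import date, datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

SHA1_DEADLINE = datetime(2016, 1, 1, tzinfo=timezone.utc)   # no SHA-1 issuance after this
APPLE_CT_CUTOFF = date(2016, 9, 19)                         # in a CT log by this date: stays trusted
WOSIGN_INTERMEDIATE_CN = "WoSign CA Free SSL Certificate G2"
BACKDATE_GRACE = timedelta(days=30)                         # assumed: normal issue-to-log latency


def utc(year, month, day):
    """Aware UTC midnight timestamp, used for the constructed inputs."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def audit(cert, ct_first_seen):
    """Return finding codes for one leaf; ct_first_seen is its earliest CT log timestamp."""
    findings = []
    issuer_cn = cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    nb = getattr(cert, "not_valid_before_utc", None)  # aware on cryptography >= 42
    not_before = nb or cert.not_valid_before.replace(tzinfo=timezone.utc)
    if issuer_cn == WOSIGN_INTERMEDIATE_CN:
        # Apple keys the decision on when the cert reached a CT log, not on notBefore
        if ct_first_seen.date() <= APPLE_CT_CUTOFF:
            findings.append("WOSIGN_LEGACY")    # trusted until expiry/revocation; plan replacement
        else:
            findings.append("WOSIGN_REJECTED")  # fails validation on iOS/OS X once the update ships
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        if not_before >= SHA1_DEADLINE:
            findings.append("SHA1_AFTER_DEADLINE")
        elif ct_first_seen >= SHA1_DEADLINE and ct_first_seen - not_before > BACKDATE_GRACE:
            # notBefore claims pre-deadline issuance, yet no log saw the cert until well after it
            findings.append("SHA1_SUSPECTED_BACKDATE")
    return findings


def make_test_cert(issuer_cn, not_before, sha1):
    """Constructed self-signed leaf; only issuer CN, notBefore and signature hash matter here."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + timedelta(days=365))
            .sign(key, hashes.SHA1() if sha1 else hashes.SHA256()))
```

Running `audit(make_test_cert(WOSIGN_INTERMEDIATE_CN, utc(2015, 12, 20), sha1=True), utc(2016, 3, 1))` on a real inventory would be replaced by parsing each deployed leaf with `x509.load_pem_x509_certificate` and looking up its first CT sighting.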

Mozilla also pointed to some bugs that allowed applicants to add extra arbitrary domains to a certificate – this was exploited by an expert to show that he could obtain SSL certificates for GitHub.com. Another problem is that CAs must inform Mozilla if their ownership changes, but StartCom failed to inform the organization that it had been acquired by WoSign.

Due to these issues, some Mozilla representatives proposed that new certificates from WoSign and StartCom be banned for at least one year. The penalty for the CAs is still being discussed, but a decision is expected to be announced after a face-to-face meeting on Tuesday between representatives of Mozilla, StartCom and Qihoo 360, WoSign’s largest shareholder.

Google and Microsoft have yet to announce if they plan on taking any action against WoSign and StartCom.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.