Mozilla to Completely Ban WoSign, StartCom Certificates in Firefox 58

Mozilla this week announced plans to completely remove trust in the digital certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom starting with Firefox 58. 

The move follows the company’s previously laid out plans to distrust these certificates after over a dozen incidents and issues were brought to the attention of the web browser community since January 2015. 

Some of the reported problems include the issuance of certificates without authorization and the backdating of certificates to bypass restrictions. Additionally, the two companies weren’t completely honest with browser vendors about WoSign's acquisition of StartCom and their relationship.

As a result, leading browser vendors and tech companies, including Apple, Google, Microsoft, and Mozilla, decided to distrust certificates issued by the two companies. Microsoft and Google have already announced plans to completely ban WoSign and StartCom certificates in their products. 

After initially distrusting these certificates for only one year, Mozilla has finally decided to follow Microsoft and Google and revealed this week that Firefox 58 will completely remove trust in them. 

Starting with Firefox 51, Mozilla no longer validates new certificates chaining to the root certificates owned by WoSign and StartCom. The company now plans to completely remove these root certificates from Mozilla’s Root Store.

“We plan to release the relevant changes to Network Security Services (NSS) in November, and then the changes will be picked up in Firefox 58, due for release in January 2018,” the company announced. 

Mozilla also warns that some website owners will need to migrate to different root certificates. Affected are websites that use certificates chaining up to root certificates such as CA 沃通根证书, Certification Authority of WoSign, Certification Authority of WoSign G2, CA WoSign ECC Root, StartCom Certification Authority, and StartCom Certification Authority G2. 
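
For site owners who want to check their own servers, the following is an added example (not code from Mozilla or from the original article) that scans the "Certificate chain" listing printed by `openssl s_client -showcerts` for the root names listed above. The function names and the sample chains are assumptions constructed for illustration.

```python
import re

# Root names exactly as the article lists them. Name matching is a first pass;
# the article gives no fingerprints, which would be the authoritative check.
DISTRUSTED_ROOTS = {
    "CA 沃通根证书", "Certification Authority of WoSign",
    "Certification Authority of WoSign G2", "CA WoSign ECC Root",
    "StartCom Certification Authority", "StartCom Certification Authority G2",
}
# " 0 s:<dn>" and "   i:<dn>" lines of the "Certificate chain" listing.
LINE_RE = re.compile(r"^\s*(\d+)?\s*([si]):(.*)$")
# CN in "/CN=x" (older OpenSSL) or "CN = x" (newer OpenSSL) notation.
CN_RE = re.compile(r"(?:^|[/,]\s*)CN\s*=\s*([^/,]+)")

def common_name(dn):
    """Extract the CN attribute from a distinguished name string."""
    m = CN_RE.search(dn.strip())
    return m.group(1).strip() if m else None

def distrusted_links(s_client_output):
    """Return (depth, subject CN, issuer CN) for each chain entry that names a listed root."""
    hits, depth, subject = [], None, None
    for line in s_client_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, kind, dn = m.groups()
        if kind == "s":  # subject line opens a new chain entry
            depth, subject = (int(num) if num else depth), common_name(dn)
        elif {subject, common_name(dn)} & DISTRUSTED_ROOTS:  # issuer line
            hits.append((depth, subject, common_name(dn)))
    return hits

# Constructed samples: hostnames, organisations and intermediate names are made up.
SAMPLE_OLD_STYLE = """Certificate chain
 0 s:/CN=www.example.test
   i:/C=XX/O=Constructed Org/CN=Constructed Intermediate CA
 1 s:/C=XX/O=Constructed Org/CN=Constructed Intermediate CA
   i:/C=XX/O=Constructed Org/CN=Certification Authority of WoSign
"""
SAMPLE_NEW_STYLE = """Certificate chain
 0 s:CN = shop.example.test
   i:C = XX, O = Constructed Org, CN = Constructed Class 1 CA
 1 s:C = XX, O = Constructed Org, CN = Constructed Class 1 CA
   i:C = XX, O = Constructed Org, CN = StartCom Certification Authority
"""
if __name__ == "__main__":
    for sample in (SAMPLE_OLD_STYLE, SAMPLE_NEW_STYLE):
        print(distrusted_links(sample))
```

Servers usually omit the root itself, so the issuer of the last certificate sent is the field that reveals which root the chain depends on.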

In October last year, after Mozilla and Apple revealed plans to take action against its certificates, WoSign decided to make some changes in leadership, operational processes and technology. Qihoo 360, WoSign's largest shareholder, said it was looking to completely separate WoSign and StartCom and asked browser vendors to judge each company separately.
