Mozilla Could Ban Certificates From Chinese CA WoSign

Following the discovery of several major problems, Mozilla has proposed that certificates issued by Chinese certificate authority (CA) WoSign and its subsidiary StartCom be banned in Firefox for at least one year.

Mozilla has learned about more than a dozen incidents involving WoSign since January 2015. The organization has admitted that not all of them are the CA’s fault, such as a mis-issuance for an Alibaba domain that was temporarily compromised by attackers. However, some of the identified problems are WoSign’s fault and they cannot be ignored.

One of the most serious problems is related to WoSign issuing SHA-1 certificates. SHA-1 certificates are no longer considered secure, and major browser vendors plan to stop trusting them in the near future.

CAs have been advised not to provide customers with SHA-1 certificates after January 1, 2016, but Mozilla says WoSign created tens of such certificates after that date and back-dated them to make it look like they had been issued in December 2015.
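A back-dated notBefore field cannot be detected from the certificate alone, but it can be detected by comparing notBefore with the date the certificate was first observed by an independent party (for instance a Certificate Transparency log or an Internet scan). The following audit routine is an added example written for this article, not code from Mozilla or WoSign; the record fields, the sample certificates and the 30-day grace period are constructed assumptions, while the January 1, 2016 cutoff comes from the text above.

```python
from datetime import datetime, timedelta

# Date after which CAs were told not to issue SHA-1 certificates (from the article).
SHA1_CUTOFF = datetime(2016, 1, 1)

# OID names as printed by OpenSSL for SHA-1 signatures.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

# Constructed sample inventory (assumed schema, not real WoSign certificates).
# "not_before" is the date the certificate claims; "first_seen" is the date an
# independent observer (CT log, scan) first recorded it, which back-dating cannot rewrite.
SAMPLE_CERTS = [
    {"subject": "ok.example", "sig_alg": "sha256WithRSAEncryption",
     "not_before": datetime(2016, 3, 4), "first_seen": datetime(2016, 3, 4)},
    {"subject": "late-sha1.example", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2016, 2, 10), "first_seen": datetime(2016, 2, 10)},
    {"subject": "backdated.example", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2015, 12, 20), "first_seen": datetime(2016, 4, 2)},
    {"subject": "legit-sha1.example", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2015, 12, 20), "first_seen": datetime(2015, 12, 21)},
]


def audit_sha1(certs, cutoff=SHA1_CUTOFF, grace=timedelta(days=30)):
    """Return (subject, reason) findings for SHA-1 certificates.

    Two conditions are flagged:
      * sha1-after-cutoff: the certificate openly claims a notBefore on or after
        the cutoff date.
      * sha1-possibly-backdated: notBefore is before the cutoff, but the
        certificate was first observed more than `grace` after that date,
        which is how a back-dated certificate looks from the outside.
    """
    findings = []
    for cert in certs:
        if cert["sig_alg"] not in SHA1_ALGORITHMS:
            continue  # SHA-256 and stronger signatures are not in scope here
        if cert["not_before"] >= cutoff:
            findings.append((cert["subject"], "sha1-after-cutoff"))
        elif cert["first_seen"] - cert["not_before"] > grace:
            findings.append((cert["subject"], "sha1-possibly-backdated"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_sha1(SAMPLE_CERTS):
        print(f"{subject}: {reason}")
```

In a real deployment the `first_seen` value would come from a CT log entry timestamp or a scan database; the grace period absorbs normal delays between issuance and first observation, and anything beyond it warrants a closer look rather than an automatic verdict.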

Another major problem is related to bugs that allowed applicants to add extra arbitrary domains to a certificate. The flaws were discovered by Stephen Schrauger, who managed to obtain SSL certificates for GitHub.com and the University of Central Florida’s main domain.
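The class of bug described above is a domain-validation check that does not cover every name that ends up in the certificate. The snippet below is an added example, not WoSign's code or Stephen Schrauger's findings: a flawed issuance check that validates only the first requested name is placed beside a corrected one that checks every Subject Alternative Name. The rule that a validated domain also authorizes its subdomains, but never its parent domain, is an assumption about the CA's policy, and the sample requests are constructed.

```python
def normalize(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are consistent."""
    return name.lower().rstrip(".")


def is_authorized(san, validated_domains):
    """True if `san` equals a validated domain or is a subdomain of one.

    Assumed policy: proving control of example.org authorizes www.example.org,
    but proving control of sub.example.org does not authorize example.org.
    """
    san = normalize(san)
    for domain in validated_domains:
        domain = normalize(domain)
        if san == domain or san.endswith("." + domain):
            return True
    return False


def unauthorized_sans_flawed(validated_domains, requested_sans):
    """Flawed check (illustrative): only the first name is validated.

    Every additional SAN is accepted unchecked, so an applicant who controls
    one domain can have arbitrary other domains added to the certificate.
    """
    if not is_authorized(requested_sans[0], validated_domains):
        return [requested_sans[0]]
    return []


def unauthorized_sans(validated_domains, requested_sans):
    """Corrected check: every requested SAN must be authorized.

    Returns the list of names that fail validation; issuance must proceed only
    when the list is empty.
    """
    return [san for san in requested_sans
            if not is_authorized(san, validated_domains)]


if __name__ == "__main__":
    # Constructed request: the applicant validated only a subdomain but asks
    # for the parent domain and an unrelated domain as extra SANs.
    validated = {"sub.example.org"}
    request = ["sub.example.org", "example.org", "unrelated.example"]
    print("flawed check rejects:   ", unauthorized_sans_flawed(validated, request))
    print("corrected check rejects:", unauthorized_sans(validated, request))
```

Running the block shows the flawed check rejecting nothing for this request, while the corrected check rejects both extra names; in a CA pipeline the corrected function's result should be checked again at the signing step, not only in the web front end that collected the order.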

Mozilla also pointed out that WoSign has apparently attempted to hide the fact that it acquired Israel-based CA StartCom. Mozilla said WoSign acquired StartCom in November 2015 and, soon after, StartCom started using WoSign infrastructure.

CAs are required to inform Mozilla if their ownership changes. WoSign representatives recently claimed they did not do so because the acquisition had not been completed and StartCom’s systems had remained the same, but Mozilla found evidence suggesting otherwise.

“The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software,” Mozilla said in its report.

Due to these problems, Mozilla has proposed that newly issued certificates from WoSign and StartCom no longer be trusted by its products for a period of at least one year. The proposal is currently up for debate, but if the measure is enforced, existing WoSign certificates will not be affected.

After one year, WoSign and StartCom may be re-admitted to the Mozilla trust program if they clean up their act and meet certain requirements. WoSign has asked Mozilla to at least continue allowing it to issue certificates in China, but the browser maker does not believe its Chinese users should be held to a lower standard of trustworthiness.

Many believe WoSign would likely not survive if Mozilla and others ban its certificates. It’s unclear if Google and other vendors plan on taking similar measures, but Mozilla published its report to help other companies make a decision. It’s worth noting that Google revoked trust in certificates from the China Internet Network Information Center (CNNIC) last year after the discovery of serious trust issues.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
