
Mozilla Could Ban Certificates From Chinese CA WoSign

Following the discovery of several major problems, Mozilla has proposed that certificates issued by Chinese certificate authority (CA) WoSign and its subsidiary StartCom be banned in Firefox for at least one year.

Mozilla has learned about more than a dozen incidents involving WoSign since January 2015. The organization has admitted that not all of them are the CA’s fault, such as a mis-issuance for an Alibaba domain that was temporarily compromised by attackers. However, some of the identified problems are WoSign’s fault and they cannot be ignored.

One of the most serious problems is related to WoSign issuing SHA-1 certificates. SHA-1 certificates are no longer considered secure, and major browser vendors plan to stop trusting them in the near future.

CAs have been advised not to provide customers SHA-1 certificates after January 1, 2016, but Mozilla says WoSign created tens of such certificates and back-dated them to make it look like they were issued in December 2015.
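The practical check behind this paragraph is the one a relying party or auditor would run over a certificate store: is the certificate signed with a SHA-1 algorithm, and is its notBefore date on or after the 2016-01-01 cutoff? The following is an added example, not code from the article or from Mozilla's report. It walks the DER structure of an X.509 certificate with nothing but the Python standard library, reads the outer signatureAlgorithm OID and the validity notBefore field, and classifies the certificate. The sample certificates are constructed in the block itself (unsigned skeletons with empty names and a zeroed signature), and the 31-day "review" window before the cutoff is a heuristic chosen here, not a rule from the article.

```python
"""Flag SHA-1 signed X.509 certificates dated after the 2016-01-01 cutoff (added example)."""
from datetime import datetime, timedelta, timezone

SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)
REVIEW_WINDOW = timedelta(days=31)  # assumption: SHA-1 certs dated in the last month before cutoff get a closer look

# ---- minimal DER helpers (encoding is only used to build the constructed samples) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:              # base-128 with continuation bits, most significant first
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos (short tags only)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a SEQUENCE/SET into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# Well-known SHA-1 signature algorithm OIDs, stored in their DER-encoded form for direct comparison.
SHA1_SIG_OIDS = {
    encode_oid("1.2.840.113549.1.1.5"),  # sha1WithRSAEncryption
    encode_oid("1.2.840.10045.4.1"),     # ecdsa-with-SHA1
    encode_oid("1.2.840.10040.4.3"),     # dsa-with-sha1
}

def parse_time(tag, val):
    s = val.decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def inspect_cert(der):
    """Extract the outer signature algorithm and notBefore from a DER Certificate."""
    _, cert_body, _ = read_tlv(der)
    tbs_el, sig_alg_el, _ = children(cert_body)          # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs_el[1])
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    sig_oid = tlv(*children(sig_alg_el[1])[0])            # DER is canonical, so re-encoding reproduces the bytes
    not_before = parse_time(*children(fields[3][1])[0])
    return {"sha1": sig_oid in SHA1_SIG_OIDS, "not_before": not_before}

def classify(der):
    info = inspect_cert(der)
    if not info["sha1"]:
        return "ok"
    if info["not_before"] >= SHA1_CUTOFF:
        return "violation"        # SHA-1 certificate dated on or after the cutoff
    if info["not_before"] >= SHA1_CUTOFF - REVIEW_WINDOW:
        return "review"           # dated just before the cutoff: corroborate the date independently
    return "legacy"

# ---- constructed samples: unsigned certificate skeletons, hypothetical content ----
def make_cert(sig_oid, not_before, not_after):
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")                   # AlgorithmIdentifier + NULL params
    rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + b"\x05\x00")    # rsaEncryption for the SPKI
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + tlv(0x30, utc(not_before) + utc(not_after)) + tlv(0x30, b"")
              + tlv(0x30, rsa + tlv(0x03, b"\x00\x00")))                 # empty issuer/subject, placeholder key
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))                 # zeroed signature value

SAMPLES = {
    "sha256_2016": make_cert("1.2.840.113549.1.1.11", datetime(2016, 3, 1), datetime(2017, 3, 1)),
    "sha1_after_cutoff": make_cert("1.2.840.113549.1.1.5", datetime(2016, 1, 15), datetime(2017, 1, 15)),
    "sha1_dec_2015": make_cert("1.2.840.113549.1.1.5", datetime(2015, 12, 20), datetime(2016, 12, 20)),
    "sha1_2014": make_cert("1.2.840.113549.1.1.5", datetime(2014, 6, 1), datetime(2015, 6, 1)),
}

def audit(samples=SAMPLES):
    return {name: classify(der) for name, der in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

The notBefore field is written by the issuing CA, so a certificate that claims a December 2015 date cannot be distinguished from a genuinely December-issued one by parsing alone; that is why the example only marks such certificates for review. To establish back-dating you need an independent timestamp, for example the SCT timestamps in Certificate Transparency logs or the CA's own issuance records, and compare it against the date in the certificate.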

Another major problem is related to bugs that allowed applicants to add extra arbitrary domains to a certificate. The flaws were discovered by Stephen Schrauger, who managed to obtain SSL certificates for and the University of Central Florida’s main domain.

Mozilla also pointed out that WoSign has apparently attempted to hide the fact that it acquired Israel-based CA StartCom. Mozilla said WoSign acquired StartCom in November 2015 and, soon after, StartCom started using WoSign infrastructure.

CAs are required to inform Mozilla if their ownership changes. WoSign representatives recently claimed they did not do so because the acquisition had not been completed and StartCom’s systems had remained the same, but Mozilla found evidence suggesting otherwise.

“The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software,” Mozilla said in its report.

Due to these problems, Mozilla has proposed that newly issued certificates from WoSign and StartCom no longer be trusted by its products for a period of at least one year. The proposal is currently up for debate, but if the measure is enforced, existing WoSign certificates will not be affected.

After one year, WoSign and StartCom may be re-admitted to the Mozilla trust program if they clean up their act and meet certain requirements. WoSign has asked Mozilla to at least continue allowing it to issue certificates in China, but the Internet company believes its Chinese users don’t have lower trustworthiness requirements.

Many believe WoSign would likely not survive if Mozilla and others ban its certificates. It’s unclear if Google and other vendors plan on taking similar measures, but Mozilla published its report to help other companies make a decision. It’s worth noting that Google revoked trust in certificates from the China Internet Network Information Center (CNNIC) last year after the discovery of serious trust issues.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
