Connect with us

Hi, what are you looking for?



Mozilla Distrusts Certificates From WoSign, StartCom

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla recently unveiled a proposal to ban certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom for one year due to more than a dozen problems identified since January 2015.

The most serious issues found by Mozilla are related to backdated certificates and the fact that WoSign did not inform the browser vendor that it had acquired Israel-based StartCom.

Earlier this month, Mozilla met with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder. Following the meeting, Qihoo 360 has decided to fire the WoSign CEO who approved the issuance of backdated certificates and promised to completely separate WoSign and StartCom.

Despite these and other changes, Mozilla has decided to ban new certificates from both WoSign and StartCom due to the “levels of deception demonstrated by representatives of the combined company.”

Certificates that become valid after October 21 and chain up to root certificates from WoSign and StartCom will no longer be trusted starting with Firefox 51, which is scheduled for release on November 8. The affected root certificates will be removed from Mozilla’s root store at some point after March 2017, or possibly sooner if the CAs try to backdate certificates in an effort to bypass the new restrictions.

Mozilla has also decided to no longer accept audits carried out by Ernst & Young Hong Kong, which last year failed to catch several Baseline Requirements violations in WoSign certificates.

“If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to,” the Mozilla Security Team said in a blog post. “Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

Advertisement. Scroll to continue reading.

Mozilla said the CAs can apply for inclusion of new root certificates via the normal root inclusion process after they complete a series of requirements. WoSign can re-apply after June 1, 2017, while StartCom can do so after it shows that WoSign has absolutely no control over its employees or code.

While Google and Microsoft have not made any public statements regarding the WoSign/StartCom case, Apple decided to revoke trust in WoSign certificates in iOS and OS X.

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...