Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Mozilla Distrusts Certificates From WoSign, StartCom

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla recently unveiled a proposal to ban certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom for one year due to more than a dozen problems identified since January 2015.

The most serious issues found by Mozilla are related to backdated certificates and the fact that WoSign did not inform the browser vendor that it had acquired Israel-based StartCom.

Earlier this month, Mozilla met with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder. Following the meeting, Qihoo 360 has decided to fire the WoSign CEO who approved the issuance of backdated certificates and promised to completely separate WoSign and StartCom.

Despite these and other changes, Mozilla has decided to ban new certificates from both WoSign and StartCom due to the “levels of deception demonstrated by representatives of the combined company.”

Certificates that become valid after October 21 and chain up to root certificates from WoSign and StartCom will no longer be trusted starting with Firefox 51, which is scheduled for release on November 8. The affected root certificates will be removed from Mozilla’s root store at some point after March 2017, or possibly sooner if the CAs try to backdate certificates in an effort to bypass the new restrictions.

Mozilla has also decided to no longer accept audits carried out by Ernst & Young Hong Kong, which last year failed to catch several Baseline Requirements violations in WoSign certificates.

“If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to,” the Mozilla Security Team said in a blog post. “Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

Mozilla said the CAs can apply for inclusion of new root certificates via the normal root inclusion process after they complete a series of requirements. WoSign can re-apply after June 1, 2017, while StartCom can do so after it shows that WoSign has absolutely no control over its employees or code.

While Google and Microsoft have not made any public statements regarding the WoSign/StartCom case, Apple decided to revoke trust in WoSign certificates in iOS and OS X.

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...