Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Mozilla Distrusts Certificates From WoSign, StartCom

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla recently unveiled a proposal to ban certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom for one year due to more than a dozen problems identified since January 2015.

The most serious issues found by Mozilla are related to backdated certificates and the fact that WoSign did not inform the browser vendor that it had acquired Israel-based StartCom.

Earlier this month, Mozilla met with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder. Following the meeting, Qihoo 360 has decided to fire the WoSign CEO who approved the issuance of backdated certificates and promised to completely separate WoSign and StartCom.

Despite these and other changes, Mozilla has decided to ban new certificates from both WoSign and StartCom due to the “levels of deception demonstrated by representatives of the combined company.”

Certificates that become valid after October 21 and chain up to root certificates from WoSign and StartCom will no longer be trusted starting with Firefox 51, which is scheduled for release on November 8. The affected root certificates will be removed from Mozilla’s root store at some point after March 2017, or possibly sooner if the CAs try to backdate certificates in an effort to bypass the new restrictions.

Mozilla has also decided to no longer accept audits carried out by Ernst & Young Hong Kong, which last year failed to catch several Baseline Requirements violations in WoSign certificates.

“If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to,” the Mozilla Security Team said in a blog post. “Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

Mozilla said the CAs can apply for inclusion of new root certificates via the normal root inclusion process after they complete a series of requirements. WoSign can re-apply after June 1, 2017, while StartCom can do so after it shows that WoSign has absolutely no control over its employees or code.

While Google and Microsoft have not made any public statements regarding the WoSign/StartCom case, Apple decided to revoke trust in WoSign certificates in iOS and OS X.

Related: Firefox to Display Error When Encountering SHA-1 Certificates

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...