Mozilla Distrusts Certificates From WoSign, StartCom

Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

Mozilla recently unveiled a proposal to ban certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom for one year due to more than a dozen problems identified since January 2015.

The most serious issues found by Mozilla are related to backdated certificates and the fact that WoSign did not inform the browser vendor that it had acquired Israel-based StartCom.

Earlier this month, Mozilla met with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder. Following the meeting, Qihoo 360 decided to fire the WoSign CEO who had approved the issuance of backdated certificates, and promised to completely separate WoSign and StartCom.

Despite these and other changes, Mozilla has decided to ban new certificates from both WoSign and StartCom due to the “levels of deception demonstrated by representatives of the combined company.”

Certificates that become valid after October 21 and chain up to root certificates from WoSign and StartCom will no longer be trusted starting with Firefox 51, which is scheduled for release on November 8. The affected root certificates will be removed from Mozilla’s root store at some point after March 2017, or possibly sooner if the CAs try to backdate certificates in an effort to bypass the new restrictions.

Mozilla has also decided to no longer accept audits carried out by Ernst & Young Hong Kong, which last year failed to catch several Baseline Requirements violations in WoSign certificates.

“If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to,” the Mozilla Security Team said in a blog post. “Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

Mozilla said the CAs can apply for inclusion of new root certificates via the normal root inclusion process after they complete a series of requirements. WoSign can re-apply after June 1, 2017, while StartCom can do so after it shows that WoSign has absolutely no control over its employees or code.

While Google and Microsoft have not made any public statements regarding the WoSign/StartCom case, Apple decided to revoke trust in WoSign certificates in iOS and OS X.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.