The board of directors of China-based certificate authority StartCom announced on Friday that it has decided to shut down the company following the decision of major browser vendors to ban its certificates.
StartCom is a subsidiary of WoSign, a certificate authority (CA) owned by Chinese cybersecurity firm Qihoo 360. In September 2016, Mozilla informed the community of more than a dozen incidents involving WoSign and StartCom, including misissuance of certificates and attempting to hide the fact that WoSign had acquired StartCom in November 2015.
Shortly after, WoSign started making changes to leadership, operational processes and technology. However, all the major browser vendors – Apple, Microsoft, Google and Mozilla – announced in the following months their decision to ban WoSign and StartCom certificates.
StartCom has been having problems getting reincluded in certificate trust stores, which is why its board decided to shut down the company. StartCom will stop selling certificates on January 1, 2018, and it will continue to maintain its Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services for another two years. In 2020, the company will eliminate its three root pairs.
“Yes, of course we will still contribute to Community and focus on security research,” said Xiaosheng Tan, chairman of StartCom’s board and CSO of Qihoo 360. “During the last ten years, the 360 security research teams have discovered hundreds of vulnerabilities in the major software companies and earned many acknowledgments in the world. Qihoo 360 and the PKI community share the same goal, which is making the internet a better place.”
As for WoSign, the company is working on getting re-included into trust stores. Earlier this year, its source code and infrastructure were analyzed by Germany-based Cure53 over a period of 40 days. The audit led to the discovery of 22 issues, but a majority of them were not actual vulnerabilities and Cure53 concluded that WoSign had made security a priority.
Mozilla will completely ban WoSign and StartCom certificates starting with Firefox 58, scheduled for release in January next year. Google did so in September with the release of Chrome 61. Microsoft also stopped trusting certificates issued by the companies after September 2017.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
