Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.
Mozilla met last week with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder, to discuss the issues. Following the meeting, WoSign published an incident report in which it announced its decision to make some changes in leadership, operational processes and technology.
Qihoo 360 wants to completely separate WoSign and StartCom, including operations and technology, and has asked browser vendors to judge each company separately. Richard Wang, the WoSign CEO who approved the issuance of backdated certificates, which is considered the most serious problem, has been relieved of his duties.
StartCom will report directly to Qihoo 360 with Xiaosheng Tan appointed as chairman and Inigo Barreira as CEO. In addition, both companies will add all their certificates to Certificate Transparency (CT) logs.
“We completely agree that keep [sic] the global Internet security is very important for all related stakeholders including all CAs,” WoSign wrote in its incident report. “Thank you to Mozilla for its consideration of WoSign and StartCom’s current subscribers’ benefit. We appreciate that. Many customers in China find it important to use a domestic CA for purposes of security.”
The ball is now again in Mozilla’s court. The company has proposed a ban of at least one year for all new WoSign and StartCom certificates after learning of more than a dozen incidents involving the two companies, including the backdating of certificates issued after January 1, 2016.
In late September, Apple announced its intention to release security updates for iOS and OS X that would cause these products to no longer trust certificates issued by the WoSign CA Free SSL Certificate G2 intermediate CA. The company pointed out that WoSign leveraged its relationship with StartCom and Comodo to establish trust, as it does not have any root certificates in Apple’s trust store.
Google and Microsoft have yet to make any comments on this case. The companies, and Google in particular, are usually not very forgiving when it comes to misbehaving CAs.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
Latest News
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- Anti-Bot Software Firm DataDome Banks $42M Financing
