Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

WoSign Changes Leadership Due to Certificate Incidents

Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.

Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.

Mozilla met last week with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder, to discuss the issues. Following the meeting, WoSign published an incident report in which it announced its decision to make some changes in leadership, operational processes and technology.

Qihoo 360 wants to completely separate WoSign and StartCom, including operations and technology, and has asked browser vendors to judge each company separately. Richard Wang, the WoSign CEO who approved the issuance of backdated certificates, which is considered the most serious problem, has been relieved of his duties.

StartCom will report directly to Qihoo 360 with Xiaosheng Tan appointed as chairman and Inigo Barreira as CEO. In addition, both companies will add all their certificates to Certificate Transparency (CT) logs.

“We completely agree that keep [sic] the global Internet security is very important for all related stakeholders including all CAs,” WoSign wrote in its incident report. “Thank you to Mozilla for its consideration of WoSign and StartCom’s current subscribers’ benefit. We appreciate that. Many customers in China find it important to use a domestic CA for purposes of security.”

The ball is now again in Mozilla’s court. The company has proposed a ban of at least one year for all new WoSign and StartCom certificates after learning of more than a dozen incidents involving the two companies, including the backdating of certificates issued after January 1, 2016.

In late September, Apple announced its intention to release security updates for iOS and OS X that would cause these products to no longer trust certificates issued by the WoSign CA Free SSL Certificate G2 intermediate CA. The company pointed out that WoSign leveraged its relationship with StartCom and Comodo to establish trust, as it does not have any root certificates in Apple’s trust store.

Google and Microsoft have yet to make any comments on this case. The companies, and Google in particular, are usually not very forgiving when it comes to misbehaving CAs.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...