Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

WoSign Changes Leadership Due to Certificate Incidents

Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.

Following Mozilla’s proposal to ban its certificates for at least one year and Apple’s decision to revoke trust in its certificates, Chinese certificate authority WoSign appears to be taking serious action in hopes of obtaining forgiveness from major web browser vendors.

Mozilla met last week with representatives of StartCom and Qihoo 360, WoSign’s largest shareholder, to discuss the issues. Following the meeting, WoSign published an incident report in which it announced its decision to make some changes in leadership, operational processes and technology.

Qihoo 360 wants to completely separate WoSign and StartCom, including operations and technology, and has asked browser vendors to judge each company separately. Richard Wang, the WoSign CEO who approved the issuance of backdated certificates, which is considered the most serious problem, has been relieved of his duties.

StartCom will report directly to Qihoo 360 with Xiaosheng Tan appointed as chairman and Inigo Barreira as CEO. In addition, both companies will add all their certificates to Certificate Transparency (CT) logs.

“We completely agree that keep [sic] the global Internet security is very important for all related stakeholders including all CAs,” WoSign wrote in its incident report. “Thank you to Mozilla for its consideration of WoSign and StartCom’s current subscribers’ benefit. We appreciate that. Many customers in China find it important to use a domestic CA for purposes of security.”

The ball is now again in Mozilla’s court. The company has proposed a ban of at least one year for all new WoSign and StartCom certificates after learning of more than a dozen incidents involving the two companies, including the backdating of certificates issued after January 1, 2016.

In late September, Apple announced its intention to release security updates for iOS and OS X that would cause these products to no longer trust certificates issued by the WoSign CA Free SSL Certificate G2 intermediate CA. The company pointed out that WoSign leveraged its relationship with StartCom and Comodo to establish trust, as it does not have any root certificates in Apple’s trust store.

Google and Microsoft have yet to make any comments on this case. The companies, and Google in particular, are usually not very forgiving when it comes to misbehaving CAs.

Advertisement. Scroll to continue reading.
Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Compliance

Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...