Certs of WoSign and StartCom no longer trusted by Mozilla browser and Apple

04-10-2016 13:30:40

WoSign – one of the largest digital certificate providers in China and the owner of the Israeli certificate authority (CA) StartCom – recently ran into trouble with Mozilla. It all started after various security incidents, including the issuance of SSL/TLS certificates for primary GitHub domains to the owner of a subdomain.

WoSign first drew attention when Stephen Schrauger, a web developer for the University of Central Florida, managed to generate an SSL certificate for github.io by controlling just a subdomain, schrauger.github.com. Schrauger went through validation for fun, and commented lightly on getting the certificate for the .io domain: "I did not add (certificate) www.github.com because I forgot."

Mozilla also accuses the company of buying StartCom without telling anyone and without disclosing the change of ownership.

All this made Apple kick the WoSign CA Free SSL Certificate out of its trust program too.

Finally, Mozilla decided that new certificates from WoSign and StartCom would no longer be trusted in its browser. Existing certificates, however, will still be trusted. The CAs can reapply for browser inclusion in a year under certain conditions. This theoretically allows WoSign to create backdated certificates, but Mozilla announced that if it sees any evidence of this it will immediately distrust all WoSign/StartCom certificates.

One must admit, as Schrauger said, that domain validation isn't as simple as one may think, and WoSign isn't the first to have a problem. Hopefully, however, situations like this will not occur.
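The validation failure described above, as an added illustration (not code from WoSign, Mozilla or the original article): a hypothetical CA-side check in which a rule that accepts any name sharing the validated host's base domain is set beside a stricter rule that refuses parent and sibling names. The function names, the two-label "base domain" shortcut and the `allow_subdomains` policy switch are assumptions made for the example.

```python
# Added illustration: a hypothetical CA-side authorization check.
# Host names are constructed sample input based on the names in the article.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def flawed_covers(validated_host, requested, base_labels=2):
    """Flawed rule: any name sharing the validated host's base domain passes.

    base_labels=2 is a naive stand-in for "registrable domain" (assumption).
    """
    return _labels(validated_host)[-base_labels:] == _labels(requested)[-base_labels:]

def strict_covers(validated_host, requested, allow_subdomains=False):
    """Proof of control over a host covers that host only.

    With allow_subdomains=True (a policy choice, assumed here) it also covers
    names beneath the host, but never a parent or a sibling.
    """
    v, r = _labels(validated_host), _labels(requested)
    if r == v:
        return True
    return allow_subdomains and len(r) > len(v) and r[-len(v):] == v

def rejected_names(validated_host, requested_names, check):
    """Return the requested names the check refuses to put on the certificate."""
    return [n for n in requested_names if not check(validated_host, n)]

if __name__ == "__main__":
    validated = "schrauger.github.com"
    request = ["schrauger.github.com", "github.com", "www.github.com"]
    print("flawed rejects:", rejected_names(validated, request, flawed_covers))
    print("strict rejects:", rejected_names(validated, request, strict_covers))
```

Comparing labels rather than raw string suffixes also keeps a look-alike such as `notgithub.com` from matching `github.com`.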
