Certs of WoSign and StartCOM no longer trusted by Mozilla browser and Apple

04-10-2016 13:30:40

WoSign, one of the largest digital certificate providers in China and the owner of the Israeli certificate authority (CA) StartCom, recently ran into trouble with Mozilla. It all started after various security incidents, including the issuance of SSL/TLS certificates for primary GitHub domains to the owner of a subdomain.

WoSign first drew attention when Stephen Schrauger, a web developer for the University of Central Florida, managed to generate an SSL certificate for github.io while controlling just the subdomain schrauger.github.com. Schrauger passed validation for fun and, having obtained the certificate for the .io domain, commented lightly: "I did not add (certificate) www.github.com because I forgot."

Mozilla also accuses the company of buying StartCom without telling anyone and without disclosing the change of ownership.

All this led Apple to remove the WoSign CA Free SSL Certificate from its trust program too.

Finally, Mozilla decided that new certificates from WoSign and StartCom would no longer be trusted in its browser. However, existing certificates will still be trusted. The CAs can reapply for browser inclusion in a year under certain conditions. This theoretically allows WoSign to create backdated certificates; however, Mozilla announced that if it sees any evidence of this, it will immediately distrust all WoSign/StartCom certificates.

One must admit, as Schrauger said, that domain validation isn't as simple as one may think, and WoSign isn't the first to have a problem. Hopefully, however, situations like this will not occur.
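The scope check that was missing in the incident above can be sketched as follows. This is an added example, not WoSign's or any CA's code; it assumes a simplified policy in which proven control of one name authorizes only that name and names beneath it, and the function names and sample request are constructed for illustration.

```python
# Added illustration; the policy and sample names are assumptions, not any CA's real code.

def _labels(name):
    """Lowercase a DNS name, drop a trailing dot, and split it into labels."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError("malformed DNS name: %r" % name)
    return labels


def in_validated_scope(validated, requested):
    """True only if `requested` is the validated name or lies beneath it."""
    v = _labels(validated)
    r = _labels(requested)
    if r[0] == "*":
        # A wildcard is judged by its base name: *.example.com needs example.com in scope.
        r = r[1:]
    if "*" in r or len(r) < len(v):
        return False
    # Compare whole labels from the right; a plain string suffix test would
    # wrongly accept notschrauger.github.com for schrauger.github.com.
    return r[-len(v):] == v


def split_request(validated, requested_names):
    """Partition the names on a certificate request into (allowed, rejected)."""
    allowed, rejected = [], []
    for name in requested_names:
        (allowed if in_validated_scope(validated, name) else rejected).append(name)
    return allowed, rejected


if __name__ == "__main__":
    # Constructed request modelled on the incident described above.
    proven = "schrauger.github.com"
    wanted = ["schrauger.github.com", "github.com", "www.github.com",
              "github.io", "*.github.com", "blog.schrauger.github.com"]
    ok, refused = split_request(proven, wanted)
    print("issue for:", ok)
    print("refuse:   ", refused)
```
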
