Heads roll as Qihoo 360 moves to end WoSign, StartCom certificate row

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Two CAs get new bosses, operations to be split
After being pinged by Mozilla for issuing backdated SHA-1 certificates, Chinese certificate authority WoSign's owner has put the cleaners through the management of WoSign and StartCom.

Mozilla put WoSign and StartCom on notice at the end of September.

As part of its response, the company has posted around 200,000 certificates with the Google transparency log server as well as on its own CT log server, covering everything issued in 2015 and 2016, with a promise to expand that to “all certificates past and present”.

In this discussion thread, Bugzilla lead developer Gervase Markham explains that people from WoSign's majority shareholder Qihoo 360 and StartCom met with Mozilla representatives last Tuesday in London.

WoSign's full response is here (PDF). In it, as summarised in the mailing list discussion by StartCom founder Eddy Nigg, the company promises to:

  • Separate the WoSign and StartCom businesses, so StartCom will report directly to Qihoo 360;
  • Qihoo 360's chief security officer Xiaosheng Tan will be appointed chairman of StartCom, StartCom Europe's general manager Inigo Barreira is elevated to CEO of the company, and WoSign CEO Richard Wang has been relieved of his duties;
  • The two certificate authorities' teams, operations and infrastructure will be separated, Qihoo 360 personnel will review the code base in an internal audit, and StartCom will submit its systems for an external audit; and
  • StartCom will prepare and publish a separate “near term change plan.
Qihoo 360 is taking the issue of backdated SHA-1 certs, in January 2016, as the most serious violation, and the reason for the executive re-organisation.

The incident report states: “Wosign is in process of making legal and personnel changes in both WoSign and StartCom to ensure that both WoSign and StartCom have leadership that understand and follow the standards of running a CA”.

The incident report lists more than 60 backdated certificates, including the one issued to Australian-headquartered payments processor Tyro (The Register has previously contacted Tyro for comment, but received no response).

The Qihoo 360 incident report says SHA-1 certificates with a validity beyond January 2017 were issued because of delays to the systems upgrade it was undertaking to implement SHA-1 deprecation.

Customers holding an SHA-1 certificate will be offered free revocation and an upgrade to SHA-2.

The company puts other certificate issuance errors down to a variety of system bugs and, in the case of certificates for Alibaba's alicdn.com that opened a middleman vulnerability, a lack of human validation for important customers.

Mozilla will now decide whether Qihoo 360's intervention brings it back into compliance with its certificate rules. After that, the company will also have to convince Apple to rescind its decision not to trust its certificates. ®
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
And yet more drama from this arena.
The same company that allowed malicious Ad's and content through its filters
(for the right price) under a year ago, will now be in control of issuing certificates ?
Day's of our Live's does not play out this good. Wow
Cool Share Solarguest.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top