Microsoft Removes Trust from Chinese CAs

Exterminator

Microsoft has decided to remove trust from two Chinese certificate authorities (CAs) after uncovering a litany of poor security practice.

Redmond revealed in a blog post that it would begin deprecating certificates issued by WoSign and StartCom by setting a “not before” date of September 26 2017.

This means all existing certs will continue to function until they self-expire, and Windows 10 won’t trust any new certificates from the two after September.

A brief statement revealed the reasoning behind the decision:

“Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.”

Microsoft’s decision follows the same move by Apple, Google and Mozilla, who binned the certs in 2016.

The news was welcomed by industry experts, including Kevin Bocek, chief cybersecurity strategist at Venafi.

He claimed that StartCom is merely a “secretly acquired subsidiary” of WoSign and both have “made a mockery of the global system of trust” underpinned by digital certificates.

“It would appear impossible for both CAs to pass an auditor's examination to operate as a trusted CA,” Bocek added. “This is a reminder for businesses why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important. No business should be stuck waiting for Microsoft, Google, and Apple to take action.”

The news follows Symantec’s decision to sell its certificates business for $950m, to Utah-based DigiCert.

Although the official reason for the sale is to help the security giant sharpen its enterprise focus, in truth the business had been struggling after a series of incidents which led to the sacking of several employees and a long-running bust-up with Google.
 
