Mozilla Ready to Ban WoSign Certificates for One Year After Shady Behavior

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Mozilla is pondering applying a one-year-long ban on all newly issued SSL certificates from Chinese CA (Certificate Authority) WoSign, and Israeli CA StartCom, which WoSign appears to have secretly bought last year.

Mozilla's engineers announced the potential ban following an investigation into a series of suspicious SSL SHA-1 certificates issued by both companies. The full investigation report can be read below this article.

Both CAs have tried to avoid the SHA-1 ban
The issues revolve around a common decision that browser makers took last year, to stop accepting SSL certificates signed via the ancient SHA-1 algorithm starting with January 1, 2016.

Mozilla is accusing WoSign that they've been issuing SHA-1-signed certificates and back-dating them to December 2015.

While Mozilla has allowed other CAs to issue SHA-1 certificates after January 1, 2016, for example Symantec, they only allowed it if the CA went through a complex approval process, which apparently WoSign has dodged.

WoSign has hidden the StartCom acquisition
Furthermore, WoSign seems to negate that it bought Israeli CA StartCom. Mozilla says, backed up by a Hebrew-speaking lawyer, that WoSign has 100 percent ownership over the Israeli CA since November 1, 2015.

To back up is claims, Mozilla revealed technical details that sustain its statements, showing that StartCom has started issuing certificates using WoSign's infrastructure.

Mozilla also accused StartCom of engaging in back-dating 2016 SHA-1 certificates to December 2015, just like WoSign. The Foundation's security engineers detail one case where this has happened.

StartCom has also back-dated SHA-1-signed certificates
The Mozilla investigation uncovered how Tyro, a payments processor that has worked with the GeoTrust CA for years, has all of a sudden deployed an SHA-1-signed certificate in the middle of June using StartCom, a CA it never worked with.

The certificate was dated as issued on December 20, 2015, a date on which Mozilla engineers found that StartCom has issued a large number of SHA-1-signed certificates. Mozilla discovered that companies deployed these certificates in the middle of 2016, and not right away, a clear sign that they were back-dated to avoid the SHA-1 ban.

These incidents and many more are now making Mozilla engineers ponder the idea of untrusting WoSign and StartCom SSL certificates in Mozilla for a year.

A permanent ban may be appplied
Mozilla says this temporary ban will be applied only to newly issued certificates from both companies, and not to certificates already deployed at their customers.

If the two companies don't pass a series of tests after the one-year ban, Mozilla is ready to ban all certificates from both companies for good.

"[M]any eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots," the report says.

Furthermore, a ban in Chrome and other products is also on the table. "While other browser vendors and root store operators will need to make their own decisions, we have laid out the information in this document so that they will understand the basis on which we have made our decision and can make their own decisions accordingly," Mozilla said.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top