Mozilla doesn’t trust new WoSign and StartCom certificates
Mozilla has announced that it no longer trusts new certificates from WoSign and StartCom. The two certificate authorities made several mistakes, including backdating certificates to get around the phase-out of SHA-1 certificates.
On its blog, Mozilla describes the measures it is taking against the certificate authorities. Among other things, the organization is withdrawing trust for WoSign and StartCom certificates whose validity begins after October 21. Should Mozilla encounter backdated certificates from them again, it says it will block them “immediately and permanently.” The change is part of the Firefox 51 release.
In addition, Mozilla is adding the certificates with altered dates to OneCRL. This system, introduced in 2015, lets certificates be revoked faster by pushing lists of such certificates to the browser. Mozilla further announces that it will no longer accept audits conducted by Ernst & Young Hong Kong, which had both certificate authorities as clients. According to the list of identified problems, the abuses at the certificate authorities “should have been identified by a competent party.”
Mozilla adds that, until the certificate authorities produce new root certificates, their certificates will have to be imported manually. The organization had already signaled the measures it is now taking. Besides the fact that the date was changed on certain certificates, it was possible, for example, to request a certificate for a different domain. WoSign also took over the StartCom authority without disclosing it.
Following the disclosure of the abuses by Mozilla, the certificate authorities announced measures, including a reorganization.