Mozilla to punish certificate authority WoSign/StartCom

Mozilla wants to block new ssl certificates from WoSign and StartCom. The certificate authorities have recently made numerous mistakes as a result of which Mozilla no longer has confidence in the functioning of WoSign and StartCom.

Mozilla wants to punish WoSign and StartCom by no longer adding new certificates from the parties to the list of trusted SSL certificates for Firefox. With this measure, Mozilla wants to reduce the initial impact of the measure, which should last at least a year. To back up its proposal, Mozilla has posted a large analysis on Google Docs.

In the past, for example, it was possible to request certificates via a WoSign system without the applicant being the owner of the domain in question. Such a certificate could then possibly be used for a man-in-the-middle attack.

WoSign also issues certificates that are secured with the sha-1 hash that has been labeled insecure for years. All major browsers will block sites with sha-1 certificates from January 2017. Mozilla considered certificates with sha-1 issued after January 1, 2016 also invalid, but WoSign and StartCom backdated sha-1 certificates issued after that date.

The entire list of twelve incidents is on Mozilla’s Wiki page ‘WoSign Issues’. Another salient detail is that the Chinese WoSign took over the Israeli StartCom this year without reporting this. The acquisition was completed on September 19.

Mozilla seeks help from others with its reporting, including to help decide when the exclusion will take effect. Also, Mozilla is seeking help deciding whether WoSign or StartCom should manufacture new roots if they meet a number of conditions before they can reapply to become a trusted certificate authority, The Register writes.