WoSign CEO found guilty for WoSign and StartCom's recent practice of back-dating SHA-1 TLS certificates

Oct 10, 2016 21:15 GMT

The WoSign and StartCom rogue certificate drama is coming to a close after Mozilla, StartCom, and Qihoo 360 (WoSign's majority stakeholder) representatives met last Friday in London to find a way to make amends.

The three parties met after Mozilla discovered in September that WoSign had back-dated SHA-1-signed TLS certificates to December 2015 in order to avoid a ban on SHA-1 certificates from browser makers that came into effect on January 1, 2016.

By doing so, WoSign let its customers keep using certificates signed with the deprecated SHA-1 algorithm, prolonging the life of weak HTTPS deployments instead of requiring those clients to move to stronger signature algorithms.

Besides WoSign, Mozilla also found that StartCom engaged in the same behavior of back-dating certificates. Later Mozilla discovered that WoSign had secretly acquired StartCom without a public announcement or notification to browser makers, and the two companies started sharing the same infrastructure.

Qihoo bites the bullet in order to keep WoSign alive

Following these grave issues, Mozilla announced it was thinking about banning newly-issued WoSign and StartCom certificates for a year, as a punishment. Apple didn't give out any warning and outright banned newly-issued WoSign certificates from its products, a measure which will become effective this week.

Seeing that browser makers were losing patience, and worried that the scandal would wake up the sleeping giants (Microsoft and Google), Qihoo 360, the company that owns WoSign and indirectly StartCom, stepped in to head off any more drastic measures.

A temporary ban from Google or Microsoft, even if for just one year, would kill WoSign's business, with clients moving to other certificate authorities.

Following last Friday's meeting, Qihoo 360 took a series of drastic measures to show it takes the incident seriously, and to avoid the fate of DigiNotar, a CA that had to shut down following a ban from Google.

WoSign and StartCom get new leadership

For starters, both WoSign and StartCom will be headed by new management. According to Eddy Nigg, StartCom's founder, Xiaosheng Tan will serve as Chairman of StartCom, while Inigo Barreira will serve as CEO and Director of StartCom.

In a similar announcement, the WoSign board has also relieved Richard Wang of his duties as CEO of WoSign. A new CEO will be appointed in the future.

A WoSign report reveals that Wang was the one who broke protocol and approved the back-dating of the rogue certificates, for both WoSign and StartCom.

WoSign and StartCom will operate as separate companies

Because of this, Qihoo decided to separate WoSign and StartCom, which will now operate as separate businesses.

  Additionally, we note that StartCom has been operating as a compliant, separate CA for many years and the only noted issue with StartCom (two backdated certificates issued in July 2016) was an action approved by WoSign CEO Richard Wang. Before this, the leadership, business operations, and technology have been operating in compliance for many years and for many customers. Hence, we would like to have the impact to WoSign and StartCom be considered separately.  

Furthermore, both companies will use CT-compliant (Certificate Transparency) log servers to record how they manage past, present, and future certificates.

Browser makers will have access to these servers, which will help restore trust in the two companies following their recent slip-ups.
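The back-dating described above (SHA-1 certificates given a notBefore in December 2015 to slip under the 1 January 2016 cutoff) is the kind of thing a consumer of CT log data can screen for: a SHA-1 certificate whose notBefore sits before the cutoff but which first shows up in a log many months later deserves a second look. The following is an added example and not code from WoSign, StartCom, Mozilla or any other party in the story. It uses only the Python standard library, with a minimal DER reader that pulls the signature algorithm and validity period out of an X.509 certificate; the `make_cert` helper, the sample certificate it builds, the 30-day slack threshold and the finding labels are all assumptions made for this demo.

```python
"""Screen certificates for SHA-1 signatures and suspicious back-dating.

Added example, not code from any CA or browser vendor. Standard library only.
"""
from datetime import datetime, timezone, timedelta

# Signature algorithm OIDs for the SHA-1 variants commonly seen on TLS certs.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)
# Assumed threshold: a cert normally reaches a CT log within days of issuance,
# so a notBefore far earlier than the first sighting is worth a closer look.
BACKDATE_SLACK = timedelta(days=30)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# --- minimal DER reader -----------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                                  # base-128 arcs
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, value):
    # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...).
    # Note: strptime's %y pivot (69) differs slightly from X.509's (50).
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Extract the signature algorithm OID and validity period from a DER cert."""
    _, cert_body, _ = read_tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)                   # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature AlgorithmIdentifier, issuer, validity, ...
    alg_oid = decode_oid(next(children(fields[1][1]))[1])
    (nb_tag, nb), (na_tag, na) = list(children(fields[3][1]))
    return {"sig_alg": alg_oid,
            "not_before": decode_time(nb_tag, nb),
            "not_after": decode_time(na_tag, na)}


def assess(der, first_seen):
    """Findings for one certificate given the time it was first seen in a log."""
    info = parse_certificate(der)
    findings = []
    if info["sig_alg"] in SHA1_SIGNATURE_OIDS:
        findings.append("sha1-signature")
        if info["not_before"] >= SHA1_CUTOFF:
            findings.append("sha1-issued-after-cutoff")
        elif first_seen - info["not_before"] > BACKDATE_SLACK:
            findings.append("possible-backdating")
    return findings


# --- constructed sample input (tiny DER encoder, for the demo only) ----------
def tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def make_cert(sig_oid, not_before, not_after):
    """Build a minimal certificate skeleton (placeholder key and signature)."""
    t = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + tlv(0x30, t(not_before) + t(not_after))
              + tlv(0x30, b"") + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


# Constructed sample: a SHA-1 cert dated 20 Dec 2015 first logged in July 2016.
SAMPLE_DER = make_cert("1.2.840.113549.1.1.5", utc(2015, 12, 20), utc(2017, 12, 20))
SAMPLE_FIRST_SEEN = utc(2016, 7, 15)

if __name__ == "__main__":
    print(parse_certificate(SAMPLE_DER))
    print(assess(SAMPLE_DER, SAMPLE_FIRST_SEEN))
```

The `first_seen` value would in practice come from the timestamp of the log entry (or the SCT embedded in the certificate); the point of the check is that a CA controls notBefore but not the moment a certificate becomes publicly visible, which is exactly why log access matters to the browser makers.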

Most software vendors and service providers that use WoSign and StartCom certificates are still waiting for Google and Microsoft to issue a statement on this incident. Following the recent incident reports, the two might be more lenient on the two CAs.