Mozilla bans all WoSign SSL certs issued after Oct 21, 2016

Oct 25, 2016 16:55 GMT

Despite efforts from Qihoo 360 to avoid the worst case scenario, this is just what happened today, when Mozilla announced it was banning new SSL certificates issued by the WoSign and StartCom certificate authorities (CAs), in which Qihoo has a direct financial involvement.

The decision came today, exactly one month after Mozilla engineers published a report on WoSign's slip-ups in regards to SSL issuance procedures.

Mozilla: WoSign had deceived browser vendors

Mozilla said that WoSign had issued SSL certificates signed with the outdated SHA-1 algorithm in mid-2016 and had backdated them to appear issued before January 1, 2016, the deadline all browser vendors had agreed on for ending issuance of SHA-1-signed certificates, which are considered insecure.

Additionally, WoSign had secretly bought StartCom, an Israeli certificate authority, and had failed to inform browser vendors, including Mozilla, and continued to deny the acquisition even when confronted by Mozilla engineers.

StartCom, under the direct guidance of WoSign's CEO, had also backdated SSL certificates that were issued after the January 1 deadline.

Qihoo tried to save WoSign & StartCom from Mozilla's ban hammer

Qihoo 360, which owns the majority stake in WoSign, tried to intervene and moderate the situation. After a meeting that took place in London more than two weeks ago, Qihoo said that WoSign would fire its CEO and proposed new leadership for both WoSign and StartCom.

Despite its best efforts, Qihoo's Hail Mary pass failed to impress Mozilla, which said today it plans to ban all SSL certificates issued by the two CAs that carry an issuance date after October 21, 2016.

Certificates issued before this date will continue to be trusted in Mozilla products and will not show an error when users access these sites. The de facto ban will come into effect with Firefox 51, set for release early next year.

Mozilla also said it reserves the right to ban all WoSign and StartCom certificates, even the older ones, if it discovers that the two companies are still engaging in the practice of backdating SSL certificates.
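The date-based rule described above, written out as a check over an X.509 chain in Go; this is an added example, not code from the article or from Mozilla. It assumes the affected roots can be recognised by the subject organisation names shown, and places the "after October 21, 2016" cut-off at midnight UTC on October 22; the chain it builds is throwaway test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Cut-off from the article: leaves with an issuance (notBefore) date after
// October 21, 2016 that chain to a WoSign or StartCom root are distrusted.
var distrustCutoff = time.Date(2016, time.October, 22, 0, 0, 0, 0, time.UTC)

// Subject organisation names used to recognise the affected roots
// (assumed values for this example, not taken from a real root store).
var distrustedRootOrgs = map[string]bool{"WoSign CA Limited": true, "StartCom Ltd.": true}

// chainsToDistrustedRoot inspects the last (root) certificate of a leaf-first chain.
func chainsToDistrustedRoot(chain []*x509.Certificate) bool {
	for _, org := range chain[len(chain)-1].Subject.Organization {
		if distrustedRootOrgs[org] {
			return true
		}
	}
	return false
}
// TrustedUnderPolicy: unaffected roots stay trusted; affected roots only for pre-cut-off leaves.
func TrustedUnderPolicy(chain []*x509.Certificate) bool {
	return !chainsToDistrustedRoot(chain) || chain[0].NotBefore.Before(distrustCutoff)
}

// MakeChain builds a constructed throwaway root for org and a leaf it signs with the
// given notBefore. Test data only (errors ignored because inputs are fixed); no real CA cert.
func MakeChain(org string, notBefore time.Time) []*x509.Certificate {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{Organization: []string{org}}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return []*x509.Certificate{leaf, root}
}
```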

Apple had already banned new WoSign certificates

"The levels of deception demonstrated by representatives of the combined company [WoSign + StartCom] have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates," the company wrote today on its blog.

As a side effect of the report, Mozilla said it would not accept security audits performed by Ernst & Young Hong Kong, the security consultancy firm that audited WoSign's business practices.

A week after Mozilla published its initial report on WoSign's activities, Apple also banned newly-issued WoSign SSL certificates in its products, a ban that came into effect in mid-October.

Microsoft and Google have not yet issued a public statement on the WoSign and StartCom incidents.