Mozilla may also ban StartCom certificates

Sep 26, 2016 23:50 GMT

Mozilla is considering a one-year ban on all newly issued SSL certificates from Chinese CA (Certificate Authority) WoSign and from Israeli CA StartCom, which WoSign appears to have secretly bought last year.

Mozilla's engineers announced the potential ban following an investigation into a series of suspicious SSL SHA-1 certificates issued by both companies. The full investigation report can be read below this article.

Both CAs have tried to avoid the SHA-1 ban

The issues revolve around a common decision that browser makers made last year to stop accepting SSL certificates signed via the ancient SHA-1 algorithm starting January 1, 2016.

Mozilla accuses WoSign of issuing SHA-1-signed certificates and back-dating them to December 2015.

While Mozilla has allowed other CAs, Symantec for example, to issue SHA-1 certificates after January 1, 2016, it permitted this only after the CA went through a complex approval process, which WoSign apparently dodged.

WoSign has hidden the StartCom acquisition

Furthermore, WoSign seems to deny that it bought Israeli CA StartCom. Mozilla, on the other hand, says, backed up by a Hebrew-speaking lawyer, that WoSign has had 100 percent ownership of the Israeli CA since November 1, 2015.

Moreover, Mozilla revealed technical details that support its claims, showing that StartCom has started issuing certificates using WoSign's infrastructure.

The Foundation also accused StartCom of engaging in back-dating 2016 SHA-1 certificates to December 2015, just like WoSign. Its security engineers even detail one case where this has happened.

StartCom has also back-dated SHA-1-signed certificates

The Mozilla investigation uncovered how Tyro, a payments processor that has worked with the GeoTrust CA for years, suddenly deployed an SHA-1-signed certificate from StartCom, a CA it had never worked with, in the middle of June.

The certificate appeared to have been issued on December 20, 2015, a date on which Mozilla engineers found that StartCom issued a large number of SHA-1-signed certificates. Mozilla discovered that companies deployed these certificates in the middle of 2016, and not right away, a clear sign that they were back-dated to avoid the SHA-1 ban.
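The pattern Mozilla describes, a SHA-1 certificate whose notBefore date sits just before the cutoff but which nobody observed until months later, can be checked by a CT or TLS-scan monitor. The following is an added example, not code from Mozilla's report or from either CA; the certificate records are constructed, and the 90-day gap and cluster size of three are assumed thresholds.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

SHA1_CUTOFF = date(2016, 1, 1)  # browsers stopped accepting new SHA-1 certs
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


@dataclass
class CertObservation:
    subject: str
    issuer: str
    sig_alg: str
    not_before: date  # validity start claimed inside the certificate
    first_seen: date  # first CT log entry or first TLS scan that returned it


def classify(obs: CertObservation, max_gap_days: int = 90) -> str:
    """Label one certificate against the SHA-1 sunset policy."""
    if obs.sig_alg not in SHA1_ALGS:
        return "ok"
    if obs.not_before >= SHA1_CUTOFF:
        return "sha1-after-cutoff"  # issued after the deadline: outright violation
    gap = (obs.first_seen - obs.not_before).days
    if obs.first_seen >= SHA1_CUTOFF and gap > max_gap_days:
        # Claims a pre-cutoff issue date but was not seen until long after it.
        return "suspected-backdating"
    return "sha1-legacy"


def backdating_clusters(observations, min_size: int = 3) -> dict:
    """(issuer, notBefore) pairs reused across many suspected-backdated certs:
    one pre-cutoff date stamped onto certificates for unrelated customers."""
    counts = Counter((o.issuer, o.not_before) for o in observations
                     if classify(o) == "suspected-backdating")
    return {key: n for key, n in counts.items() if n >= min_size}


# Constructed sample records (hypothetical names, not real certificates).
SAMPLE = [
    CertObservation("pay.example.test", "Example CA B", "sha1WithRSAEncryption",
                    date(2015, 12, 20), date(2016, 6, 15)),
    CertObservation("shop.example.test", "Example CA B", "sha1WithRSAEncryption",
                    date(2015, 12, 20), date(2016, 5, 2)),
    CertObservation("mail.example.test", "Example CA B", "sha1WithRSAEncryption",
                    date(2015, 12, 20), date(2016, 7, 30)),
    CertObservation("old.example.test", "Example CA A", "sha1WithRSAEncryption",
                    date(2015, 3, 1), date(2015, 3, 2)),
    CertObservation("late.example.test", "Example CA A", "sha1WithRSAEncryption",
                    date(2016, 2, 10), date(2016, 2, 11)),
    CertObservation("www.example.test", "Example CA A", "sha256WithRSAEncryption",
                    date(2016, 4, 1), date(2016, 4, 1)),
]
```

Run against a CT feed, a cluster of many certificates sharing one pre-cutoff notBefore date that all surfaced months later is the signal worth escalating; a single legacy SHA-1 certificate seen promptly is not.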

These incidents and many more have led Mozilla engineers to consider distrusting WoSign and StartCom SSL certificates in Mozilla products for a year.

A permanent ban may be applied

Mozilla says this temporary ban will be applied only to newly issued certificates from both companies, and not to certificates already deployed to their customers.

If the two companies don't pass a series of tests after the one-year ban, the Foundation is ready to ban all certificates from both companies for good.

"[M]any eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots," the report says.

Furthermore, a ban in Chrome and other products is also on the table. "While other browser vendors and root store operators will need to make their own decisions, we have laid out the information in this document so that they will understand the basis on which we have made our decision and can make their own decisions accordingly," Mozilla said.