The noose is tightening around WoSign's neck

Oct 3, 2016 22:15 GMT

Apple announced on Friday, September 30, plans to untrust digital certificates issued by Chinese Certificate Authority (CA) WoSign, following a report published by Mozilla last Monday.

The report contained a list of incidents that involved WoSign and StartCom, an Israeli CA that WoSign bought last year.

Mozilla engineers discovered that WoSign had back-dated SHA-1-signed certificates to December 2015 in an attempt to circumvent the ban on issuing SHA-1 certificates that took effect on January 1, 2016.

Mozilla also found that WoSign had included arbitrary domain names in certificates without proper verification, and that it had concealed its acquisition of StartCom, which began using WoSign's infrastructure and back-dated certificates as well.

Mozilla still pondering a one-year ban for WoSign & StartCom

Following the report, Mozilla announced it was planning to issue a one-year ban on WoSign and StartCom certificates, as punishment. The ban, if approved, would apply only to new WoSign and StartCom certificates, while the ones already in use would continue to work.

Even a one-year ban would be the equivalent of a death sentence for a CA if other browser makers adopted it.

Apple, which is also part of the CA/Browser Forum, was far more decisive than Mozilla. Instead of issuing veiled threats to ban WoSign and StartCom certificates, the company simply did it.

Apple already banned intermediate WoSign certificates

According to security alerts posted on its website, Apple will stop trusting all WoSign-related certificates issued after September 19. The ban affects only WoSign certificates, on both iOS and OS X.

Apple never trusted WoSign's root certificates directly; instead, WoSign relies on intermediate certificates issued by StartCom and Comodo to establish trust on Apple products. It is these intermediate certificates that Apple is banning.

Additionally, the Apple alert does not mention untrusting StartCom certificates, which remain trusted for the time being. The ban will take effect in Apple's next security update, scheduled for the second week of October. Apple did not say whether the ban is permanent or will be lifted later.
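The two mechanisms described above (Apple's notBefore-based cutoff for WoSign-related certificates, and the SHA-1 issuance ban that WoSign back-dated certificates to evade) can be expressed as a simple chain-check policy. The following is an added illustration, not code from Apple, Mozilla or WoSign; it works on a constructed, simplified view of certificate fields, and the issuer-name matching and the exact day boundaries are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List

@dataclass(frozen=True)
class Cert:
    """Constructed, minimal view of the X.509 fields the policy below needs."""
    subject: str
    issuer: str
    not_before: date
    sig_alg: str        # e.g. "sha1WithRSAEncryption", "sha256WithRSAEncryption"

# Policy dates from the article; treating them as exact day boundaries is an assumption.
WOSIGN_CUTOFF = date(2016, 9, 19)   # Apple: WoSign-related certs issued after this are untrusted
SHA1_BAN_START = date(2016, 1, 1)   # start of the SHA-1 issuance ban WoSign back-dated around
FLAGGED_ISSUERS = ("WoSign", "StartCom")  # matched as substrings of the issuer name (assumption)

def issued_by_flagged_ca(cert: Cert) -> bool:
    return any(name in cert.issuer for name in FLAGGED_ISSUERS)

def check_chain(chain: List[Cert]) -> List[str]:
    """Return the reasons a chain (leaf first) is rejected; an empty list means accepted.

    Rule 1 is a notBefore-based distrust: certificates issued by a flagged CA after the
    cutoff are rejected while older ones keep working, which is how a vendor can block
    new issuance without removing a root. Rule 2 rejects SHA-1 signatures dated on or
    after the ban. A back-dated certificate passes rule 2 because notBefore is chosen by
    the issuer; back-dating is only detectable with external evidence such as
    Certificate Transparency logs or issuance records.
    """
    problems = []
    for cert in chain:
        if issued_by_flagged_ca(cert) and cert.not_before > WOSIGN_CUTOFF:
            problems.append(f"{cert.subject}: issued by {cert.issuer} after {WOSIGN_CUTOFF}")
        if cert.sig_alg.lower().startswith("sha1") and cert.not_before >= SHA1_BAN_START:
            problems.append(f"{cert.subject}: SHA-1 signature dated {cert.not_before}")
    return problems

# Constructed sample certificates (fictional names and dates) for stand-alone use.
INTERMEDIATE = Cert("WoSign CA (intermediate)", "StartCom Root", date(2015, 3, 1), "sha256WithRSAEncryption")
OLD_LEAF = Cert("www.example.com", "WoSign CA (intermediate)", date(2016, 8, 1), "sha256WithRSAEncryption")
NEW_LEAF = Cert("www.example.com", "WoSign CA (intermediate)", date(2016, 9, 25), "sha256WithRSAEncryption")
SHA1_LEAF = Cert("www.example.org", "WoSign CA (intermediate)", date(2016, 2, 10), "sha1WithRSAEncryption")
BACKDATED = Cert("www.example.org", "WoSign CA (intermediate)", date(2015, 12, 20), "sha1WithRSAEncryption")

if __name__ == "__main__":
    for label, leaf in [("old leaf", OLD_LEAF), ("new leaf", NEW_LEAF),
                        ("sha1 in 2016", SHA1_LEAF), ("back-dated sha1", BACKDATED)]:
        print(label, "->", check_chain([leaf, INTERMEDIATE]) or "accepted")
```

The back-dated sample is accepted on purpose: it shows why Mozilla needed evidence beyond the certificate itself to establish that the December 2015 dates were false.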

Apple also did not rule out expanding the ban to other Apple products as the Mozilla investigation progresses.

Mozilla is scheduled to meet with WoSign and StartCom representatives this week to clarify recent events, and is expected to make a final decision on the proposed one-year ban after the meeting.

In the meantime, WoSign, which is China's biggest CA, has publicly admitted to buying StartCom and is actively seeking to resolve the matter and avoid Mozilla's ban, and for good reason: other browser makers such as Google or Microsoft could follow suit and put the company's existence in danger.