[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple
Brian W. Neu
ale at advancedopen.com
Mon Jan 30 15:08:59 EST 2017
Randomly logged into my StartCom account today to see all kinds of red
text about free verifications and expirations and workarounds.

Through a little reading, it's clear that the Mozilla Foundation and
Google have both announced that they are distrusting the StartCom and
WoSign CAs due to deceptive practices unbecoming of a certificate
authority. The short story is that WoSign, a Chinese company claiming
70% of the certificate market in China, was allowing for the backdating
of new SHA1 signings to avoid some kind of sunset imposed by Microsoft
and others. WoSign also acquired StartCom in 2015, and purposely hid
this from the public, even denied it to the Mozilla Foundation until
irrefutable evidence surfaced.

Looks like StartCom is trying to mitigate damage by spinning off as a
separate entity, but what a disaster! Any alternative CAs led by
non-shady businessmen? Comodo?

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
https://en.wikipedia.org/wiki/StartCom
https://www.thesslstore.com/blog/wosign-startcom-separated/
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html