[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple

Jeremy T. Bouse jeremy.bouse at undergrid.net
Mon Jan 30 15:28:50 EST 2017


On 1/30/2017 3:08 PM, Brian W. Neu wrote:
> Randomly logged into my StartCom account today to see all kinds of red
> text about free verifications and expirations and workarounds.
>
> Through a little reading, it's clear that the Mozilla Foundation and
> Google have both announced that they are distrusting the StartCom and
> WoSign CAs due to deceptive practices unbecoming of a certificate
> authority.  The short story is that WoSign, a Chinese company claiming
> 70% of the certificate market in China, was allowing for the
> backdating of new SHA1 signings to avoid some kind of sunset imposed
> by Microsoft and others.  WoSign also acquired StartCom in 2015, and
> purposely hid this from the public, even denied it to the Mozilla
> Foundation until irrefutable evidence surfaced.
>
> Looks like StartCom is trying to mitigate damage by spinning off as a
> separate entity, but what a disaster!  Any alternative CAs led by
> non-shady businessmen?  Comodo?
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>
> https://en.wikipedia.org/wiki/StartCom
>
> https://www.thesslstore.com/blog/wosign-startcom-separated/
>
> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>

    Yeah, many for years have complained about StartCom's business
practice of charging for revocation of certificates and demanded that it
be distrusted because of that. I've been using them for years for my
PAID certificates, not utilizing their FREE 1-year expiring certificates.
Even as a paid user I pay a fee to revoke a certificate, but not nearly
as much as someone wanting to revoke a free certificate. I can't
begrudge them for charging for this, given their business model is so
unlike any other CA on the market in that they charge to verify your
identity, not the certificates themselves. Once you and/or your
organization are verified, you can issue as many certificates under your
identity as you wish.

    StartCom has stated they are creating new CA certificates and
proceeding through the steps to get re-certified and trusted again with
the new CA. Certificates issued before the specific end date are still
trusted by Mozilla and Google but those certified after will present a
warning to end users. StartCom has also said they'll re-issue
certificates affected once the new CA is trusted.
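One way to triage an existing certificate inventory against that cutoff, as an added example rather than anything from the thread: it assumes the openssl CLI and GNU date are available, uses a self-signed certificate as a constructed stand-in for a StartCom-issued one, and takes the cutoff date from the Mozilla and Google posts linked above.

```shell
#!/bin/sh
# Added example, not code from the thread: flag certificates whose issuer is
# StartCom or WoSign and whose notBefore falls after the distrust cutoff.
# Those need re-issuance (from another CA, or from StartCom's new roots once
# trusted); certificates issued before the cutoff keep validating.
# Assumes the openssl CLI and GNU date. CUTOFF is the date named in the
# Mozilla and Google announcements linked above.
CUTOFF="2016-10-21"
ISSUER_PATTERN='StartCom|WoSign'

# Exit status: 0 = needs re-issuance, 1 = unaffected, 2 = unreadable cert.
cert_needs_reissue() {
    pem="$1"
    issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null) || return 2
    echo "$issuer" | grep -Eq "$ISSUER_PATTERN" || return 1
    # openssl prints e.g. "notBefore=Jan 30 15:28:50 2017 GMT"
    notbefore=$(openssl x509 -in "$pem" -noout -startdate | sed 's/^notBefore=//')
    nb_epoch=$(date -u -d "$notbefore" +%s) || return 2
    cutoff_epoch=$(date -u -d "$CUTOFF 00:00:00 UTC" +%s)
    [ "$nb_epoch" -gt "$cutoff_epoch" ]
}

# Constructed sample input: a self-signed cert stands in for one issued by
# the named organisation (self-signed means issuer equals subject). Its
# notBefore is "now", i.e. after CUTOFF.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=$2/CN=www.example.com" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

report() {
    if cert_needs_reissue "$1"; then
        echo "$1: StartCom/WoSign issuer, issued after $CUTOFF: re-issue"
    elif [ "$?" -eq 2 ]; then
        echo "$1: could not read certificate"
    else
        echo "$1: unaffected"
    fi
}

WORK=$(mktemp -d)
make_sample_cert "$WORK/startcom.pem" "StartCom Ltd."
make_sample_cert "$WORK/other.pem" "Example Corp"
report "$WORK/startcom.pem"
report "$WORK/other.pem"
rm -rf "$WORK"
```

On a real inventory, point cert_needs_reissue at each leaf certificate in turn; the issuer check matches the immediate issuer name, so intermediates branded differently from their root should be added to ISSUER_PATTERN.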
