Chrome & Firefox To Distrust WoSign/StartCom Certs

Google Chrome Distrust Wosign / StartCom Certs 2017

If you currently own any SSL/TLS certificates issued by the certificate authorities WoSign or StartCom (StartSSL), it is time to look at alternatives. In January 2017, Google Chrome 56 and Mozilla Firefox 51 will ship with changes that distrust certificates issued by both WoSign and StartCom. Apple has also published an announcement that it is removing trust in the WoSign and StartCom root CAs from iOS and macOS.

What caused this? Every certificate authority, including Symantec, Comodo and GeoTrust, must follow the Baseline Requirements set by the CA/Browser Forum, so that every certificate issued by any CA meets the same standard. WoSign and StartCom were found to have been bypassing these rules.

Update, 11th July 2017: starting September 2017, visitors to sites still using a WoSign/StartCom SSL certificate will see a certificate warning in their browser.

Issuance of Certificates Without Full Authorization

According to Google's announcement, Mozilla's security team began its investigation after GitHub's security team reported that WoSign had issued a certificate for one of GitHub's domains without GitHub's authorisation. An IT administrator at the University of Central Florida had used WoSign's service to obtain a certificate for med.ucf.edu and soon discovered that he had mistakenly been issued one for www.ucf.edu as well. To verify that the error was not an isolated one, the administrator then used his control over the GitHub subdomains schrauger.github.com and schrauger.github.io to obtain certificates for github.com, github.io and www.github.io. When he finally succeeded in alerting WoSign to the improperly issued GitHub certificates, WoSign still did not catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that are not clear, Mozilla's final report makes no explicit mention of the certificates involving the GitHub or UCF domains, which had been publicly documented in August.

Back-Dating of SHA-1 Implementation Date

Mozilla's report charged that WoSign, a browser-trusted authority, had intentionally back-dated certificates it issued over the preceding nine months in order to evade the industry-mandated ban on the SHA-1 hashing algorithm. SHA-1-based signatures were barred at the beginning of 2016 because of industry consensus that they are unacceptably susceptible to collision attacks that can produce counterfeit credentials. To satisfy customers who had difficulty retiring the old hash function, WoSign continued to use it anyway and concealed this by dating the certificates before 1 January 2016, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of the Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.

Mozilla's summary of the investigation findings is reproduced below.

  • Back-dating SHA-1 certs was a relatively common practice at WoSign, and they have consistently denied doing so. (Issue S, and the evidence given above)
  • WoSign built a system where applicants could add extra arbitrary domains to their certificates before issuance. Even when mis-issuances happened they did not determine the root cause and eliminated the flaw only in an unrelated system upgrade. (Issue N)
  • WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)
  • WoSign’s team do not seem to think a misissuance is worth investigating further than simply revoking the certificate. (Issue N)
  • WoSign’s approach to their CPS is backwards—instead of following it and changing it first when necessary, they change their practice and then update the documentation when reminded. (Issue J)
  • If the experience with their website ownership validation mechanism is anything to go by, it seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)
  • The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)
  • It does not appear that WoSign learns from the experience of other CAs, e.g. Symantec’s test certificate issue, or the SHA-1 exceptions process. (Issue P, Issue S)
  • For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)
  • WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)

What are the Impacts?

Any certificate issued by WoSign or StartCom after October 21, 2016 00:00:00 UTC will not be trusted by Google Chrome 56 or Mozilla Firefox 51. Certificates issued before that date will continue to be trusted for a limited time, but later releases of Chrome and Firefox will remove the WoSign and StartCom roots entirely, at which point every certificate they issued will be distrusted.
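The rule above is mechanical enough to check for yourself before the browser updates land. The Go program below is an added example, not code from this page's author or from either browser: it encodes the cutoff date, walks a certificate chain (leaf first) and returns one of three verdicts. Two things are assumptions made for the example: the CAs are recognised by matching "wosign" or "startcom" in a certificate's Organization or CommonName (the browsers identify the CAs by their root certificates, not by name), and the test chain for www.example.test is constructed on the fly with throwaway keys so the program runs offline; no real WoSign or StartCom certificate is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Cutoff from the Chrome 56 / Firefox 51 announcements: a WoSign or StartCom
// certificate whose notBefore is after this instant is distrusted outright.
var Cutoff = time.Date(2016, time.October, 21, 0, 0, 0, 0, time.UTC)

type Verdict string

const (
	Trusted       Verdict = "Trusted"       // chain does not involve WoSign or StartCom
	TrustedForNow Verdict = "TrustedForNow" // WoSign/StartCom, issued before the cutoff: trusted only until the roots are removed
	Distrusted    Verdict = "Distrusted"    // WoSign/StartCom, issued after the cutoff (or no chain at all)
)

// isWoSignOrStartCom matches a name's Organization and CommonName against the two
// CAs. Simplification (assumption): browsers match the root certificates, not names.
func isWoSignOrStartCom(name pkix.Name) bool {
	for _, f := range append([]string{name.CommonName}, name.Organization...) {
		f = strings.ToLower(f)
		if strings.Contains(f, "wosign") || strings.Contains(f, "startcom") {
			return true
		}
	}
	return false
}

// Evaluate applies the distrust rule to a chain ordered leaf first.
func Evaluate(chain []*x509.Certificate) Verdict {
	if len(chain) == 0 {
		return Distrusted
	}
	involved := isWoSignOrStartCom(chain[0].Issuer) // also catches a leaf sent without its issuer
	for _, c := range chain[1:] {
		involved = involved || isWoSignOrStartCom(c.Subject)
	}
	if !involved {
		return Trusted
	}
	if chain[0].NotBefore.After(Cutoff) {
		return Distrusted
	}
	return TrustedForNow
}

// mustCert signs tmpl with the parent's key and parses the result (test helper).
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// MakeTestChain builds a constructed CA plus a leaf it signs so the rule can be
// exercised offline. No real WoSign or StartCom key material is involved.
func MakeTestChain(caOrg, caCN string, leafNotBefore time.Time) []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{caOrg}, CommonName: caCN},
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed hostname
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.Add(365 * 24 * time.Hour),
	}, ca, &leafKey.PublicKey, caKey)
	return []*x509.Certificate{leaf, ca}
}

func main() {
	for _, chain := range [][]*x509.Certificate{
		MakeTestChain("WoSign CA Limited", "Certification Authority of WoSign", time.Date(2016, 11, 15, 0, 0, 0, 0, time.UTC)),
		MakeTestChain("StartCom Ltd.", "StartCom Certification Authority", time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC)),
		MakeTestChain("Example Trust Services", "Example Root CA", time.Date(2016, 11, 15, 0, 0, 0, 0, time.UTC)),
	} {
		fmt.Printf("%-25s leaf notBefore %s -> %s\n", chain[1].Subject.Organization[0], chain[0].NotBefore.Format("2006-01-02"), Evaluate(chain))
	}
}
```

To check a live site instead of the constructed chain, feed Evaluate the certificates returned by `openssl s_client -connect host:443 -showcerts`, parsed with x509.ParseCertificate. Note the boundary: the rule as published says "after" the cutoff, so a leaf whose notBefore is exactly 2016-10-21 00:00:00 UTC falls on the trusted-for-now side; a conservative operator should simply treat any WoSign/StartCom certificate as needing replacement.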

Based on current browser market-share figures, when Chrome and Firefox roll out these updates in January 2017, websites still using a WoSign or StartCom SSL certificate will begin showing certificate errors to most of their visitors. To gauge how badly your own site will be affected, look at the browser breakdown of your visitors in your web analytics (Google Analytics, for example).

[Figure: StartCom/WoSign SSL market share]

According to BuiltWith statistics, StartSSL's market share has dropped steeply since Google announced that it would distrust these certificates.

What's the Alternative SSL Certificate for WoSign/StartCom?

From September 2017, even if your existing WoSign/StartCom SSL certificate is still within its validity period, your visitors will be shown an SSL warning page.


Get a replacement for your WoSign/StartSSL certificate from us from just $29. On top of the SSL certificate, you will also receive a complimentary website uptime monitoring service with instant notifications, free of charge.