Apple has weighed in following Mozilla’s ongoing efforts to warn of the security issue with China’s WoSign CA. Over the past weekend, Apple said that it would soon distrust certificates issued by the Chinese Certificate Authority’s Free SSL Certificate G2 intermediate CA on macOS.
In the past several weeks, Mozilla has been publishing posts and pages accusing the CA of backdating SHA-1 certificates to effectively bypass restrictions banning those certs from being trusted. Mozilla’s CA team said last week that in the wake of the discovery, and several other wrongdoings, it was considering blocking WoSign and its subsidiary StartCom for one year. Following Mozilla’s accusations, Apple is now the second big Internet company to step into the WoSign fiasco.
“Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products,” wrote Apple in a public statement. “As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.”
In light of Apple’s decision to outright block a specific intermediate WoSign certificate, experts speculated that Firefox, which wasn’t exactly concrete in its stance last week, could come down harder on the CA after a scheduled face-to-face meeting with the company this week.