Mozilla Completely Distrusts WoSign CA, WoSign “Accepts” Sanctions and Puts SSL Certificates On Sale
Mozilla announced its final decision on the WoSign Certificate Authority (CA) reviews on October 20, 2016. According to the announcement, Mozilla will no longer trust any CA certificates issued by WoSign from October 21 onwards. The change from trust to distrust will also go into the Firefox 51 release train.
“Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016. Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy. The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct.” The company summed up its security concerns over WoSign in its latest blog post.
“The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates,” the post continues.
Following Mozilla’s announcement, WoSign released a public statement saying: “Although Mozilla’s sanctions are too severe, but WoSign accept it. WoSign decide to make improvement, continuously increase liability, security and compliance of our systems and follow strictly all the international standards and security management policies of every browser vendor.”
The Chinese company said its WoSign Digital Certificate Store will be updated and that, from October 22, there will be a 90% discount on all paid SSL certificates issued from the 4 affected roots.
In its investigation, Mozilla first spelled out how it spotted an anomalous number of SHA-1 certs issued by WoSign on Dec. 20, 2015, a Sunday. This runs counter to the pattern of the vast majority of the company's other SHA-1 certs, which were issued on working days during normal work hours.
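The kind of check described above can be sketched as follows. This is an added example, not Mozilla's own tooling: it counts SHA-1 certificates whose notBefore time falls outside an assumed working window and reports the days on which they cluster. The certificate records are constructed, and the UTC+8, Monday to Friday, 09:00 to 18:00 window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: issuing staff work Mon-Fri, 09:00-18:00 in UTC+8.
ISSUER_TZ = timezone(timedelta(hours=8))
WORK_DAYS = range(0, 5)    # Monday=0 .. Friday=4
WORK_HOURS = range(9, 18)  # 09:00 up to 17:59 local time

def local_time(not_before_utc):
    """Parse a UTC notBefore string and convert it to the issuer's local time."""
    t = datetime.strptime(not_before_utc, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(tzinfo=timezone.utc).astimezone(ISSUER_TZ)

def is_off_hours(local):
    """True if the local time is on a weekend or outside working hours."""
    return local.weekday() not in WORK_DAYS or local.hour not in WORK_HOURS

def off_hours_sha1_days(certs, min_count=3):
    """Map local date -> count of off-hours SHA-1 certs, keeping days >= min_count."""
    per_day = Counter()
    for sig_alg, not_before in certs:
        local = local_time(not_before)
        if sig_alg.lower().startswith("sha1") and is_off_hours(local):
            per_day[local.date().isoformat()] += 1
    return {day: n for day, n in per_day.items() if n >= min_count}

# Constructed sample records: (signature algorithm, notBefore in UTC).
SAMPLE = [
    ("sha1WithRSAEncryption", "2015-12-14T02:10:00Z"),    # Monday 10:10 local
    ("sha1WithRSAEncryption", "2015-12-15T06:30:00Z"),    # Tuesday 14:30 local
    ("sha1WithRSAEncryption", "2015-12-16T14:00:00Z"),    # Wednesday 22:00 local
    ("sha1WithRSAEncryption", "2015-12-19T16:30:00Z"),    # Sunday 00:30 local
    ("sha256WithRSAEncryption", "2015-12-20T03:00:00Z"),  # not SHA-1, ignored
    ("sha1WithRSAEncryption", "2015-12-20T05:01:00Z"),    # Sunday 13:01 local
    ("sha1WithRSAEncryption", "2015-12-20T05:02:10Z"),
    ("sha1WithRSAEncryption", "2015-12-20T05:03:45Z"),
    ("sha1WithRSAEncryption", "2015-12-20T05:05:30Z"),
]

if __name__ == "__main__":
    for day, count in sorted(off_hours_sha1_days(SAMPLE).items()):
        print(f"{day}: {count} SHA-1 certs with off-hours notBefore")
```

A cluster on a non-working day is a reason to look closer, not proof of backdating; the single Wednesday-evening certificate in the sample stays below the threshold for that reason.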