[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple
- Subject: [ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple
- From: ale at advancedopen.com (Brian W. Neu)
- Date: Mon, 30 Jan 2017 15:08:59 -0500
Randomly logged into my StartCom account today to see all kinds of red
text about free verifications and expirations and workarounds.

Through a little reading, it's clear that the Mozilla Foundation and
Google have both announced that they are distrusting the StartCom and
WoSign CAs due to deceptive practices unbecoming of a certificate
authority. The short story is that WoSign, a Chinese company claiming
70% of the certificate market in China, was allowing for the backdating
of new SHA1 signings to avoid some kind of sunset imposed by Microsoft
and others. WoSign also acquired StartCom in 2015, and purposely hid
this from the public, even denied it to the Mozilla Foundation until
irrefutable evidence surfaced.

Looks like StartCom is trying to mitigate damage by spinning off as a
separate entity, but what a disaster! Any alternative CAs led by
non-shady businessmen? Comodo?

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
https://en.wikipedia.org/wiki/StartCom
https://www.thesslstore.com/blog/wosign-startcom-separated/
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html