How to choose a certificate authority for safer web security Watch Now

Microsoft has had enough of the Chinese Certificate Authorities (CAs) WoSign and its subsidiary StartCom's poor security. Soon, neither Internet Explorer nor Edge will recognize new security certificates from either company.

A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity's identity on the internet. Certificates include its owner's public key and name, the certificate's expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and "private" internet communications.

WoSign and StartCom lost their reputation for reliability over a year ago. According to SSL Labs, by October 2016, "browser vendors have lost trust in WoSign's 'technical and management capabilities.' In addition, WoSign has been accused of dishonesty and continued and persistent deception." Unfortunately, both CAs had large installed user bases, largely because both had offered free certificates.

Mozilla was the first web browser company to announce that it would "no longer trust newly-issued certificates issued by either of these two CA brands." Google followed Mozilla in no longer trusting the CA vendors' certificates in July 2017. Chrome security engineer Devon O'Brien said Google was doing this because of "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs." Apple has also dropped support for WoSign certificates.

Now, Microsoft has joined them in abandoning trust in their certificates. A Microsoft representative wrote: "Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) [issuance and management rules for public certificates] violations."

Microsoft will start "the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017."

WoSign claimed that it would clean up its act in a memo in October 2016. That hasn't happened.

The company's website ignores the issue, "Why NOT WoSign? you need a trusted CA to issue browser trusted SSL certificate for you, WoSign is your best choice. And WoSign China is one of the largest digital certificate provider in China, has more than 70 percent market share in China."

PREVIOUS AND RELATED COVERAGE

Google guillotine falls on certificate authorities WoSign, StartCom

According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016.

Mozilla slaps ban on WoSign: Firefox drops trust over 'deception'

Starting in January 2017, any website using a new certificate from Qihoo 360-owned certificate authority WoSign will have troubles reaching Firefox users. Firefox-maker Mozilla announced it will ban newly-issued digital certificates from WoSign and StartCom, an Israel-based certificate authority that the Chinese firm recently acquired.