
SoylentNews is people

posted by cmn32480 on Tuesday October 11 2016, @05:01AM   Printer-friendly
from the certified-or-certifiable? dept.

Arthur T Knackerbracket has found the following story:

After being pinged by Mozilla for issuing backdated SHA-1 certificates, Chinese certificate authority WoSign's owner has put the cleaners through the management of WoSign and StartCom.

Mozilla put WoSign and StartCom on notice at the end of September.

As part of its response, the company has published around 200,000 certificates to Google's Certificate Transparency (CT) log as well as to its own CT log, covering everything it issued in 2015 and 2016, with a promise to extend that to "all certificates past and present".

In this discussion thread, Bugzilla lead developer Gervase Markham explains that people from WoSign's majority shareholder Qihoo 360 and StartCom met with Mozilla representatives last Tuesday in London.

WoSign's full response is here (PDF). In it, as summarised in the mailing list discussion by StartCom founder Eddy Nigg, the company promises to:

Qihoo 360 treats the SHA-1 certificates that were issued in January 2016 with backdated validity periods as the most serious violation, and the reason for the executive reorganisation.

The incident report states: "Wosign is in process of making legal and personnel changes in both WoSign and StartCom to ensure that both WoSign and StartCom have leadership that understand and follow the standards of running a CA".

The incident report lists more than 60 backdated certificates, including the one issued to Australian-headquartered payments processor Tyro (The Register has previously contacted Tyro for comment, but received no response).
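The check below is an added example, not code from the story, from WoSign, Mozilla or The Register. It makes the two technical points above concrete: a certificate's notBefore date is chosen by the CA, while a CT log entry timestamp (or an embedded SCT) is not, so a SHA-1 certificate dated before the CA/Browser Forum Baseline Requirements' 1 January 2016 SHA-1 issuance cutoff but first evidenced well after that date is a backdating candidate, and one dated on or after the cutoff is a plain violation. The cutoff date is a fact of the Baseline Requirements rather than something the story states; the 48-hour grace window, the Finding names and the self-signed test certificate are assumptions of this example, and the logic applies to any SHA-1 certificate, not only WoSign's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sha1Cutoff: the CA/Browser Forum Baseline Requirements forbade issuing new
// SHA-1 signed subscriber certificates from 1 January 2016. A SHA-1 certificate
// whose notBefore is earlier than this was either genuinely issued in 2015 or
// backdated to look that way.
var sha1Cutoff = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)

// backdateGrace is an assumption for this example: CAs routinely set notBefore
// a little before the real issuance time to absorb client clock skew, so only a
// larger gap between notBefore and independent evidence counts as suspicious.
const backdateGrace = 48 * time.Hour

// Finding is the outcome of checking one certificate against the SHA-1 sunset.
type Finding int

const (
	OK                    Finding = iota // not SHA-1, nothing to check
	Sha1Legacy                           // SHA-1 issued and evidenced before the cutoff
	Sha1AfterCutoff                      // SHA-1 with notBefore on/after the cutoff: a clear BR violation
	Sha1BackdateCandidate                // SHA-1 dated before the cutoff but first evidenced well after it
)

func (f Finding) String() string {
	return [...]string{"ok", "sha1-legacy", "sha1-after-cutoff", "sha1-backdate-candidate"}[f]
}

func isSHA1(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// Classify compares the CA-controlled notBefore with observedAt, the earliest
// evidence of the certificate that the CA does not control: an embedded SCT
// timestamp, the CT log entry timestamp, or the first-seen time of a scanner.
func Classify(alg x509.SignatureAlgorithm, notBefore, observedAt time.Time) Finding {
	if !isSHA1(alg) {
		return OK
	}
	if !notBefore.Before(sha1Cutoff) {
		return Sha1AfterCutoff
	}
	if observedAt.After(sha1Cutoff) && observedAt.Sub(notBefore) > backdateGrace {
		return Sha1BackdateCandidate
	}
	return Sha1Legacy
}

// ClassifyPEM runs Classify over a PEM certificate such as one exported from a CT log.
func ClassifyPEM(pemBytes []byte, observedAt time.Time) (Finding, *x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return OK, nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return OK, nil, err
	}
	return Classify(cert.SignatureAlgorithm, cert.NotBefore, observedAt), cert, nil
}

// makeTestCertPEM self-signs a throwaway certificate (constructed input, not a
// real WoSign certificate) so the PEM path can be exercised offline.
func makeTestCertPEM(alg x509.SignatureAlgorithm, notBefore time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(20151220),
		Subject:            pkix.Name{CommonName: "backdate.example.test"},
		NotBefore:          notBefore,
		NotAfter:           notBefore.AddDate(1, 0, 0),
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dec := time.Date(2015, time.December, 20, 0, 0, 0, 0, time.UTC)
	jan := time.Date(2016, time.January, 15, 0, 0, 0, 0, time.UTC)
	fmt.Println("SHA-1, dated Dec 2015, logged Jan 2016:", Classify(x509.SHA1WithRSA, dec, jan))
	fmt.Println("SHA-1, dated Jan 2016:", Classify(x509.SHA1WithRSA, jan, jan))
	fmt.Println("SHA-1, dated and logged Dec 2015:", Classify(x509.SHA1WithRSA, dec, dec.Add(time.Hour)))
	pemBytes, err := makeTestCertPEM(x509.SHA256WithRSA, dec)
	if err != nil {
		panic(err)
	}
	f, cert, err := ClassifyPEM(pemBytes, jan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s signed with %s: %s\n", cert.Subject.CommonName, cert.SignatureAlgorithm, f)
}
```

A "backdate candidate" is a lead, not proof: a certificate can be logged long after issuance, so the finding only says the CA's issuance records (or serial-number ordering against neighbouring certificates) need to be checked, which is the kind of evidence Mozilla's incident reports rest on.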


  • (Score: 2) by datapharmer (2702) on Tuesday October 11 2016, @10:11AM (#412876)

    Good riddance. I've used this registrar before for free certificates. They issued but would not renew a certificate with the word salesforce in the sub domain because it "could be used for spoofing".

    They told me I had to get permission from salesforce.com owners to use "salesforce" as a subdomain. I had salesforce support email them, but they said it had to be the actual owner listed by Whois, so I gave up and ordered a wildcard certificate instead.

    You're telling me that after all that they were backdating certificates? What the heck?

  • (Score: 2) by zocalo (302) on Tuesday October 11 2016, @11:07AM (#412892)
    Wow, that's really clueless. When was this though? Startcom used to be OK-ish, if slightly shady (lots of certs issued outside of their ToS), while they were still operated out of Israel, but one of Mozilla's issues with WoSign implies they may have moved the StartCom certificate issuing systems over to China. The timescale on this is sketchy as to what happened when, but must be some time after WoSign secretly acquired StartCom in November 2015 and when the infrastructure transfer was definitely completed on 1st September 2016 - no telling when staff in China started issuing the certs in that window though.
    --
    UNIX? They're not even circumcised! Savages!