from the certified-or-certifiable? dept.
Arthur T Knackerbracket has found the following story:
After being pinged by Mozilla for issuing backdated SHA-1 certificates, Chinese certificate authority WoSign's owner has put the cleaners through the management of WoSign and StartCom.
Mozilla put WoSign and StartCom on notice at the end of September.
As part of its response, the company has posted around 200,000 certificates with the Google transparency log server as well as on its own CT log server, covering everything issued in 2015 and 2016, with a promise to expand that to "all certificates past and present".
In this discussion thread, Bugzilla lead developer Gervase Markham explains that people from WoSign's majority shareholder Qihoo 360 and StartCom met with Mozilla representatives last Tuesday in London.
WoSign's full response is here (PDF). In it, as summarised in the mailing list discussion by StartCom founder Eddy Nigg, the company promises to:
Qihoo 360 is taking the issue of backdated SHA-1 certs, in January 2016, as the most serious violation, and the reason for the executive re-organisation.
The incident report states: "Wosign is in process of making legal and personnel changes in both WoSign and StartCom to ensure that both WoSign and StartCom have leadership that understand and follow the standards of running a CA".
The incident report lists more than 60 backdated certificates, including the one issued to Australian-headquartered payments processor Tyro (The Register has previously contacted Tyro for comment, but received no response).
Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."
WoSign (based in Shenzen, China) and StartCom (based in Eliat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.