SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Google Drops the Boom on WoSign, StartCom Certs for Good
Date    Monday July 24 2017, @05:40AM
Author    mrpg
from the who-watches-the-watchers dept.
https://soylentnews.org/article.pl?sid=17/07/23/2310204

Fnord666 writes:

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzhen, China) and StartCom (based in Eilat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.

Source: Google drops the boom on WoSign, StartCom certs for good

Previously:
Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row
Game Over for WoSign and StartCom Certificate Authorities?


Original Submission

Links

  1. "Fnord666" - https://soylentnews.org/~Fnord666/
  2. "errantly issued a certificate for a GitHub domain to someone other than GitHub" - https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
  3. "dating back to the spring of 2015" - https://wiki.mozilla.org/CA:WoSign_Issues
  4. "distrusting new certificates issued by the two companies" - https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
  5. "WoSign" - https://www.wosign.com/english/root.htm
  6. "StartCom" - https://www.startcomca.com/
  7. "backdating the SSL certificates it issued" - https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
  8. "less secure SHA-1 SSL certificates" - https://arstechnica.com/security/2016/05/microsoft-to-retire-support-for-sha1-certificates-in-the-next-4-months/
  9. "Google drops the boom on WoSign, StartCom certs for good" - https://arstechnica.com/information-technology/2017/07/google-drops-the-boom-on-wosign-startcom-certs-for-good/
  10. "Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row" - https://soylentnews.org/article.pl?sid=16/10/11/0317214
  11. "Game Over for WoSign and StartCom Certificate Authorities?" - https://soylentnews.org/article.pl?sid=16/09/27/0142212
  12. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=21391


printed from SoylentNews, Google Drops the Boom on WoSign, StartCom Certs for Good on 2018-01-22 18:35:29