Mozilla slaps ban on China's WoSign: Firefox drops trust for certs over 'deception'

Mozilla has now set a date for a ban on all new HTTPS certificates from WoSign, just as Google unveils a major expansion of its Certificate Transparency program.
Written by Liam Tung, Contributing Writer


Starting in January, any website using a new certificate from Qihoo 360-owned certificate authority WoSign will have trouble reaching Firefox users.

Firefox-maker Mozilla announced on Tuesday it will ban newly-issued digital certificates from WoSign and StartCom, an Israel-based certificate authority that the Chinese firm recently acquired.

The move follows a damning report published by Mozilla last month accusing WoSign of backdating certificates to circumvent an industry-wide effort to phase out HTTPS certificates signed with the outdated SHA-1 algorithm.

CAs, such as WoSign, were not supposed to issue SHA-1 signed certificates after January 1. WoSign backdated a number of certificates to appear as if they were issued in December 2015.

Mozilla last month proposed a one-year ban on newly-issued WoSign certificates but hadn't set a date for its introduction. The new commitment to follow through with the ban comes despite last-ditch efforts by Qihoo 360 to avert it.

Mozilla has now opted to distrust WoSign and StartCom certificates generated after October 21. The action takes effect in Firefox 51, which is due on January 24, 2017.

Mozilla's other gripe with WoSign was the certificate authority's persistent denial of its ownership of StartCom.

"The levels of deception demonstrated by representatives of the combined company have led to Mozilla's decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates," Mozilla's security team wrote.

On realizing the severity of Mozilla's threat, Qihoo 360 offered to fire WoSign's CEO Richard Wang, and appoint Qihoo 360 chief security officer Xiaosheng Tan as chairman of StartCom.

WoSign vowed to use the Google-backed system of Certificate Transparency (CT) to log existing and new certificates. Google's CT logs offer an independent source for auditing CAs and keeping a check on them in the event that one goes rogue or is hacked, as happened to Dutch CA DigiNotar in 2011.

More recently, Google demanded that all Symantec certificates issued after June 1 support CT, after Symantec was caught issuing bogus certificates for Google domains.

WoSign for its part said it had voluntarily posted all SSL (HTTPS) certificates to Google's CT log server on July 5, 2016.

The company would probably have had to do that anyway in the coming months, with Google this week announcing a major expansion of its CT program.

Google now expects all publicly-trusted website certificates issued after September 2017 to comply with Chrome's CT policy for them to be trusted by Chrome.

"The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs," said Ryan Sleevi, a Google software engineer.

