StartCom to shut down, all certificates revoked in 2020

Embattled Chinese certificate authority could not recover from blacklistings by browser makers.
Written by Chris Duckett, Contributor

StartCom has announced it will stop issuing new certificates at the end of 2017, as the business is set for termination in 2020.

The Chinese certificate authority said it was unable to recover from the loss of trust in its certificates, and those of its parent company WoSign, by all four major browser makers.

"Around a year ago the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores, and not accept newly end entity certificates issued by StartCom," the company said in a statement.

"Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority."

According to the company, it will cease creating new certificates from the start of 2018, and only provide validation services for two years. In 2020, all certificates will be revoked.

In September 2016, Mozilla kicked off the process of distrusting certificates from WoSign and StartCom. Over the course of the next year, Google and Apple followed Mozilla's lead.

StartCom and WoSign are not the only companies to have their certificates distrusted, with Symantec also having its TLS certificates blacklisted. Google has said it will remove trust from Symantec certificates issued prior to June 1, 2016, when Chrome 66 is released in April 2018.

In August, Symantec sold its website security business to DigiCert, with the deal having closed on October 31. The terms of the deal see Symantec receive $950 million in cash upfront, and gain a 30 percent stake in DigiCert.

Updated 10:18pm AEDT, November 21, 2017: Added DigiCert deal closed on October 31.
