Stay away from Certificate Authority WoSign/StartCom

Estimated reading time: 2 minutes.

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

Leave a Reply