Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Mozilla Firefox to remove Wosign/StartSSL as a trusted Certificate Authority
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Mozilla Firefox to remove Wosign/StartSSL as a trusted Certificate Authority

The Mozilla Foundation is proposing (to some concrete degree) to begin distrusting Startcom and Wosign for their incredibly unethical business practices and continued failures to appropriately act in a transparent manner, in addition to numerous breaches of CA integrity.

I personally would recommend moving away from them in the future in case this actually goes through, and considering Wosign/Startcoms track record, it will eventually, if not soon.

https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ

https://wiki.mozilla.org/CA:WoSign_Issues

Thanked by 2eva2000 FlamesRunner

Comments

  • joepie91joepie91 Member, Patron Provider

    The important bits:

    We plan to distrust only newly-issued certificates [...] by examining the notBefore date in the certificates

    [...] if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.

    In other words: this is probably the end of StartCom/WoSign.

    Thanked by 1eva2000
  • Huh, surprised this isn't getting more attention considering that there's still a lot of folks using WoSign and StartSSL certificates for their websites.

  • schraugerschrauger Member
    edited September 2016

    It's too bad StartCom got bought by WoSign and ended up in this mess with them. I currently use WoSign (I think lowendtalk was the place I first heard of them), but I started with StartSSL/StartCom.

    Presumably, my certificate will continue to work for now, since Mozilla is saying they'll continue trusting WoSign certificates created before a certain date. But I've wanted to move to Lets Encrypt ever since they went public, so this is the added push I needed to get the ball rolling.

    P.S. I wrote a detailed account about one of their vulnerabilities that I found.

  • @schrauger said:
    It's too bad StartCom got bought by WoSign and ended up in this mess with them. I currently use WoSign (I think lowendtalk was the place I first heard of them), but I started with StartSSL/StartCom.

    Presumably, my certificate will continue to work for now, since Mozilla is saying they'll continue trusting WoSign certificates created before a certain date. But I've wanted to move to Lets Encrypt ever since they went public, so this is the added push I needed to get the ball rolling.

    P.S. I wrote a [detailed account][schrauger] about one of their vulnerabilities that I found.

    [schrauger]: https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com

    Great read, thanks for sharing.

  • @schrauger said:
    Presumably, my certificate will continue to work for nowtheir vulnerabilities that I found.

    You may want to consider the fact that a number of people have blacklisted wosign and startcom CA certs in their browsers manually since this came to light

  • KobeKobe Member
    edited September 2016

    @mycosys said:

    @schrauger said:
    Presumably, my certificate will continue to work for nowtheir vulnerabilities that I found.

    You may want to consider the fact that a number of people have blacklisted wosign and startcom CA certs in their browsers manually since this came to light

    I'd say that's more of a minority than the majority of Mozilla users, but seeing as they're blocking only new certificates, I feel a lot more at ease regarding these certificates.

    In addition, the requirements for re-admittance to trusted CA root at Mozilla is pretty stringent for what it is, so it's probably still a wise idea to migrate away from WoSign/StartCom.

  • I've long since moved over to Let's Encrypt. Yea... The 90 day thing can be a pain. Until you get it automated anyways which is what I got going on. Script runs like once a week to check. That's usually plenty of time and gives it a couple of tries to get it in before expiring.

  • Apple says "fuck off" to WoSign too:

    Blocking Trust for WoSign CA Free SSL Certificate G2

    >

    Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.

    >

    In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

    >

    To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.

    >

    As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.

    https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI

  • joepie91joepie91 Member, Patron Provider
    edited October 2016

    lbft said: To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19.

    They're not fucking around, damn.

  • rm_rm_ IPv6 Advocate, Veteran
    edited October 2016

    published to public Certificate Transparency log servers by 2016-09-19

    Btw we can check if any particular WoSign cert is published there, via this Google's website. Also useful to verify there's no rogue certs for your domains issued by anyone. Just checked my WoSign ones, all are on the CT log, so I can just keep using them till expiration (almost 3 years remaining!)

  • I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.

  • @CFarence said:
    I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.

    Dude, they're sold legitimately for as low as $25 at some places

  • @classy said:

    @CFarence said:
    I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.

    Dude, they're sold legitimately for as low as $25 at some places

    Didn't really look that hard, looked at RapidSSL, Namecheap, and Comodo.

    Cheapest I found was $49/year, still the $60 I spent at startcom got me 7 wildcard certificates each valid for 2 years.

  • @CFarence said:

    @classy said:

    @CFarence said:
    I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.

    Dude, they're sold legitimately for as low as $25 at some places

    Didn't really look that hard, looked at RapidSSL, Namecheap, and Comodo.

    Cheapest I found was $49/year, still the $60 I spent at startcom got me 7 wildcard certificates each valid for 2 years.

    I think it's a shame the whole free SSL certs no strings attached and the verified ones got so messed up, a lot of users like you went through the annoying verification process, including fees, and are now left empty handed... :-(

    Thanked by 1thatix
  • @classy said:

    @CFarence said:

    @classy said:

    @CFarence said:
    I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.

    Dude, they're sold legitimately for as low as $25 at some places

    Didn't really look that hard, looked at RapidSSL, Namecheap, and Comodo.

    Cheapest I found was $49/year, still the $60 I spent at startcom got me 7 wildcard certificates each valid for 2 years.

    I think it's a shame the whole free SSL certs no strings attached and the verified ones got so messed up, a lot of users like you went through the annoying verification process, including fees, and are now left empty handed... :-(

    I was using the free domain verified certs, but I run a lot of self hosted apps under many host names and got tired of managing many certificates. It sucks that wosign had to mess everything up. Let's Encrypt seems like my last option though most of my stuff is behind proxies and getting Let's Encrypt to verify was getting difficult when I tried it a few months ago. Hopefully things have improved since then.

Sign In or Register to comment.