Mozilla plan to distrust StartCom/WoSign Certificates

Mozilla have released the details of their investigation into WoSign and StartCom (better known as StartSSL). In short, they plan to announce a date after which certificates newly issued by WoSign and StartCom will no longer be trusted.

Mozilla Announcement

Currently it is only Mozilla talking about distrusting these certificates, which will affect Firefox users. However, as the details of the breaches of the CA Browser Forum guidelines are absorbed by the community, it is possible that the CAB Forum itself may introduce a wider distrust and that all browsers will begin to distrust certificates issued by them. Chrome forums are already discussing the possibility of similar action.

The CA Browser Forum is a collective of Certificate Authorities and browser vendors. They decide on standards across the industry for certificate issuance. WoSign and StartCom were members of the forum but failed to mention that WoSign had purchased 100% of StartCom. For a period of time this meant they had two votes within the CAB Forum. This has been resolved and previous votes verified.

However, as the report by Mozilla details, WoSign and, by association, StartCom have breached many of the CAB Forum guidelines, including issuing SHA-1 certificates after 1 January 2016 and backdating these certificates to ensure they would function in browsers. Mozilla has also lost complete trust in the CA’s validation process.

Essentially, Mozilla has decided that they will determine a future date after which all certificates newly issued by StartCom and WoSign will no longer be trusted.