Mozilla plan to distrust StartCom/WoSign Certificates

Andy Gambles
Sep 26, 2016 · 2 min read

Mozilla have released the details of their investigation in to WoSign and StartCom (better known as StartSSL). In short they plan to announce a date where newly issued WoSign and StartCom issued certificates will no longer be trusted.

Mozilla Announcement

Currently it is only Mozilla talking about distrusting these certificates which will affect FireFox users. However as the details of the CA Browser Forum breaches are absorbed by the community it is possible the CAB forum itself may introduce a wider distrust and all browsers begin to distrust certificates issued by them. Chrome forums are already discussing the possibility of similar action.

The CA Browser Forum is a collective of Certificate Authorities and Browser vendors. They decide on standards across the industry for certificate issuance. WoSign and StartCom were members of the forum but failed to mention that WoSign had purchased 100% of StartCom. For a period of time this meant the had two votes within the CAB forum. This has been resolved and previous votes verified.

However as the report by Mozilla details WoSign and by association StartCom have breached many of the CAB Forum guidelines. Including issuing SHA-1 certificates after 1 January 2016 and back dating these certificates to ensure they would function in browsers. Mozilla has also lost complete trust in the CA’s validation process.

Essentially Mozilla has decided that they will determine a future date whereby all newly issued certificates by StartCom and WoSign will no longer be trusted.


Stories from the world of

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store