Certificate policy violations force reform at StartCom and WoSign

The two CAs will be separated and their CEO will be replaced

The top management of StartCom and WoSign will be replaced and the two certificate authorities will undergo audits after browser vendors discovered that they mis-issued many digital certificates, violating industry rules.

The investigation launched by Mozilla led to the discovery of 13 instances where China-based WoSign and its subsidiary StartCom issued certificates with various types of problems. Evidence was also found that both CAs issued certificates signed with the SHA-1 algorithm after Jan. 1 in violation of industry rules and intentionally backdated them to avoid being caught.

As a result, Mozilla said that it has lost faith in the ability of WoSign and StartCom to correctly carry out the functions of a CA and announced that it will stop trusting new certificates from the two companies. Apple followed suit and announced its own ban for future WoSign and StartCom certificates last week.

WoSign provided explanations for all of the discovered issues in a detailed response Friday and admitted that it had issued 64 backdated certificates, 42 intentionally. This will cost the WoSign CEO, Richard Wang, his job.

"WoSign acknowledges it made a serious mistake of issuing 64 backdated certificates. It is the responsibility of the WoSign CEO to maintain technical and operational veracity according to CA standards (including no backdating) and there was a failure to do so," WoSign said in its response. "WoSign was contacted by customers requesting SHA-1 and WoSign made a mistake to approve of backdated certificates. During mid 2016, StartCom was contacted by Tyro for a SHA-1 certificate and Richard Wang approved the issuance, which was a mistake."

The company said that the decision to backdate certificates was taken to help desperate customers in China who could no longer obtain SHA-1 certificates and were having trouble supporting the millions of computers in the country that still use Windows XP with Service Pack 2.
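The practical consequence for defenders is an inventory check: which certificates in your estate are SHA-1-signed after the cutoff the article describes, which SHA-1 certificates from WoSign or StartCom are dated suspiciously close to it, and which will stop being trusted in Firefox and Safari once the announced bans apply. The audit below is an added example, not code from the article or from either CA; the 60-day review window and the sample inventory records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Industry cutoff the article refers to: no SHA-1 issuance on or after 1 Jan 2016.
SHA1_CUTOFF = date(2016, 1, 1)
# Assumption: a SHA-1 cert from an affected CA dated within 60 days before the
# cutoff is flagged for manual review, since backdating put certs just before it.
BACKDATE_WINDOW = timedelta(days=60)
AFFECTED_CAS = ("wosign", "startcom")


@dataclass
class CertRecord:
    subject: str
    issuer: str         # issuing CA organisation name as seen in the chain
    sig_algorithm: str  # e.g. "sha1WithRSAEncryption", "sha256WithRSAEncryption"
    not_before: date    # validity start as encoded in the certificate


def audit(cert: CertRecord) -> List[str]:
    """Return policy findings for one inventory record (empty list = clean)."""
    findings = []
    is_sha1 = cert.sig_algorithm.lower().startswith("sha1")
    from_affected = any(ca in cert.issuer.lower() for ca in AFFECTED_CAS)
    if is_sha1 and cert.not_before >= SHA1_CUTOFF:
        findings.append("mis-issued: SHA-1 signature dated on/after 2016-01-01")
    elif is_sha1 and from_affected and cert.not_before >= SHA1_CUTOFF - BACKDATE_WINDOW:
        findings.append("review: SHA-1 cert from WoSign/StartCom dated just before cutoff")
    elif is_sha1:
        findings.append("weak: SHA-1 signature, replace before browser deprecation")
    if from_affected:
        findings.append("migrate: chains to WoSign/StartCom, new certs will be distrusted")
    return findings


# Constructed sample inventory (not real certificates).
INVENTORY = [
    CertRecord("shop.example", "WoSign CA Limited", "sha1WithRSAEncryption", date(2016, 3, 1)),
    CertRecord("mail.example", "StartCom Ltd.", "sha1WithRSAEncryption", date(2015, 12, 20)),
    CertRecord("www.example", "Other CA Inc", "sha1WithRSAEncryption", date(2014, 6, 1)),
    CertRecord("api.example", "Other CA Inc", "sha256WithRSAEncryption", date(2016, 5, 1)),
]


def audit_inventory(records: List[CertRecord]) -> dict:
    """Map each subject to its findings; subjects with no findings are omitted."""
    return {r.subject: f for r in records if (f := audit(r))}


if __name__ == "__main__":
    for subject, findings in audit_inventory(INVENTORY).items():
        print(subject, "->", "; ".join(findings))
```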

Chinese Internet security company Qihoo 360, which owns a majority stake in WoSign and, through it, in StartCom, has stepped in and decided to separate the two CAs.

"360’s Corporate Development team has been notified to execute the process to legally separate Wosign and Startcom and to begin executing personnel reassignments," the company said. "StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360). StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom Europe). Richard Wang will be relieved of his duties as CEO of WoSign."

Qihoo 360 noted that StartCom has been operating as a compliant CA for many years and that its only error after being acquired by WoSign was to issue two backdated certificates with Wang's approval.

Because of this the company wants StartCom to be completely separated and to report directly to Qihoo. It also wants browser vendors to consider the repercussions for this incident separately for WoSign and StartCom. The latter is preparing its own response and go-forward plan.

StartCom was founded in 1999 in Israel and was the first CA to offer free digital certificates. Most of the company's customers are from outside China, unlike WoSign's. A ban on future StartCom certificates would force many organizations in Europe, North America and elsewhere to search for new certificate providers when their existing certificates expire.

Stories by Lucian Constantin