Batu69 Posted September 27, 2016

Mozilla may also ban StartCom certificates as well

Mozilla is pondering applying a one-year-long ban on all newly issued SSL certificates from Chinese CA (Certificate Authority) WoSign, and Israeli CA StartCom, which WoSign appears to have secretly bought last year.

Mozilla's engineers announced the potential ban following an investigation into a series of suspicious SSL SHA-1 certificates issued by both companies. The full investigation report can be read below this article.

Both CAs have tried to avoid the SHA-1 ban

The issues revolve around a common decision that browser makers took last year, to stop accepting SSL certificates signed via the ancient SHA-1 algorithm starting with January 1, 2016. Mozilla is accusing WoSign of having issued SHA-1-signed certificates and back-dating them to December 2015.

While Mozilla has allowed other CAs to issue SHA-1 certificates after January 1, 2016, for example Symantec, it only allowed this if the CA went through a complex approval process, which apparently WoSign has dodged.

WoSign has hidden the StartCom acquisition

Furthermore, WoSign seems to deny that it bought Israeli CA StartCom. Mozilla says, backed up by a Hebrew-speaking lawyer, that WoSign has had 100 percent ownership of the Israeli CA since November 1, 2015.

To back up its claims, Mozilla revealed technical details that sustain its statements, showing that StartCom has started issuing certificates using WoSign's infrastructure.

Mozilla also accused StartCom of engaging in back-dating 2016 SHA-1 certificates to December 2015, just like WoSign. The Foundation's security engineers detail one case where this has happened.

StartCom has also back-dated SHA-1-signed certificates

The Mozilla investigation uncovered how Tyro, a payments processor that has worked with the GeoTrust CA for years, all of a sudden deployed an SHA-1-signed certificate in the middle of June using StartCom, a CA it had never worked with.

The certificate was dated as issued on December 20, 2015, a date on which Mozilla engineers found that StartCom had issued a large number of SHA-1-signed certificates. Mozilla discovered that companies deployed these certificates in the middle of 2016, and not right away, a clear sign that they were back-dated to avoid the SHA-1 ban.

These incidents and many more are now making Mozilla engineers ponder the idea of untrusting WoSign and StartCom SSL certificates in Mozilla for a year.

A permanent ban may be applied

Mozilla says this temporary ban will be applied only to newly issued certificates from both companies, and not to certificates already deployed at their customers. If the two companies don't pass a series of tests after the one-year ban, Mozilla is ready to ban all certificates from both companies for good.

"Many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots," the report says.

Furthermore, a ban in Chrome and other products is also on the table. "While other browser vendors and root store operators will need to make their own decisions, we have laid out the information in this document so that they will understand the basis on which we have made our decision and can make their own decisions accordingly," Mozilla said.

Article source
DKT27 (Administrator) Posted September 27, 2016

Good work by Mozilla. While it seems these newer certificates might be expensive or might have some problems deploying (otherwise why would companies buy such ones?), why take a risk on security here?
straycat19 Posted September 27, 2016

I checked some of my personal computers and only found one StartCom Certificate that was issued in 2007 and expires in 2024. Here is the information you need to look at the certificates you may have and how to remove any that you don't want.

How to Remove an SSL Certificate

Secure Socket Layer certificates make it possible to encrypt data transmitted between your computer and an external website. In most cases, you shouldn't need to remove an SSL certificate unless you find out the website used a fraudulent certificate or an expired certificate is preventing you from accessing certain areas of the website. Internet Explorer 11, Chrome and Firefox all use a slightly different process for removing a certificate.

INTERNET EXPLORER
Step 1: Click the "Tools" menu and select "Internet Options" in Internet Explorer 11.
Step 2: Select the "Content" tab and choose the "Certificates" button.
Step 3: Choose the certificate you want to remove and click the "Remove" button.

CHROME
Step 1: Select the Chrome menu icon on the toolbar. It looks like a set of three horizontal bars.
Step 2: Choose "Settings."
Step 3: Select the "Show Advanced Settings..." link.
Step 4: Select the "Manage Certificates..." button in the HTTPS/SSL section.
Step 5: Click "Certificates" to filter the results to show only SSL certificates.
Step 6: Right-click the certificate you want to delete and select the "Delete" option.

FIREFOX
Step 1: Launch Firefox, select the "Tools" menu and choose "Options." On a Mac, select "Firefox" and choose "Preferences."
Step 2: Click the "Advanced" tab.
Step 3: Select the "Certificates" tab and choose "View Certificates" to access the SSL certificates added to your system.
Step 4: Choose the certificate you want to delete and select the "Delete..." button.
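The two patterns the article describes (SHA-1 certificates dated before the January 1, 2016 cutoff but only deployed months later, and a ban that hits only certificates these CAs issue after a cutoff) can be turned into a scripted triage of a certificate inventory, which complements straycat19's manual review above. This is an added example, not code from the post, the article or Mozilla's report; the distrust cutoff date, the 90-day deployment-gap threshold and the sample inventory are constructed assumptions.

```python
from datetime import datetime, timedelta

# From the article: browsers stopped accepting newly issued SHA-1 certs on 2016-01-01.
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1)
# ASSUMED placeholder: the article gives no exact date from which Mozilla would
# distrust *newly issued* WoSign/StartCom certificates, so this value is invented.
DISTRUST_NEW_FROM = datetime(2016, 10, 1)
SUSPECT_CA_KEYWORDS = ("wosign", "startcom")
# ASSUMED heuristic: a cert first seen this long after its notBefore is suspicious.
DEPLOY_GAP = timedelta(days=90)

def parse_openssl_date(line):
    """Parse 'notBefore=Dec 20 10:12:33 2015 GMT' as printed by `openssl x509 -dates`."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")

def assess(issuer_line, not_before_line, sig_alg, first_seen):
    """Classify one cert from its openssl issuer/date lines, signature algorithm
    and the date it was first observed on a host."""
    issuer = issuer_line.lower()
    not_before = parse_openssl_date(not_before_line)
    suspect_ca = any(k in issuer for k in SUSPECT_CA_KEYWORDS)
    is_sha1 = sig_alg.lower().startswith("sha1")
    # Back-dating signature: suspect CA, SHA-1, dated before the cutoff, deployed late.
    backdated = (suspect_ca and is_sha1
                 and not_before < SHA1_ISSUANCE_CUTOFF
                 and first_seen - not_before > DEPLOY_GAP)
    # The proposed ban only distrusts certs these CAs issue from the cutoff onward.
    trusted = not (suspect_ca and not_before >= DISTRUST_NEW_FROM)
    return {"suspect_ca": suspect_ca, "sha1": is_sha1,
            "backdating_suspected": backdated, "trusted_under_ban": trusted}

# Constructed sample inventory (not real certificates), in openssl's output format.
INVENTORY = [
    ("issuer=C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA",
     "notBefore=Dec 20 10:12:33 2015 GMT", "sha1WithRSAEncryption", datetime(2016, 6, 15)),
    ("issuer=C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA",
     "notBefore=Mar  3 00:00:00 2016 GMT", "sha256WithRSAEncryption", datetime(2016, 3, 4)),
    ("issuer=C = CN, O = WoSign CA Limited, CN = WoSign CA Free SSL Certificate G2",
     "notBefore=Nov 15 08:00:00 2016 GMT", "sha256WithRSAEncryption", datetime(2016, 11, 15)),
]

def scan(inventory=INVENTORY):
    """Return one verdict dict per inventory record, in order."""
    return [assess(*record) for record in inventory]

if __name__ == "__main__":
    for record, verdict in zip(INVENTORY, scan()):
        print(record[0], verdict)
```

On a real host the issuer and date lines come from `openssl x509 -in cert.pem -noout -issuer -dates` and the signature algorithm from the `-text` output; first-seen dates come from your own deployment records.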