Certificate policy violations force reform at StartCom and WoSign

The two CAs will be separated and their CEO will be replaced

The top management of StartCom and WoSign will be replaced and the two certificate authorities will undergo audits after browser vendors discovered that they mis-issued many digital certificates, violating industry rules.

The investigation launched by Mozilla led to the discovery of 13 instances where China-based WoSign and its subsidiary StartCom issued certificates with various types of problems. Evidence was also found that both CAs issued certificates signed with the SHA-1 algorithm after Jan. 1 in violation of industry rules and intentionally backdated them to avoid being caught.

As a result, Mozilla said that it has lost faith in the ability of WoSign and StartCom to correctly carry out the functions of a CA and announced that it will stop trusting new certificates from the two companies. Apple followed suit and announced its own ban for future WoSign and StartCom certificates last week.

WoSign provided explanations for all of the discovered issues in a detailed response Friday and admitted that it had issued 64 backdated certificates, 42 intentionally. This will cost the WoSign CEO, Richard Wang, his job.

"WoSign acknowledges it made a serious mistake of issuing 64 backdated certificates. It is the responsibility of the WoSign CEO to maintain technical and operational veracity according to CA standards (including no backdating) and there was a failure to do so," WoSign said in its response. "WoSign was contacted by customers requesting SHA-1 and WoSign made a mistake to approve of backdated certificates. During mid 2016, StartCom was contacted by Tyro for a SHA-1 certificate and Richard Wang approved the issuance, which was a mistake."

The company said that the decision to backdate certificates was taken to help desperate customers in China who could no longer obtain SHA-1 certificates and were having trouble supporting the millions of computers in the country that still use Windows XP with Service Pack 2.

Chinese Internet security company Qihoo 360, which owns a majority stake in WoSign and implicitly in StartCom, has stepped in and decided to separate the two CAs.

"360’s Corporate Development team has been notified to execute the process to legally separate Wosign and Startcom and to begin executing personnel reassignments," the company said. "StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360). StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom Europe). Richard Wang will be relieved of his duties as CEO of WoSign."

Qihoo 360 noted that StartCom has been operating as a compliant CA for many years and that its only error after being acquired by WoSign was to issue two backdated certificates with Wang's approval.

Because of this, the company wants StartCom to be completely separated and to report directly to Qihoo. It also wants browser vendors to consider the repercussions of this incident separately for WoSign and StartCom. The latter is preparing its own response and go-forward plan.

StartCom was founded in 1999 in Israel and was the first CA to offer free digital certificates. Most of the company's customers are from outside China, unlike WoSign's. A ban on future StartCom certificates would force many organizations in Europe, North America and elsewhere to search for new certificate providers when their existing certificates expire.


Lucian Constantin

IDG News Service