Firefox 58: Mozilla to Remove WoSign and StartCom Roots
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Firefox 58: Mozilla to Remove WoSign and StartCom Roots

What started in Firefox 51 ends in 58 as Mozilla removes a pair of disabled roots

The decline of WoSign and StartCom has been one of the bigger stories in the SSL industry over the past year or so, and his January will likely mark the final chapter. In a blog post written on August 30th on its Security Blog, Mozilla Program Manager Kathleen Wilson confirms the final phase of the plan: completely removing WoSign and StartCom’s root certificates from Mozilla’s root store in Firefox 58.

Mozilla, which is following the same action being taken by the other major browsers, announced its intention to remove the roots back in October of 2016, when it also announced that it would stop validating new certificates chaining to said root certificates. That change was made in Firefox 51.

As of January 2018, when Firefox 58 is released, Mozilla will have removed the roots from its trust store. Per Wilson:

“Websites using certificates chaining up to any of the following root certificates need to migrate to another root certificate.”

Mozilla will be removing the following root certificates in January 2018:

  • CA 沃通根证书
  • Certification Authority of WoSign
  • Certification Authority of WoSign G2
  • CA WoSign ECC Root
  • StartCom Certification Authority
  • StartCom Certification Authority G2

Why All the Distrust?

If you’re looking for the complete run-down of the WoSign/StartCom fiasco, Vince covered it pretty extensively:

If you’re looking for the short version, it’s this: WoSign and StartCom, which are basically the same company, got caught mis-issuing SSL certificates in order to circumvent CAB Forum standards. The CAB Forum is the congress of Web Browsers and Certificate Authorities that acts as the de facto regulatory body for the SSL industry.

After a series of meetings, WoSign’s CEO resigned and the browsers outlined a plan in which both CAs would be gradually distrusted until their roots would be removed from trust stores.

As Mozilla announced yesterday, the final deadline is in January.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.