Firefox 58: Mozilla to Remove WoSign and StartCom Roots
What started in Firefox 51 ends in 58 as Mozilla removes a pair of disabled roots
The decline of WoSign and StartCom has been one of the bigger stories in the SSL industry over the past year or so, and this January will likely mark the final chapter. In a post published August 30th on the Mozilla Security Blog, Kathleen Wilson, who runs Mozilla's CA program, confirms the final phase of the plan: completely removing the WoSign and StartCom root certificates from Mozilla's root store in Firefox 58.
Mozilla, which is taking the same action as the other major browsers, announced its intention to remove the roots back in October of 2016. At the same time it announced that it would stop trusting any certificate issued after October 21, 2016 that chains to those roots. That first change shipped in Firefox 51; certificates issued before the cutoff kept working, which is what the Firefox 58 removal now ends.
As of January 2018, when Firefox 58 is released, Mozilla will have removed the roots from its trust store. Per Wilson:
“Websites using certificates chaining up to any of the following root certificates need to migrate to another root certificate.”
Mozilla will be removing the following root certificates in January 2018:
- CA 沃通根证书
- Certification Authority of WoSign
- Certification Authority of WoSign G2
- CA WoSign ECC Root
- StartCom Certification Authority
- StartCom Certification Authority G2
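If you operate a site and want to know whether this removal will break you, the question is simply which root your served chain terminates at. The script below is an added example, not code from the article or from Mozilla. It represents each certificate as a (subject CN, issuer CN) pair, as printed by `openssl x509 -noout -subject -issuer`, reorders the bundle leaf-first (servers often send intermediates out of order and usually omit the root itself), and reports which of the six listed roots, if any, the chain ends at. The sample chains and the intermediate CA names in them are constructed for illustration.

```python
"""Report whether a served certificate chain terminates at one of the six
WoSign/StartCom roots Mozilla removes in Firefox 58.

Added example, not from the original article. Certificates are modelled as
(subject CN, issuer CN) pairs; the sample chains below are constructed and
the intermediate CA names in them are hypothetical.
"""
from typing import List, Optional, Tuple

Cert = Tuple[str, str]  # (subject CN, issuer CN)

# Subject CNs of the six roots named in Mozilla's announcement.
DISTRUSTED_ROOT_CNS = frozenset({
    "CA 沃通根证书",
    "Certification Authority of WoSign",
    "Certification Authority of WoSign G2",
    "CA WoSign ECC Root",
    "StartCom Certification Authority",
    "StartCom Certification Authority G2",
})


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the chain leaf-first by following each cert's issuer to the cert
    with that subject.

    The leaf is the one certificate that no other certificate names as its
    issuer (a self-signed root names itself, so it is never the leaf). The
    walk stops when the issuer is not in the bundle (root not sent, the usual
    case) or when it would revisit a subject (self-signed root reached, or a
    cross-sign loop).
    """
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    issuers = {issuer for _, issuer in certs}
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered = [leaves[0]]
    seen = {leaves[0][0]}
    while True:
        _, issuer = ordered[-1]
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:
            break
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered


def distrusted_root_for(certs: List[Cert]) -> Optional[str]:
    """Return the CN of the distrusted root the chain ends at, or None.

    Whether or not the server included the root, the top cert's issuer CN
    names it: a self-signed root is its own issuer.
    """
    _, top_issuer = order_chain(certs)[-1]
    return top_issuer if top_issuer in DISTRUSTED_ROOT_CNS else None


# Constructed sample chains (intermediate names are hypothetical).
CHAIN_STARTCOM_NO_ROOT = [
    ("www.example.com", "StartCom Class 1 DV Server CA"),
    ("StartCom Class 1 DV Server CA", "StartCom Certification Authority"),
]
CHAIN_WOSIGN_UNORDERED_WITH_ROOT = [
    ("WoSign Class 3 OV Server CA", "Certification Authority of WoSign"),
    ("Certification Authority of WoSign", "Certification Authority of WoSign"),
    ("shop.example.org", "WoSign Class 3 OV Server CA"),
]
CHAIN_UNAFFECTED = [
    ("www.example.net", "Example Intermediate CA"),
    ("Example Intermediate CA", "Example Root CA"),
]

if __name__ == "__main__":
    for name, chain in [
        ("startcom, root omitted", CHAIN_STARTCOM_NO_ROOT),
        ("wosign, out of order, root sent", CHAIN_WOSIGN_UNORDERED_WITH_ROOT),
        ("unaffected", CHAIN_UNAFFECTED),
    ]:
        print(f"{name}: {distrusted_root_for(chain)}")
```

To feed it real data, capture the bundle with `openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null` and run `openssl x509 -noout -subject -issuer` over each PEM block. Matching on the CN alone is a coarse check meant to answer "am I affected"; a production audit should compare the full subject DN, or better the SHA-256 fingerprint of the root, since a CN by itself will not distinguish a cross-signed or renamed successor root from the removed one.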
Why All the Distrust?
If you’re looking for the complete run-down of the WoSign/StartCom fiasco, Vince covered it pretty extensively:
- WoSign Mis-Issued SHA-1 SSL Certificate [Updated]
- Woes Worse for WoSign
- Root Programs Still Deciding the Fate of WoSign
- WoSign and StartCom to be Separated
If you're looking for the short version, it's this: WoSign and StartCom, which by then were effectively one company (WoSign had quietly acquired StartCom), were caught mis-issuing SSL certificates, most notably backdating SHA-1 certificates to dodge the January 1, 2016 cutoff on SHA-1 issuance set by the CA/Browser Forum's Baseline Requirements. The CA/Browser Forum (CAB Forum) is the industry body of browser vendors and Certificate Authorities that writes the standards the browsers' root programs then enforce.
After Mozilla's public investigation and a series of discussions with the CAs, WoSign's CEO resigned and the browsers laid out a plan under which both CAs would be gradually distrusted, ending with removal of their roots from the trust stores.
As Mozilla announced yesterday, the final deadline is in January.