WoSign and StartCom to be Separated
WoSign’s CEO Richard Wang to Step Down Following Mis-Issuance.
Last week, Mozilla met with representatives from WoSign and StartCom to discuss their mis-issuances and violations of industry standards, including intentional circumvention of standards set by the Certificate Authority & Browser Forum (CA/B Forum), which all CAs abide by to remain “trusted” issuers of SSL certificates.
The meeting marked yet another stage in what has been a long investigation into violations by both CAs. QiHoo 360, the major Chinese security firm that owns both CAs, also attended.
Afterward, QiHoo 360 issued an updated incident report and proposal for fixing the issues at both CAs.
WoSign is now admitting that it back-dated 64 certificates and signed them with the now-outmoded SHA-1 hashing algorithm. Some of these – most notably certificates for the Australian payment processor Tyro.com – were intentionally back-dated with approval from Richard Wang, WoSign’s CEO.
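Back-dating works because browsers and auditors historically judged SHA-1 compliance by the certificate’s own notBefore field; the CA/B Forum Baseline Requirements forbade issuing SHA-1 certificates with a notBefore on or after 1 January 2016, so a certificate actually signed in mid-2016 but stamped with a 2015 date slips past a naive check. The audit logic below is an added example, not code from the article or from any root program; it assumes you have, for each certificate, the signature algorithm OID, the notBefore date, and an independent “first seen” timestamp (for example the SCT timestamp from a Certificate Transparency log), and it flags SHA-1 certificates whose notBefore predates the cutoff by more than a small clock-skew allowance while the certificate was not observed until after it. The `CertRecord` type, the `SAMPLE_RECORDS`, and the 7-day skew tolerance are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CA/B Forum Baseline Requirements: no SHA-1 end-entity certificates with
# notBefore on or after 2016-01-01.
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Signature algorithm OIDs that use SHA-1 (sha1WithRSAEncryption, ecdsa-with-SHA1).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a certificate for the audit (constructed type, not a real library API)."""
    serial: str            # hex serial, used only as an identifier in findings
    signature_oid: str     # dotted OID of the signature algorithm
    not_before: datetime   # the certificate's own notBefore field
    first_seen: datetime   # independent evidence of issuance time, e.g. a CT log SCT timestamp


def audit_sha1_backdating(records, cutoff=SHA1_ISSUANCE_CUTOFF,
                          max_skew=timedelta(days=7)):
    """Return (serial, reason) pairs for SHA-1 certificates that violate the cutoff.

    A certificate is suspect when it is SHA-1 signed, was first observed after the
    cutoff, and its notBefore is earlier than the observation by more than max_skew.
    Certificates first observed before the cutoff are assumed to be legitimately
    issued before the sunset and are not flagged.
    """
    findings = []
    for rec in records:
        if rec.signature_oid not in SHA1_SIG_OIDS:
            continue                                  # SHA-2 family: nothing to check here
        if rec.first_seen < cutoff:
            continue                                  # issued and logged before the sunset
        if rec.not_before >= cutoff:
            findings.append((rec.serial, "SHA-1 certificate issued after cutoff"))
        elif rec.first_seen - rec.not_before > max_skew:
            findings.append((rec.serial, "SHA-1 certificate with suspected back-dated notBefore"))
        # else: notBefore is just before the cutoff and observation is within skew; allowed
    return findings


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample records; serials and dates are illustrative only.
SAMPLE_RECORDS = [
    CertRecord("01", "1.2.840.113549.1.1.5", _utc(2015, 6, 1), _utc(2015, 6, 1)),     # legitimate pre-sunset SHA-1
    CertRecord("02", "1.2.840.113549.1.1.5", _utc(2015, 12, 20), _utc(2016, 7, 15)),  # SHA-1, dated 2015, seen mid-2016
    CertRecord("03", "1.2.840.113549.1.1.11", _utc(2016, 7, 15), _utc(2016, 7, 15)),  # sha256WithRSAEncryption: fine
    CertRecord("04", "1.2.840.113549.1.1.5", _utc(2016, 3, 1), _utc(2016, 3, 1)),     # SHA-1 openly issued after cutoff
    CertRecord("05", "1.2.840.113549.1.1.5", _utc(2015, 12, 30), _utc(2016, 1, 2)),   # within skew tolerance: allowed
]


def run_sample():
    """Run the audit over the constructed sample and return the findings."""
    return audit_sha1_backdating(SAMPLE_RECORDS)


if __name__ == "__main__":
    for serial, reason in run_sample():
        print(f"serial {serial}: {reason}")
```

The check only works because the first-seen timestamp comes from somewhere the issuer does not control; a notBefore compared against nothing but itself is exactly what back-dating defeats. Tuning `max_skew` trades false positives from ordinary clock drift against missing short back-dates.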
As a result, Richard Wang will be replaced as the CEO of WoSign, a position he held for 14 years according to LinkedIn. His replacement has not yet been named.
In addition, StartCom will be legally separated from WoSign—both CAs will now be individually owned by QiHoo 360. It may seem as though this is just a detail for the corporate lawyers to worry about, but the operation of a CA is material to discussions of mis-issuance and sanctions.
Currently, there is ongoing debate on Mozilla’s Security Policy mailing list about whether WoSign and StartCom should be punished separately, or as one entity.
There is no debate about whether WoSign is guilty of serious misconduct. Under the leadership of Richard Wang, WoSign was mis-managed, intentionally back-dated certificates, and put extremely flawed software into production.
Two of the most serious violations – the failures of the StartEncrypt software, which improperly implemented domain validation and allowed anyone to obtain certificates for certain sites, and the Tyro.com certificate – were technically committed by StartCom, under its name and root certificates.
But, is StartCom equally guilty?
Both those violations occurred under the leadership – and with the approval – of WoSign and Richard Wang.
Are these violations an extension of WoSign’s problems? Or is StartCom on the hook, regardless of who was operating the company at that time? If the two CAs are separated again, is there any reason to believe that StartCom will continue to be a threat to the Web PKI ecosystem?
In its report, QiHoo 360 wrote, “StartCom has been operating as a compliant, separate CA for many years and the only noted issue with StartCom (two backdated certificates issued in July 2016) was an action approved by WoSign CEO Richard Wang.”
Inigo Barreira (who worked for the Spanish CA Izenpe and recently joined StartCom) will become StartCom’s new CEO.
In addition to the new leadership, StartCom’s issuance systems will also be separated from WoSign’s. Mozilla has pointed to the unified software and issuance practices of WoSign and StartCom as evidence that the two CAs were virtually identical and should be treated as such.
There is good reason to believe that restoring StartCom’s independence and installing new leadership could sort out the CAs’ problems. But those arguing for equal punishment of both WoSign and StartCom are concerned about letting CAs off too lightly for major policy violations, and do not want to encourage companies that own multiple CAs to play complicated games with their legal registration and organizational structure to reduce risk in the event of violations.
QiHoo 360 would prefer sanctions against WoSign and StartCom to be “considered separately.” It is hoping to show the industry that by recognizing and separating the two CAs, it is committed to fixing the problems that have beset both companies.
Mozilla has said it will “consider” treating the two companies separately, although, “that does not preclude the possibility that [it] might decide to take the same action for both of them.”
Apple’s Root Program, which is rarely active in public debate, has already taken action and has spared StartCom (for now). The other major root programs – Google and Microsoft – are still undecided.