StartCom SSL has announced that it will no longer issue new digital certificates as of January 1, 2018, effectively closing the company, though CRL and OCSP services will continue for another two years until StartCom\u2019s three roots expire in 2020.<\/p>\n
This marks the end of an odd, perhaps even cautionary tale of how a once-trusted CA went kaput within about a year of the browsers distrusting it. Seriously, this would actually make for some pretty compelling drama because what happened to StartCom feels straight out of the pages of a novel. <\/span><\/p>\n StartCom SSL started off humbly enough in Israel as a small regional CA specializing in the Start SSL certificate, which was initially trusted around 2009\/2010. That\u2019s where the touchy-feely stuff ends though, as it was revealed by Mozilla in 2016 that the CA had been secretly acquired by the Chinese Certification Authority WoSign<\/a> Limited through multiple companies.<\/p>\n This is where the mistakes started getting made. Not so much by the StartCom founders (though it sounds like they may share some blame, too<\/a>), but by WoSign and its now deposed CEO, Richard Wang (if you\u2019re feeling particularly juvenile, I\u2019ll let you have a moment to enjoy that name).<\/p>\n If you\u2019ve been a reader of the blog for a while, you\u2019ll remember we covered WoSign\u2019s many mistakes in depth last yea<\/a>r. But, if you need a refresher, it goes something like this:<\/p>\n WoSign was caught backdating SSL certificates so that it could sign them with the SHA-1 hashing algorithm and not have them be detected by browsers. This is a big no-no, mostly because it\u2019s patently unsafe, but also because the browsers really don\u2019t like it when you try to trick them.<\/p>\n<\/span><\/span>\n SHA-1, short for Secure Hash Algorithm 1, is a cryptographic hash function that was originally designed by the NSA. Unfortunately, it was deprecated a couple of years ago. Industry standards now demand that all SSL certificates be signed using SHA-2, its successor.<\/p>\n WoSign knew that it wasn\u2019t supposed to be issuing SSL certificates that still use SHA-1, it knew that any SHA-1 certificate issued after the deadline wouldn\u2019t be publicly trusted by the web browsers. So, WoSign got sneaky and backdated a bunch of them to try to get them by the browsers unnoticed.<\/p>\n Unfortunately, Mozilla figured it out.<\/p>\n Well, during the investigation into WoSign\u2019s mis-issuances, Mozilla was able to essentially discern that WoSign had acquired StartCom via various publicly available business documents and by investigating the back end systems that the two companies were using.<\/p>\n This is where things started breaking down for StartCom.<\/p>\n First of all, WoSign and StartCom, though not in violation of any laws, seemed to have little interest in transparency. Despite evidence to the contrary, WoSign\u2019s CEO, Mr. Wang, continued to say no acquisition had occurred and the two CAs continued to vote in the CA\/B Forum \u2013 the industry\u2019s regulatory body \u2013 as separate entities despite effectively being a single company.<\/p>\nHow Did StartCom SSL Get Here?<\/h2>\n
So, How does StartCom SSL Fit In?<\/h2>\n