Menu
Certificate policy violations force reform at StartCom and WoSign

Certificate policy violations force reform at StartCom and WoSign

The two CAs will be separated and their CEO will be replaced

The top management of StartCom and WoSign will be replaced and the two certificate authorities will undergo audits after browser vendors discovered that they mis-issued many digital certificates, violating industry rules.

The investigation launched by Mozilla led to the discovery of 13 instances where China-based WoSign and its subsidiary StartCom issued certificates with various types of problems. Evidence was also found that both CAs issued certificates signed with the SHA-1 algorithm after Jan. 1 in violation of industry rules and intentionally backdated them to avoid being caught.

As a result, Mozilla said that it has lost faith in the ability of WoSign and StartCom to correctly carry out the functions of a CA and announced that it will stop trusting new certificates from the two companies. Apple followed suit and announced its own ban for future WoSign and StartCom certificates last week.

WoSign provided explanations for all of the discovered issues in a detailed response Friday and admitted that it had issued 64 backdated certificates, 42 intentionally. This will cost the WoSign CEO, Richard Wang, his job.

"WoSign acknowledges it made a serious mistake of issuing 64 backdated certificates. It is the responsibility of the WoSign CEO to maintain technical and operational veracity according to CA standards (including no backdating) and there was a failure to do so," WoSign said in its response. "WoSign was contacted by customers requesting SHA-1 and WoSign made a mistake to approve of backdated certificates. During mid 2016, StartCom was contacted by Tyro for a SHA-1 certificate and Richard Wang approved the issuance, which was a mistake."

The company said that the decision to backdate certificates was taken to help desperate customers in China who could no longer obtain SHA-1 certificates and were having trouble supporting the millions of computers in the country that still use Windows XP with Service Pack 2.

Chinese Internet security company Qihoo 360, which owns a majority stake in WoSign and implicitly in StartCom, has stepped in and decided to separate the two CAs.

"360’s Corporate Development team has been notified to execute the process to legally separate Wosign and Startcom and to begin executing personnel reassignments," the company said. "StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360). StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom Europe). Richard Wang will be relieved of his duties as CEO of WoSign."

Qihoo 360 noted that StartCom has been operating as a compliant CA for many years and that its only error after being acquired by WoSign was to issue two backdated certificates with Wang's approval.

Because of this the company wants StartCom to be completely separated and to report directly to Qihoo. It also wants browser vendors to consider the repercussions for this incident separately for WoSign and StartCom. The latter is preparing its own response and go-forward plan.

StartCom was founded in 1999 in Israel and has been the first CA to offer free digital certificates. Most of the company's customers are from outside China, unlike WoSign's. A ban on future StartCom certificates would force many organizations in Europe, North America and elsewhere to search for new certificate providers when their existing certificates expire.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments