Monday, October 31, 2016

Google and Mozilla announced distrust of WoSign and StartCom

Google stated that:
"Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted."
Mozilla stated that:
"If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later."
Apple already distrusted WoSign but has so far taken no action on StartCom.

Microsoft has made no announcement regarding WoSign or StartCom. I called for Microsoft to distrust WoSign and StartCom to follow the same steps taken by other root stores to protect its users.

Saturday, October 1, 2016

Apple announces block of WoSign

In light of Mozilla's findings listed at https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview and https://wiki.mozilla.org/CA:WoSign_Issues, Apple has decided to block WoSign from its products.

"In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.
To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion." https://support.apple.com/en-us/HT204132
I applaud Apple's swift action and hope other browser vendors follow up as soon as possible. Mozilla's final decision is pending till Qihoo 360 (WoSign's dominant shareholder), StartCom and Mozilla's in-person meeting next Tuesday.