Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of violations, including backdating SHA -1 certificates in order to subvert deprecating certs from being trusted.
According to a report published by Mozilla on Monday, WoSign failed to report its acquisition of SmartCom and has also been accused of mis-issuing digital certificates for GitHub, allowing arbitrary domain names to be securely signed without ever performing any type of validation.
“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” they went on to add “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.” Reads the report published by Mozilla.
In order to avoid impacting existing users, Mozilla has said that they will only distrust newly issued certificates as both CAs have to date issued a large number of certificates.
“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla said. “We believe that the behavior documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market.”
SHA-1 has been long considered a weak algorithm and most of the major players in the browser market are taking steps to phase out its integration.
Microsoft looks poised to phase out the outdated algorithm on their Edge and Internet Explorer products in February of next year, with Mozilla’s Firefox and Google’s Chrome browsers not trusting any SHA-1 certificates with a notBefore date of January 1st 2016.
Mozilla commented that unscrupulous Certificate Authorities could backdate their certificates in order to bypass this restriction, something that WoSign have been found culpable of on 62 certificates that were issued in 2016.
Their investigation reported that a number of certificates were found containing as issue date of December 20th 2015 which contradicts their typical patterns of assignment during working days.
“We think it is highly unlikely that WoSign employees decided to go to work on that particular Sunday for a marathon 24-hour period and approve an unprecedented number of Type Y certificate requests,” Mozilla said. “We think it is more plausible that for those certificates, the notBefore date does not reflect the actual date of certificate creation, and that these certificates were created in 2016 (or the last day of 2015) and back-dated.”
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
(Security Affairs – Mozilla, PKI)