As it stands, the HTTPS "encrypted web" is built on trust. We use browsers that trust that Certificate Authorities secure their infrastructure and deliver TLS certificates (1) only after validating and verifying the request correctly.
It's all about trust. Browsers trust those CA root certificates and in turn, they accept the certificates that the CA issues.
Update: it's less bad than it sounds, see comments below.
(1) Let's all agree to never call it SSL certificates ever again.
Revoking trust
Once in a while, Certificate Authorities misbehave. They might have bugs in their validation procedures that have led to TLS certificates being issued for domains the requester had no control over. It's happened for Github.com, Gmail, ... you can probably guess the likely targets.
When that happens, an investigation is performed -- in the open -- to ensure the CA has taken adequate measures to prevent it from happening again. But sometimes, those CAs don't cooperate. That is the case with StartCom (StartSSL) and WoSign, whose certificates will start to show as invalid in the next Chrome update.
Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy.
This view is similar to the recent announcements by the root certificate programs of both Apple and Mozilla.
So Apple (Safari), Mozilla (Firefox) and Google (Chrome) are about to stop trusting the StartCom & WoSign TLS certificates.
From that point forward, those sites will look like this.

With Mozilla, Chrome & Safari, that's 80% of the browser market share blocking those Certificate Authorities.
Staged removal of CA trust
Chrome is handling the update sensibly: it'll start distrusting the most recent certificates first, and gradually block the entire CA.
Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. [..]
In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs.
If you purchased a TLS certificate from either of those 2 CAs in the last 2 months, it won't work in Chrome, Firefox or Safari.
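To see the staged cut-off in practice, here is an added Python example (not from the original post) that applies the Chrome 56 rule to the output of `openssl x509 -noout -issuer -startdate`. It assumes the affected issuers carry "WoSign" or "StartCom" in their O= field; the sample openssl outputs are constructed, not taken from real certificates.

```python
import re
from datetime import datetime, timezone

# Cut-off from the Chrome announcement quoted above: WoSign/StartCom
# certificates issued from this instant onward are distrusted in Chrome 56.
CUTOFF = datetime(2016, 10, 21, 0, 0, 0, tzinfo=timezone.utc)
# Matched as substrings of the issuer's O= field (assumption: the real
# issuer names contain these words, as the known roots do).
DISTRUSTED_CAS = ("WoSign", "StartCom")

def parse_openssl_output(text):
    """Extract (issuer O=, notBefore) from `openssl x509 -noout -issuer -startdate`
    output, in both the legacy 'issuer= /C=CN/O=...' and the newer
    'issuer=C = CN, O = ...' spellings of the issuer line."""
    lines = text.splitlines()
    issuer = next(l[len("issuer="):] for l in lines if l.startswith("issuer="))
    m = re.search(r"(?:^|/|,\s*)O\s*=\s*([^/,]+)", issuer)
    org = m.group(1).strip() if m else ""
    start = next(l[len("notBefore="):] for l in lines if l.startswith("notBefore="))
    not_before = datetime.strptime(start.strip(), "%b %d %H:%M:%S %Y %Z")
    return org, not_before.replace(tzinfo=timezone.utc)

def chrome56_verdict(org, not_before):
    """Apply the staged rule: 'unaffected' for other CAs, 'distrusted' for
    WoSign/StartCom certs issued on/after the cut-off, 'trusted-for-now'
    for older ones (which later Chrome releases will remove as well)."""
    if not any(ca in org for ca in DISTRUSTED_CAS):
        return "unaffected"
    return "distrusted" if not_before >= CUTOFF else "trusted-for-now"

def check(openssl_text):
    return chrome56_verdict(*parse_openssl_output(openssl_text))

# Constructed sample outputs (not real certificates), one per issuer format.
SAMPLE_NEW_FORMAT = """issuer=C = CN, O = WoSign CA Limited, CN = Example Issuing CA
notBefore=Nov  3 09:12:41 2016 GMT
"""
SAMPLE_OLD_FORMAT = """issuer= /C=IL/O=StartCom Ltd./CN=Example Class 1 Server CA
notBefore=Sep 30 08:00:00 2016 GMT
"""
SAMPLE_OTHER_CA = """issuer=C = US, O = Example Trust Services, CN = Example CA
notBefore=Dec  1 00:00:00 2016 GMT
"""

if __name__ == "__main__":
    for name, sample in {"new": SAMPLE_NEW_FORMAT, "old": SAMPLE_OLD_FORMAT,
                         "other": SAMPLE_OTHER_CA}.items():
        print(name, "->", check(sample))
```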
Customer Transparency
Those 3 browsers have essentially just bankrupted those 2 CAs. Surely, if your certificates are not going to be accepted by 80% of the browsers, you're out of business -- right?
Those companies don't see it that way, apparently, as they still sell new certificates online.

This is pure fraud: they're willingly selling certificates that are known to stop working in all major browsers.
Things like that piss me off, because only a handful of IT experts know that those Certificate Authorities are essentially worthless. But they're still willing to accept money from unsuspecting individuals wishing to secure their sites.
I guess they proved once again why they should be distrusted in the first place.
Guilt by Association
Part of the irony is that StartCom, which runs StartSSL, didn't actually do anything wrong. But a few years ago, they were bought by WoSign. In that process, StartCom replaced its own process and staff with those of WoSign, essentially copying the bad practices that WoSign had.
If StartCom hadn't been bought by WoSign, they'd still be in business.
I'm looking forward to the days when we have an easy-to-use, secure, decentralized alternative to Certificate Authorities.
Comments
akafusi Tuesday, January 17, 2017 at 14:10 -
“I guess they proved once again why they should be distrusted in the first place.” It’s funny, they are very artful.
Alan Tuesday, January 17, 2017 at 14:13 -
WoSign: updated report and discussion
trumbaut Wednesday, January 18, 2017 at 12:55 -
I agree StartCom’s communication is not what you can expect. However, they do communicate about this issue (nuancing the verdict above a little bit):
– Right below their product table (of which you made a screenshot), there is a little but important notice:
– On their public news channel, they provide some information (https://startssl.com/NewsDetails?date=20161103).
– Once logged in to their control panel, we have some more details:
Anon Sunday, January 29, 2017 at 04:56 -
Nope. Do you think they are the first CA to get removed? They’re not.
There are other uses for certificates than what you have listed and one can always add the root back in themselves so it is trusted. If someone wanted certificates to be used internally without running their own CA, this is easily doable.
There is no such thing as SSL or TLS certificates, they are one and the same. How about we use the real name for it: X.509! SSL and TLS are protocols.
Well, they are still in business. Just because they are not trusted doesn’t mean they will go out of business. They can make changes to their policies and get back in the good graces of the browsers. Google threatened Symantec a few years ago when they had some issues. Google gave Symantec a chance to fix their ways. I expect that StartCom will be back in as a trusted CA in the future. While they were removed, they just need to follow the rules and reapply to be trusted.
Then how do you have a trust relationship when it is decentralized? Does everyone need to pick who they want to trust?
So people shouldn’t do their own research? A handful of IT experts? More than a handful know this and anyone that is an expert when it comes to X.509 knew this, if they didn’t, they are not an expert.
Paul Thursday, February 2, 2017 at 16:26 -
Or, call it by what it exactly is; x.509 certificate.
idot Monday, April 10, 2017 at 06:47 -
The author is an idiot.
Daniel Marschall Wednesday, May 3, 2017 at 19:58 -
You blame them for selling their certs? What do you expect them to do? Giving up and going bankrupt? Or ask yourself: what would you do if you were StartCom? Wouldn’t you try to survive?
Paul Tuesday, August 1, 2017 at 08:05 -
I would find out what is wrong with my certs and why they are bad and fix it before trying to sell more, but I guess not everyone cares about that.
Ariq Naufal Saturday, January 27, 2018 at 05:35 -
So, what browser still accepts WoSign SSL? My campus’ webmail uses WoSign SSL; since it’s revoked I can’t access it on Firefox and Chrome. :(