On Friday, September 30th, Apple announced that it is about to stop trusting digital certificates issued by the Chinese Certificate Authority (CA) WoSign. The decision is based on a report that Mozilla published on September 26th.
The report listed a number of incidents involving WoSign, China's biggest CA, and StartCom, the Israeli CA it bought last year.
Mozilla found that, to get around the prohibition on issuing SHA-1 certificates that took effect on January 1st, 2016, WoSign had back-dated SHA-1-signed certificates to December 2015, so that browsers, which key their SHA-1 rejection on the certificate's notBefore date, would still accept them. Moreover, according to Mozilla, WoSign had also included arbitrary domain names in certificates without proper verification. Last but not least, Mozilla found that WoSign had concealed its acquisition of StartCom, which runs on WoSign's infrastructure and had also back-dated certificates.
After the report was published, Mozilla said it was considering punishing WoSign and StartCom with a one-year ban on their certificates. If approved, the ban would not apply to certificates already in use, only to new ones issued by WoSign and StartCom. Even a one-year ban would amount to a death sentence for a CA if the other browser makers adopted it.
While Mozilla was still weighing its penalty, Apple, which is also a member of the CA/Browser Forum, wasted no time and banned WoSign's intermediate certificates. The company posted on its website that it is banning all WoSign certificates issued after September 19th (existing certificates from that intermediate stay trusted only if they were published to public Certificate Transparency logs by that date); the ban affects certificates on both OS X and iOS.
Although Apple never trusted WoSign's root certificates, WoSign's intermediate had been cross-signed by StartCom and Comodo, whose roots Apple does trust, so certificates chaining through it were accepted on Apple devices. It is these cross-signed intermediate certificates that are now being banned.
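To make the cross-signing mechanism concrete, here is an added illustration written for this page (it is not code from Apple, WoSign, Mozilla or any of the CAs involved). It builds a toy PKI with openssl: a root the client does not trust (standing in for WoSign's own root, which Apple never shipped), a second root the client does trust (standing in for the StartCom or Comodo root), one intermediate key signed by both roots, and a leaf certificate. It then shows that a client trusting only the second root accepts the leaf through the cross-signed copy of the intermediate and rejects it through the other copy, and that blocking the intermediate by the hash of its public key (SPKI) rejects both copies, whereas a block keyed on one certificate's fingerprint would catch only that copy, since the two cross-signed certificates share a key but differ as certificates. All names (Toy rootA, Toy rootB, Toy Intermediate, example.test) are invented; the script assumes openssl 1.1.1 or later on PATH and writes its files to a temporary directory.

```shell
#!/bin/sh
# Added example (not Apple's, WoSign's or Mozilla's code): a toy PKI showing how an
# intermediate cross-signed by a root the client trusts is accepted even though the
# intermediate's "home" root is unknown to the client, and how blocking the
# intermediate by its public key catches every cross-signed copy of it.
# All names are invented. Assumes openssl 1.1.1 or later on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# _req <name> <subject>: fresh P-256 key plus CSR, using a minimal config so the
# result does not depend on the system openssl.cnf.
_req() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"
    openssl req -new -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# build_pki: rootA (not trusted by the client, like a WoSign root on Apple devices),
# rootB (trusted by the client, playing the cross-signing CA), one intermediate key
# signed by BOTH roots, and a leaf signed with the intermediate key.
build_pki() {
    [ -f "$WORK/leaf.crt" ] && return 0
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"
    for r in rootA rootB; do
        _req "$r" "/CN=Toy $r"
        openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -out "$WORK/$r.crt" \
            -days 30 -extfile "$WORK/ca.ext" 2>/dev/null
    done
    _req inter "/CN=Toy Intermediate"
    for r in rootA rootB; do   # same CSR, hence same key, signed by each root in turn
        openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/$r.crt" -CAkey "$WORK/$r.key" \
            -CAcreateserial -out "$WORK/inter_by_$r.crt" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null
    done
    _req leaf "/CN=example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter_by_rootA.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/leaf.crt" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# verify_chain <trusted_root> <intermediate> <leaf>: 0 when the leaf chains to the
# trusted root through the supplied intermediate, non-zero otherwise. The system
# trust store is disabled so only the given root counts.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# cert_sha256 <cert>: fingerprint of the whole certificate (differs per cross-sign).
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# spki_sha256 <cert>: SHA-256 of the SubjectPublicKeyInfo (identical for every
# certificate issued to the same key, whichever root signed it).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_chain_blocking <blocked_spki> <trusted_root> <intermediate> <leaf>:
# 2 when the intermediate's key is on the blocklist, otherwise verify_chain's status.
verify_chain_blocking() {
    if [ "$(spki_sha256 "$3")" = "$1" ]; then
        return 2
    fi
    verify_chain "$2" "$3" "$4"
}

build_pki
BLOCKED="$(spki_sha256 "$WORK/inter_by_rootA.crt")"
if verify_chain "$WORK/rootB.crt" "$WORK/inter_by_rootB.crt" "$WORK/leaf.crt"; then
    echo "via cross-signed intermediate and trusted rootB: accepted"
fi
if ! verify_chain "$WORK/rootB.crt" "$WORK/inter_by_rootA.crt" "$WORK/leaf.crt"; then
    echo "via intermediate issued by unknown rootA: rejected"
fi
echo "fingerprints differ: $(cert_sha256 "$WORK/inter_by_rootA.crt") vs $(cert_sha256 "$WORK/inter_by_rootB.crt")"
echo "SPKI hash shared:    $(spki_sha256 "$WORK/inter_by_rootB.crt")"
rc=0; verify_chain_blocking "$BLOCKED" "$WORK/rootB.crt" "$WORK/inter_by_rootB.crt" "$WORK/leaf.crt" || rc=$?
echo "cross-signed path with the intermediate key blocked: status $rc (2 = blocked)"
```

Run it as a script; it prints the four outcomes. The last one is the practical point: the blocklist entry was taken from the rootA-signed copy of the intermediate, yet it rejects the chain through the rootB-signed copy, because both certificates carry the same public key. A distrust entry keyed on one certificate's fingerprint would miss the other copy.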
Apple said nothing about banning StartCom certificates, which remain trusted, at least for now. Nor did the company say whether the ban is permanent or could be lifted in the future. It did clarify that the ban will take effect with the next Apple security update, which is scheduled for the middle of October.
The company also added that, as the Mozilla investigation continues, the ban could be extended to other Apple products as well.
This week Mozilla will meet with WoSign and StartCom representatives, after which it will make a final decision on the one-year ban.
Meanwhile, WoSign has finally publicly admitted the StartCom acquisition and is doing everything it can to avoid Mozilla's sanction. If it fails and ends up banned, the company's existence will be on the line, since other browser makers such as Google or Microsoft could follow Mozilla's lead.