Controversial Chinese certificate authority (CA) StartCom has decided to close, after several major browser makers lost confidence in the company.
Over the past year, Mozilla, Google, Microsoft and Apple have all begun the process of distrusting certificates from the firm and its parent company WoSign, removing their root certificates and refusing to accept newly issued certs.
The firm had this in a statement:
“Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA).
From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1, 2018. Starting 2020, all remaining valid certificates will be revoked.”
The browser makers made their decision after uncovering poor standards of practice at WoSign and StartCom. Microsoft said that this included “back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations”.
Kevin Bocek, chief cybersecurity strategist at Venafi, argued that the two firms have “made a mockery of the global system of trust” on which the internet is based.
"As with CNNIC before it, reliance on StartCom certificates left businesses and consumers vulnerable. This is a reminder for businesses as to why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important,” he added.
“Moreover, speed and agility in protecting machine identities — being able to take control and immediately and automatically change out affected certificates — is needed now more than ever.”
The Chinese CAs aren’t the only ones affected by big decisions like these from the browser makers.
Google is in the process of removing trust from Symantec certificates, a decision which forced the security giant to sell its certificates business this year to DigiCert.