Microsoft has banned security certificates issued by Chinese CAs WoSign and StartCom, citing several ‘unacceptable security practices’ followed by the two CAs.
Digital security certificates issued by WoSign and StartCom are also banned by Google, Apple and Mozilla thanks to multiple guideline violations.
In a blog post published on Tuesday, Microsoft announced that it would not accept any fresh security certificates issued by Chinese Certificate Authorities WoSign and StartCom. This was because the two certificate authorities (CAs) had failed to adhere to the standards required by Microsoft’s Trusted Root Program.
Non-compliant activities by the two Chinese CAs included ‘back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations’.
Microsoft will allow existing security certificates issued by WoSign and StartCom to function until they self-expire. However, all security certificates issued by them after 26th September will not be accepted by Windows 10.
‘Microsoft values the global Certificate Authority community and only makes these decisions after careful consideration as to what is best for the security of our users,’ said the software giant.
The move is part of Microsoft’s intent to boot out websites and apps that carry poor security credentials. Security certificates issued by WoSign and StartCom mislead customers into believing that they are using apps with the latest security ratings, and are thus endangering the security of Microsoft’s customers.
Back in May, Microsoft announced that it would stop websites with poor security certificates from loading in Microsoft Edge and Internet Explorer 11 browsers. The company added that websites protected by SHA-1 security certificates would display invalid certificate warnings on the two browsers.
“The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original,” said Microsoft in May.
“At Microsoft, the Security Development Lifecycle has required Microsoft to no longer use the SHA-1 hashing algorithm as a default in Microsoft software,” the company added.
Even though Microsoft’s banning of security certificates issued by WoSign and StartCom is a welcome move, Kevin Bocek, Chief Cyber-Security Strategist at Venafi, believes that the decision is a belated one, considering that Google, Apple and Mozilla had banned the two CAs last year.
“WoSign and StartCom, their secretly acquired subsidiary, have made a mockery of the global system of trust that runs e-commerce globally and allows us to safely run downloaded apps on our computers. Microsoft are following in the footsteps of Mozilla, Google, and Apple in obliterating WoSign and StartCom as being trusted for users,” Bocek says.
“It would appear impossible for both CAs to pass an auditor’s examination to operate as a trusted CA. This is a reminder for businesses why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important. No business should be stuck waiting for Microsoft, Google, and Apple to take action,” he adds.
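The distrust rule described above (existing WoSign and StartCom certificates keep working, anything they issue after the cutoff is refused, SHA-1 signatures are rejected) and Bocek's point about automating CA blacklisting can be expressed as a small policy check. The following is an added example, not code from Microsoft or Venafi; the certificate records are constructed metadata rather than real certificates, and the cutoff year 2017 is an assumption because the article gives only the day and month.

```python
from collections import Counter
from datetime import datetime, timezone

# Policy values from the article; the year 2017 is an assumption (the article says only "26th September").
DISTRUSTED_ISSUERS = {"WoSign", "StartCom"}
ISSUANCE_CUTOFF = datetime(2017, 9, 26, 23, 59, 59, tzinfo=timezone.utc)
SHA1_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

def parse_x509_time(value):
    """Parse an X.509 validity time: UTCTime 'YYMMDDhhmmssZ' or GeneralizedTime 'YYYYMMDDhhmmssZ'.
    RFC 5280 maps two-digit UTCTime years 50-99 to 19xx and 00-49 to 20xx."""
    if len(value) == 13:
        value = ("19" if int(value[:2]) >= 50 else "20") + value
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate(cert):
    """Apply the distrust rule to one certificate (a dict of already-parsed fields).
    Certificates from a distrusted CA issued on or before the cutoff are still accepted
    until they expire; anything issued later, or signed with SHA-1, is rejected."""
    reasons = []
    if cert["issuer_org"] in DISTRUSTED_ISSUERS and parse_x509_time(cert["not_before"]) > ISSUANCE_CUTOFF:
        reasons.append(f"issued by {cert['issuer_org']} after {ISSUANCE_CUTOFF.date()}")
    if cert["sig_alg"] in SHA1_SIGNATURE_ALGORITHMS:
        reasons.append("SHA-1 signature, exposed to collision attacks")
    return ("reject" if reasons else "accept"), reasons

def duplicate_serials(certs):
    """Serial numbers reused under one issuer, one of the BR violations the article lists."""
    counts = Counter((c["issuer_org"], c["serial"]) for c in certs)
    return {key: n for key, n in counts.items() if n > 1}

# Constructed sample metadata (not real certificates); serial "01" is deliberately reused by WoSign.
SAMPLE_CERTS = [
    {"subject": "a.example", "issuer_org": "WoSign", "serial": "01", "not_before": "170920000000Z", "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "b.example", "issuer_org": "WoSign", "serial": "02", "not_before": "171001000000Z", "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "c.example", "issuer_org": "StartCom", "serial": "01", "not_before": "20171101000000Z", "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "d.example", "issuer_org": "WoSign", "serial": "01", "not_before": "160301000000Z", "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "e.example", "issuer_org": "Example CA", "serial": "7f", "not_before": "180101000000Z", "sig_alg": "sha256WithRSAEncryption"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        verdict, reasons = evaluate(cert)
        print(cert["subject"], verdict, "; ".join(reasons))
    print("duplicate serials:", duplicate_serials(SAMPLE_CERTS))
```

In practice the fields would come from a parsed certificate (issuer organizationName, notBefore, signatureAlgorithm, serialNumber) during chain validation or a periodic inventory scan.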