After it failed to win back the trust of the four major global web browsers, website security certificate issuer StartCom has announced that it will stop issuing fresh certificates from next year.
Major firms like Google, Apple, Microsoft and Mozilla banned security certificates issued by StartCom after they noted multiple guideline violations.
Website security certificates issued by StartCom and its parent company WoSign have been on the radar of several technology firms for some time. Over the past year, these firms have noted several guideline violations committed by the two CAs.
Such violations included ‘back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations’.
Back in August, Microsoft announced that it would allow existing security certificates issued by WoSign and StartCom to function until they self-expire. However, all security certificates issued by them after 26th September will not be accepted by Windows 10.
‘Microsoft values the global Certificate Authority community and only makes these decisions after careful consideration as to what is best for the security of our users,’ said the software giant.
Having failed to win back the trust of major technology firms, StartCom today announced that it will stop issuing fresh certificates from next year, with a view to terminating its operations in 2020.
‘Around a year ago the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores, and not accept new end entity certificates issued by StartCom.
‘Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority,’ the Chinese firm said.
When Microsoft banned security certificates issued by WoSign and StartCom, Kevin Bocek, Chief Cyber-Security Strategist at Venafi, termed the decision a belated one considering that Google, Apple and Mozilla had banned the two CAs last year.
‘WoSign and StartCom, their secretly acquired subsidiary, have made a mockery of the global system of trust that runs e-commerce globally and allows us to safely run downloaded apps on our computers. It would appear impossible for both CAs to pass an auditor’s examination to operate as a trusted CA,’ he said.
Commenting on StartCom’s decision to stop issuing fresh certificates and to wind down its operations, Bocek told TEISS today that considering how businesses and consumers were rendered vulnerable due to their reliance on StartCom certificates, the firm’s decision is a welcome move.
‘This is a reminder for businesses as to why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important. Moreover, speed and agility in protecting machine identities – being able to take control and immediately and automatically change out affected certificates – is needed now more than ever,’ he added.