Mozilla Firefox to remove Wosign/StartSSL as a trusted Certificate Authority
The Mozilla Foundation is proposing (to some concrete degree) to begin distrusting Startcom and Wosign for their incredibly unethical business practices and continued failures to appropriately act in a transparent manner, in addition to numerous breaches of CA integrity.
I personally would recommend moving away from them in the future in case this actually goes through, and considering Wosign/Startcom's track record, it will eventually, if not soon.
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ
Comments
The important bits:
In other words: this is probably the end of StartCom/WoSign.
Huh, surprised this isn't getting more attention considering that there's still a lot of folks using WoSign and StartSSL certificates for their websites.
It's too bad StartCom got bought by WoSign and ended up in this mess with them. I currently use WoSign (I think lowendtalk was the place I first heard of them), but I started with StartSSL/StartCom.
Presumably, my certificate will continue to work for now, since Mozilla is saying they'll continue trusting WoSign certificates created before a certain date. But I've wanted to move to Let's Encrypt ever since they went public, so this is the added push I needed to get the ball rolling.
P.S. I wrote a detailed account about one of their vulnerabilities that I found.
Great read, thanks for sharing.
You may want to consider the fact that a number of people have blacklisted wosign and startcom CA certs in their browsers manually since this came to light.
I'd say that's more of a minority than the majority of Mozilla users, but seeing as they're blocking only new certificates, I feel a lot more at ease regarding these certificates.
In addition, the requirements for re-admittance to the trusted CA root at Mozilla are pretty stringent for what it is, so it's probably still a wise idea to migrate away from WoSign/StartCom.
I've long since moved over to Let's Encrypt. Yea... The 90 day thing can be a pain. Until you get it automated anyway, which is what I've got going on. Script runs like once a week to check. That's usually plenty of time and gives it a couple of tries to get it in before expiring.
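The weekly check-and-renew routine described above, written out as an added example (not the poster's own script): it uses `openssl x509 -checkend` to decide whether the certificate expires within a renewal window and retries the renewal command a few times. The certificate path and the renewal command are placeholders to be replaced with your ACME client's invocation.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl is installed.
CERT="${CERT:-/etc/ssl/example.pem}"                # hypothetical path
RENEW_CMD="${RENEW_CMD:-echo renew-placeholder}"    # hypothetical ACME client command
RENEW_DAYS="${RENEW_DAYS:-30}"                      # renew when fewer days than this remain
MAX_TRIES="${MAX_TRIES:-3}"                         # attempts per run

# needs_renewal CERT DAYS -> returns 0 (true) when the certificate expires
# within DAYS days, is already expired, or cannot be read; 1 otherwise.
needs_renewal() {
  _cert="$1"; _days="$2"
  [ -r "$_cert" ] || return 0
  if openssl x509 -in "$_cert" -noout -checkend $(( _days * 86400 )) >/dev/null 2>&1; then
    return 1    # still valid beyond the window
  fi
  return 0
}

# renew_with_retries CMD TRIES -> runs CMD up to TRIES times,
# returns 0 on the first success, 1 if every attempt failed.
renew_with_retries() {
  _cmd="$1"; _tries="$2"; _n=1
  while [ "$_n" -le "$_tries" ]; do
    if sh -c "$_cmd"; then
      return 0
    fi
    _n=$(( _n + 1 ))
  done
  return 1
}

# Entry point for the weekly cron job.
main() {
  if needs_renewal "$CERT" "$RENEW_DAYS"; then
    renew_with_retries "$RENEW_CMD" "$MAX_TRIES"
  else
    echo "certificate valid for more than $RENEW_DAYS days; nothing to do"
  fi
}

case "${1:-}" in
  --run) main ;;
esac
```

Schedule it with `--run` from cron so a single failed attempt still leaves later runs before expiry.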
Apple says "fuck off" to WoSign too:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI
They're not fucking around, damn.
Btw we can check if any particular WoSign cert is published there, via this Google website. Also useful to verify there's no rogue certs for your domains issued by anyone. Just checked my WoSign ones, all are on the CT log, so I can just keep using them till expiration (almost 3 years remaining!)
I've been using startcom for several years now, have been using class two for just about 4 years. I really like the convenience of having wildcard certificates for my domain, but it looks like I'll be moving to Let's Encrypt soon. I refuse to spend $250+ for a wildcard for just one domain.
Dude, they're sold legitimately for as low as $25 at some places
Didn't really look that hard, looked at RapidSSL, Namecheap, and Comodo.
Cheapest I found was $49/year; still, the $60 I spent at startcom got me 7 wildcard certificates, each valid for 2 years.
I think it's a shame the whole free SSL certs (no strings attached) and the verified ones got so messed up; a lot of users like you went through the annoying verification process, including fees, and are now left empty-handed... :-(
I was using the free domain-verified certs, but I run a lot of self-hosted apps under many host names and got tired of managing many certificates. It sucks that wosign had to mess everything up. Let's Encrypt seems like my last option, though most of my stuff is behind proxies and getting Let's Encrypt to verify was getting difficult when I tried it a few months ago. Hopefully things have improved since then.