In the last few months, the SSL industry was rocked by news of Symantec selling its SSL business to DigiCert.

It was a shock because few would have imagined it could happen.

But just because we never imagined it possible, it doesn’t mean that the acquisition was improbable.

Last week, more news surfaced about the long battle that StartCom has been enduring to gain the trust of browsers.

StartCom SSL and WoSign

Few know this, but WoSign owns StartCom SSL. This, believe it or not, was one of the reasons why StartCom’s roots are also to be distrusted by Mozilla.

Here’s why:

According to Mozilla’s policy, the acquisition should have been disclosed but wasn’t, and representatives from WoSign and StartCom SSL denied the acquisition.

But that’s just one reason.

WoSign was also caught backdating certificates to circumvent the SHA-1 deadline – a serious infringement.

SHA-1 (Secure Hash Algorithm 1) is a hash algorithm that was deemed weak over a decade ago, and as such, plans were made to penalise all SHA-1 certificates.

Why would WoSign do this?

We can’t say for certain, but we do know that they knew it was a bad idea. The end of SHA-1 roots was widely publicised and many certificate authorities did their part to migrate customers over to more secure SHA-2 certificates.

What’s Google doing about this?

Like Mozilla, Google has acted. In fact, Google was initially on to WoSign for another infringement.

In August of 2016, Google learned from GitHub’s security team that WoSign had issued an SSL certificate to the GitHub domain without their authorisation.

An investigation later found that WoSign had known about the infringement, but that more certificates had been issued.

StartCom to shut down operations

StartCom is closing its doors; however, its Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) services will work for the next two years, after which StartCom’s three roots will expire.

This will be in the year 2020.

“Distrusting roots?”

The act of distrusting a CA root takes place when a browser or group of browsers determines that a CA has committed a serious offence, one that makes it untrustworthy.

The browser(s) then systematically distrust the roots of the CA.

This means that when your browser goes through an update (which happens automatically when you start your browser) and you visit a website that has a certificate from a CA that is no longer trusted, you’ll receive an error message.

Distrusting a CA’s roots is basically a death sentence. Without trusted roots in browsers, CAs are useless.

In Symantec’s case, the infringement was the mis-issuance of SSL certificates.

Browsers that have already distrusted WoSign and StartCom roots include Google Chrome, Mozilla Firefox, Apple Safari and Microsoft IE/Edge.

How many customers are affected?

Getting an accurate reading on how many SSL certificates a CA issues is a challenge. Most tools are only able to scan public-facing domains, leaving internal sites and certificates unaccounted for.

According to, StartCom has just 0.1% marketshare.

Statement on StartCom’s website:

16th Nov. 2017.

StartCom has played a critical role as a Certification Authority in data security and electronic commerce by providing an independent “trusted third party” guarantee all these years. 

Around a year ago the majority of the browser makers decided to distrust StartCom, remove the StartCom root certificates from their root stores and not accept new end entity certificates issued by StartCom.

Despite the efforts made during this time by StartCom, up to now, there has not been any clear indication from the browsers that StartCom would be able to regain the trust. Therefore, the owners of StartCom have decided to terminate StartCom as a Certification Authority (CA). 

From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1st, 2018. Starting 2020, all remaining valid certificates will be revoked. 

StartCom wants to thank all of our customers and partners during these years for their support. 

