Microsoft Removes Trust from Chinese CAs

Microsoft Removes Trust from Chinese CAs

Microsoft has decided to remove trust from two Chinese certificate authorities (CAs) after uncovering a litany of poor security practice.

Redmond revealed in a blog post that it would begin deprecating certificates issued by WoSign and StartCom by setting a “not before” date of September 26 2017.

This means all existing certs will continue to function until they self-expire, and Windows 10 won’t trust any new certificates from the two after September.

A brief statement revealed the reasoning behind the decision:

“Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.”

Microsoft’s decision follows the same move by Apple, Google and Mozilla, who binned the certs in 2016.

The news was welcomed by industry experts, including Kevin Bocek, chief cybersecuirity strategist at Venafi.

He claimed that StartCom is merely a “secretly acquired subsidiary” of WoSign and both have “made a mockery of the global system of trust” underpinned by digital certificates.

“It would appear impossible for both CAs to pass an auditor's examination to operate as a trusted CA,” Bocek added. “This is a reminder for businesses why having automated systems to blacklist and eliminate untrusted CAs from their applications, networks, and clouds is so important. No business should be stuck waiting for Microsoft, Google, and Apple to take action."

The news follows Symantec’s decision to sell its certificates business for $950m, to Utah-based DigiCert.

Although the official reason for the sale is to help the security giant sharpen its enterprise focus, in truth the business had been struggling after a series of incidents which led to the sacking of several employees and a long-running bust-up with Google.

Source: Information Security Magazine