This problem stems mainly from the major browser vendors' joint decision to stop accepting certificates signed with the old SHA-1 algorithm from January 1, 2016. Mozilla accused WoSign of still issuing SHA-1 certificates this year with backdated issuance dates; the finding was reported in August.
Although Mozilla does allow a few other CAs, such as Symantec, to continue issuing SHA-1 certificates after January 1, 2016, only CAs that have passed a demanding approval process may do so, and WoSign clearly did not obtain that consent.
WoSign secretly acquired StartCom
In addition, WoSign appears to have been denying its acquisition of the Israeli CA StartCom. Mozilla said that WoSign had acquired StartCom. On the other hand, according to Qihoo 360, it holds a total of 84% of WoSign's shares. Such information had previously been denied, or comment was declined.
In addition, according to the technical details disclosed by Mozilla, StartCom has begun using WoSign's infrastructure to issue new certificates, and StartCom, like WoSign, issued SHA-1 certificates with backdated issuance dates on July 15, 2016. Mozilla's security engineers also published details of these violations.
According to Mozilla's investigation, Tyro, a payment processor that had worked with the GeoTrust CA for many years and had never used StartCom before, suddenly deployed a SHA-1 certificate from StartCom in mid-June. The certificate appears to have been issued on July 15 but carries an issuance date of December 20, 2015, and a large number of SHA-1 certificates were issued by StartCom with that same date. Mozilla found that these certificates were deployed in mid-December 2016, which is not normal. This is clearly a tactic to evade the SHA-1 sunset by backdating the issuance date.
These and other problems led Mozilla to decide to distrust SSL certificates from WoSign and StartCom for at least one year.
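An added example, not from the article or from Mozilla, of the audit rule that Mozilla's findings imply: a SHA-1 certificate whose stated issuance date predates the cutoff but which is first observed months later is a backdating suspect. The sample records, the 90-day window and the source of the first-seen date (a CT log or a network scan) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Browsers stopped accepting newly issued SHA-1 certificates from this date.
SHA1_CUTOFF = date(2016, 1, 1)
# Assumption: a certificate normally appears in the wild within this window of
# its stated issuance date; a much larger gap suggests a backdated notBefore.
MAX_ISSUE_TO_SEEN_GAP = timedelta(days=90)

@dataclass
class CertRecord:
    subject: str
    issuer: str
    signature_algorithm: str  # e.g. "sha1WithRSAEncryption"
    not_before: date          # the certificate's stated issuance date (notBefore)
    first_seen: date          # earliest observation (assumed: CT log or scan)

def audit(rec: CertRecord) -> str:
    """Classify one certificate against the SHA-1 sunset policy.

    "ok"               : not SHA-1, or SHA-1 dated before the cutoff and seen promptly
    "sha1-post-cutoff" : SHA-1 certificate openly dated after the cutoff
    "sha1-backdated"   : SHA-1 certificate dated before the cutoff but first
                         observed long afterwards (the pattern described above)
    """
    if not rec.signature_algorithm.lower().startswith("sha1"):
        return "ok"
    if rec.not_before >= SHA1_CUTOFF:
        return "sha1-post-cutoff"
    if rec.first_seen - rec.not_before > MAX_ISSUE_TO_SEEN_GAP:
        return "sha1-backdated"
    return "ok"

def audit_all(records):
    return {r.subject: audit(r) for r in records}

# Constructed sample records modelled on the cases in the article.
SAMPLES = [
    CertRecord("legacy.example", "GeoTrust CA", "sha1WithRSAEncryption",
               date(2015, 6, 1), date(2015, 6, 3)),
    CertRecord("pay.example", "StartCom Class 1 CA", "sha1WithRSAEncryption",
               date(2015, 12, 20), date(2016, 7, 15)),
    CertRecord("shop.example", "WoSign CA", "sha1WithRSAEncryption",
               date(2016, 2, 1), date(2016, 2, 2)),
    CertRecord("new.example", "WoSign CA", "sha256WithRSAEncryption",
               date(2016, 7, 15), date(2016, 7, 16)),
]

if __name__ == "__main__":
    for subject, verdict in audit_all(SAMPLES).items():
        print(f"{subject:16} {verdict}")
```

Flagged entries are candidates for manual review, since a legitimately issued certificate can also sit unused for a while before deployment.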
They may be permanently blocked
Mozilla said the temporary distrust applies only to newly issued certificates from the two companies and does not affect certificates already distributed to their customers. If the two companies do not pass a series of checks after the one-year ban, Mozilla is prepared to block all of their certificates.
"Many people are watching the Web PKI security system. If such backdating (for whatever reason) is found, Mozilla will immediately and permanently revoke trust in the WoSign and StartCom root certificates," the report said.
In addition, blocking in Chrome and other products is also being planned. "Other browser vendors and root store operators will make their own decisions. We put this information in this document so that they can understand why we made this decision and make their own decisions accordingly," Mozilla said.
From: http://news.tuxi.com.cn/news/119999990123237/32372685.html
Address: http://www.linuxprobe.com/mozilla-startssl-year.html