Mozilla has accused a Chinese Certificate Authority of back-dating SHA-1 certificates to get around restrictions barring deprecated certs from being trusted, and is ready to ban the CA for one year.
The back-dating is just one of many violations derived after a lengthy investigation of WoSign and one of its subsidiaries, StartCom. In addition to consistently back-dating SHA-1 certs, WoSign is accused of mis-issuing certificates for GitHub to a customer, allowing arbitrary domain names to be included in certs without validating them, failing to report its acquisition of StartCom as CAs are required to do. A report published Monday by Mozilla lists numerous other infractions that go against requirements put forth by the CA/Browser Forum’s published baseline requirements.
“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Mozilla said in its report. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.”
Mozilla said it will only distrust newly issued certs to avoid adversely impacting users; both WoSign and StartCom have issued a large number of certificates, Mozilla said. Mozilla has started a public comment period on its proposal, including WoSign customers.
“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla said. “We believe that the behavior documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market.”
The back-dating of SHA-1 certs was the crux of the Mozilla report published this week. SHA-1 has long been considered a weak hashing algorithm and the major browser makers and leading technology providers have already taken great pains to deprecate it across product lines. Browsers, for example, will no longer accept SHA-1 certs in the near future; Microsoft’s Edge and Internet Explorer browsers will block them starting in February.
Mozilla’s Firefox and Google Chrome enforce SHA-1 deprecation and will not trust certificates with a notBefore date of Jan. 1, 2016. Mozilla points out that CAs could bypass this restriction by back-dating certificates, which it says WoSign did 62 times for certs issued in 2016 that were back-dated to December 2015.
Mozilla spelled out in its investigation how it spotted an anomalous number of SHA-1 certs issued by WoSign on Dec. 20, 2015, a Sunday. This runs counter to the vast majority of other SHA-1 certs issued by the company on working days during normal work hours.
“We think it is highly unlikely that WoSign employees decided to go to work on that particular Sunday for a marathon 24-hour period and approve an unprecedented number of Type Y certificate requests,” Mozilla said. “We think it is more plausible that for those certificates, the notBefore date does not reflect the actual date of certificate creation, and that these certificates were created in 2016 (or the last day of 2015) and back-dated.”