Microsoft Dumps Notorious Chinese Secure Certificate Vendor (zdnet.com)
Soon, neither Internet Explorer nor Edge will recognize new security certificates from Chinese Certificate Authorities WoSign and its subsidiary StartCom. ZDNet reports: A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity's identity on the internet. Certificates include their owner's public key and name, the certificate's expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and "private" internet communications.
Microsoft has joined [Mozilla, Google and Apple] in abandoning trust in their certificates. A Microsoft representative wrote: "Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) [issuance and management rules for public certificates] violations." Microsoft will start "the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017."
No, Letsencrypt is just bad, in my opinion. Certs expiring after just a few months sucks. I know, I know, cert renewals are supposedly 'automated'. But that's only true when this automation doesn't break, and it broke for some reason when I tried it. I just bought a year-long cert instead from another vendor. It was well worth paying to not have to deal with Letsencrypt.
So what's to prevent them from backdating new certificates?
Removal of the CA's root certificate from the browser's (operating system's in the case of IE) list of trusted root authorities would do it, but it sounds like they are not doing that yet.
Sounds like Microsoft is playing nice and not yanking the root cert now; instead they are creating a soft landing where they will not honor new certs (with the assumption that new backdated certs won't be created). In a year, when all of the certs would have expired anyway, the root cert would be removed.
Personally I would have just yanked the root cert at the first sign of weirdness from the CA. After all we are only talking about the default list of trusted roots, users can add their own if they feel the need to trust something untrustworthy.
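The thread above turns on two different trust-store responses: a NotBefore cutoff that keeps already-issued certificates working, and outright removal of the root. The following is an added example, not code from Microsoft, ZDNet or any commenter, that models both policies over a constructed set of certificates. The distinguished names, dates (other than the 26 September 2017 cutoff quoted in the story) and the leaf certificates are all made up; treating a leaf whose NotBefore is on or after the cutoff as "new" is this example's reading of the announcement. It deliberately includes a certificate issued after the cutoff with a backdated NotBefore, to show that the soft-landing policy accepts it while root removal does not, which is the point the comments raise: NotBefore is a value the issuing CA writes, not one the relying party can verify.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Simplified certificate model (constructed for this example): only the fields the
# NotBefore-cutoff policy needs. A real path builder also checks signatures, key
# usage, name constraints and revocation; none of that is modelled here.
@dataclass(frozen=True)
class Cert:
    subject: str       # subject DN, used as the lookup key in the pool
    issuer: str        # issuer DN; equal to subject for a self-signed root
    not_before: datetime
    not_after: datetime


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Hypothetical DNs standing in for the real WoSign/StartCom roots (assumption).
DISTRUSTED_ROOTS: Set[str] = {"CN=WoSign Root CA", "CN=StartCom Root CA"}
# Cutoff date from Microsoft's statement; "on or after" is this example's reading.
CUTOFF = utc(2017, 9, 26)
NOW = utc(2018, 1, 15)  # evaluation time used by the demo (constructed)

# Constructed certificates: a WoSign root, a StartCom root with an intermediate,
# and an unrelated root that the policy must leave alone.
WOSIGN_ROOT = Cert("CN=WoSign Root CA", "CN=WoSign Root CA", utc(2010, 1, 1), utc(2030, 1, 1))
STARTCOM_ROOT = Cert("CN=StartCom Root CA", "CN=StartCom Root CA", utc(2010, 1, 1), utc(2030, 1, 1))
STARTCOM_INT = Cert("CN=StartCom Class 1 Sub CA", "CN=StartCom Root CA", utc(2015, 1, 1), utc(2025, 1, 1))
OTHER_ROOT = Cert("CN=Example Trust Root", "CN=Example Trust Root", utc(2010, 1, 1), utc(2030, 1, 1))

LEAF_OLD = Cert("CN=old.example", "CN=WoSign Root CA", utc(2017, 3, 1), utc(2018, 3, 1))
LEAF_NEW = Cert("CN=new.example", "CN=StartCom Class 1 Sub CA", utc(2017, 10, 1), utc(2018, 10, 1))
# Issued after the cutoff but with NotBefore written in the past: the backdating case.
LEAF_BACKDATED = Cert("CN=backdated.example", "CN=WoSign Root CA", utc(2017, 9, 1), utc(2018, 9, 1))
LEAF_OTHER = Cert("CN=other.example", "CN=Example Trust Root", utc(2017, 10, 1), utc(2018, 10, 1))

POOL: Dict[str, Cert] = {c.subject: c for c in (WOSIGN_ROOT, STARTCOM_ROOT, STARTCOM_INT, OTHER_ROOT)}
TRUSTED: Set[str] = {WOSIGN_ROOT.subject, STARTCOM_ROOT.subject, OTHER_ROOT.subject}


def build_chain(leaf: Cert, pool: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the leaf until a self-signed cert or a dead end."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while cur.issuer != cur.subject:
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt.subject in seen:  # unknown issuer, or a loop
            break
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def evaluate(leaf: Cert, pool: Dict[str, Cert], now: datetime, trusted: Set[str],
             distrusted: Set[str] = DISTRUSTED_ROOTS, cutoff: datetime = CUTOFF) -> Tuple[bool, str]:
    """Trust-store policy: the chain must end at a trusted root, every cert must be
    inside its validity period, and a leaf under a distrusted root must predate the cutoff."""
    chain = build_chain(leaf, pool)
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in trusted:
        return False, f"no path to a trusted root (stopped at {root.subject})"
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject} is outside its validity period"
    if root.subject in distrusted and leaf.not_before >= cutoff:
        return False, f"leaf NotBefore {leaf.not_before:%Y-%m-%d} is on/after cutoff {cutoff:%Y-%m-%d}"
    return True, "trusted"


def run_policy_demo() -> Dict[str, bool]:
    """Evaluate each sample leaf under the NotBefore cutoff and under full root removal."""
    results: Dict[str, bool] = {}
    for name, leaf in (("old", LEAF_OLD), ("new", LEAF_NEW),
                       ("backdated", LEAF_BACKDATED), ("other", LEAF_OTHER)):
        results[f"cutoff:{name}"] = evaluate(leaf, POOL, NOW, TRUSTED)[0]
        results[f"root_removed:{name}"] = evaluate(leaf, POOL, NOW, TRUSTED - DISTRUSTED_ROOTS)[0]
    return results


if __name__ == "__main__":
    for key, ok in run_policy_demo().items():
        print(f"{key:22} {'trusted' if ok else 'REJECTED'}")
```

Running it shows the difference the commenters are arguing about: under the cutoff policy the pre-cutoff leaf keeps working until it expires, the post-cutoff leaf (reached through the StartCom intermediate) is rejected, and the backdated leaf is accepted because nothing in the certificate itself reveals when it was really signed. Dropping the two roots from the trusted set rejects all three while leaving the leaf under the unrelated root untouched.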