[ALUG] WoSign and StartSSL issued certificates

Andreas Tauscher ta at geuka.net
Thu Oct 6 17:20:41 EAT 2016


Hi all!

Apple revoked the trust for SSL certificates issued by the Chinese CA
WoSign and the Israel-based CA StartSSL.

https://support.apple.com/en-us/HT202858
https://support.apple.com/en-us/HT204132

Mozilla has a list of issues in the verification and certificate issuing
process of WoSign:

https://wiki.mozilla.org/CA:WoSign_Issues

As a result, Mozilla will also revoke the trust in these certificates for
at least one year.

So if you have StartSSL or WoSign certificates, better replace them ASAP.

The security auditor for WoSign and StartSSL was Ernst and Young from
Hong Kong. They did not recognise several problems during their audit, so
other CAs audited by Ernst and Young might now be checked in more
detail. Better check if the new CA is not audited by Ernst and Young.

I would have better things to do than now replacing the certificates I
have from them with Let's Encrypt certificates.....
It is another proof of how broken and in no way trustworthy this entire CA
system is.

My dear browser, mail-client or whatever software using SSL certificates
developers:
I want full DANE support.
NOW!
Then I don't rely any more on this entire CA nonsense.
If I mess up my certificates: My problem.

Published September 2013:
http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
Reading this document about the CA ecosystem is really no fun.

Andreas
