[olug] HeadsUP - StartSSL.com root certificate change in Firefox

Rob Townley rob.townley at gmail.com
Tue Nov 1 14:54:23 CDT 2016


Much worse.  WoSign, a Chinese CA, purchased StartCom without disclosure.
StartCom StartSSL.com will be _permanently_ removed from Google
Chrome in January.
Unlike Mozilla, Google will not be as forgiving and will not allow them back.

The major players will no longer trust auditing by Ernst & Young Hong Kong.

Distrusting WoSign and StartCom Certificates     October 31, 2016
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

Too bad, spoke with Eddy Nigg directly and his other employees.  Was
rooting for them and what I assume was their small business.  They
were, by far, the least expensive wild card and multi domain name
certificates available.  Sounds as if he may never be in the CA
business again.  Which would be a waste of his experience.  He raised
problems with the current CA system many times that were in fact
exploited later.

Would rather send an encrypted SSL Certificate Signing Request to
clipperz or some other digital notary on the BlockChain.

(Qihoo 360 was the largest shareholder in WoSign so would not be
surprised if they start another SSL CA.)

On Wed, Oct 26, 2016 at 10:20 PM, Rob Townley <rob.townley at gmail.com> wrote:
>
> Not sure if there will be a time period or not where Firefox will simply not trust StartSSL at all until the next Firefox version.  That is one problem.  A bigger problem for most of us is if your website uses StartSSL.com certificates, you would have to renew them based on the new StartCom root CA.  StartCom is forced to generate new ROOT certificate authorities, not just intermediate CAs.  The notice does not seem to appear until after one authenticates with their certificate.  Since certificate authentication is often a challenge, I am posting the notice here verbatim.
>
>
>> Welcome!
>>
>> Mozilla decided to distrust all StartCom root certificates as of 21st of October, this situation will have an impact in the upcoming release of Firefox in January. StartCom will provide an interim solution soon and will replace all the issued certificates from that date in case of requested. Meanwhile StartCom is updating all their systems and will generate new root CAs as requested by Mozilla.
