Microsoft has joined Apple, Google, and Mozilla in disabling security
certificates from Chinese company WoSign and its StartCom subsidiary.
WoSign and StartCom lost their reputation for reliability over a year ago. According to SSL Labs, by October 2016, “browser vendors have lost trust in WoSign’s ‘technical and management capabilities.’ In addition, WoSign has been accused of dishonesty and continued and persistent deception.” Unfortunately, both CAs had large installed user bases, largely because both had offered free certificates.
Mozilla was the first web browser company to announce that it would “no longer trust newly-issued certificates issued by either of these two CA brands.” Google followed Mozilla in no longer trusting the CA vendors’ certificates in July 2017. Chrome security engineer Devon O’Brien said Google was doing this because of “several incidents” involving the certificate authority which have “not [been] in keeping with the high standards expected of CAs.” Apple has also dropped support for WoSign certificates.
Now, Microsoft has joined them in abandoning trust in their certificates. A Microsoft representative wrote: “Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program.
