Mozilla has recommended that Firefox block credentials issued by a China-based certificate authority for a year, after discovering that the authority does not fully employ all of the required security measures.
Mozilla Will Act Against WoSign
The WoSign authority has intentionally back-dated its certificates over the past nine months in order to avoid an industry-mandated ban on the use of the SHA-1 algorithm. SHA-1 signatures were outlawed at the beginning of the year because of cryptographic collision attacks that could be used to create counterfeit credentials.
The CA bypassed the ban to satisfy customers who had experienced difficulties retiring the SHA-1 function. Mozilla also accused WoSign of concealing its acquisition of StartCom, another certificate authority that had issued improper certificates.
The Mozilla team has stated that it will propose, in the near future, a date after which Mozilla products will no longer trust newly issued certificates from either of the two certificate authorities.
The first notable report of WoSign’s practices appeared after an IT administrator at the University of Central Florida used its service to obtain a certificate for a subdomain he owned. He soon discovered that he had mistakenly received a certificate for the whole domain. To verify whether the error was a one-off incident, he used the same tactic to replicate the result. The results showed that WoSign clearly did not follow the correct validation procedures.
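The two failures described above (SHA-1 certificates back-dated to before the ban, and a certificate issued for a parent domain when only a subdomain was validated) are the kind of thing a browser or CT monitor can flag mechanically. The following is an added illustration written for this article, not code from Mozilla, Google or WoSign; the domain names, dates, field layout and the seven-day back-dating tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Industry cutoff: publicly trusted CAs were not to issue SHA-1 signed
# certificates from the start of 2016.
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1)
# How far notBefore may precede the first external sighting of the
# certificate (e.g. a CT log entry) before it looks back-dated. Assumed value.
BACKDATE_TOLERANCE = timedelta(days=7)


@dataclass
class CertRecord:
    subject_names: list      # DNS names the certificate covers
    validated_name: str      # the one name the applicant proved control of
    signature_hash: str      # hash in the signature algorithm, e.g. "sha1"
    not_before: datetime     # validity start as encoded in the certificate
    first_seen: datetime     # first external observation (constructed field)


def in_scope(requested: str, validated: str) -> bool:
    """Control of a name authorises that name and its subdomains only;
    it never authorises the parent domain."""
    return requested == validated or requested.endswith("." + validated)


def lint(cert: CertRecord) -> list:
    """Return policy findings for one certificate record."""
    findings = []
    sha1 = cert.signature_hash.lower() == "sha1"
    if sha1 and cert.not_before >= SHA1_ISSUANCE_CUTOFF:
        findings.append("sha1-after-cutoff")
    if cert.first_seen - cert.not_before > BACKDATE_TOLERANCE:
        findings.append("possible-backdating")
        # A SHA-1 certificate first seen after the ban but dated before it
        # matches the evasion pattern described in the article.
        if sha1 and cert.first_seen >= SHA1_ISSUANCE_CUTOFF \
                and cert.not_before < SHA1_ISSUANCE_CUTOFF:
            findings.append("sha1-backdated-around-cutoff")
    for name in cert.subject_names:
        if not in_scope(name, cert.validated_name):
            findings.append("out-of-scope:" + name)
    return findings


# Constructed sample records, not real certificates.
BACKDATED_SHA1 = CertRecord(["www.example.org"], "www.example.org", "sha1",
                            datetime(2015, 12, 20), datetime(2016, 3, 10))
MISSCOPED = CertRecord(["example.edu", "sub.example.edu"], "sub.example.edu",
                       "sha256", datetime(2016, 6, 1), datetime(2016, 6, 1))
```

Run `lint(BACKDATED_SHA1)` and `lint(MISSCOPED)` to see the two patterns flagged; a clean SHA-256 record whose names all sit under the validated name returns an empty list.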
Mozilla is acting in defense of web sites, since such certificates can be used by malicious users. Six years ago the DigiNotar certificate authority was used by hackers to create false certificates for Google and 200 other popular sites, which were then used in attacks against various targets. Google and Mozilla banned DigiNotar from the Chrome and Firefox browsers after discovering the issue.
As such, the WoSign warning is not a surprise; it is simply a way to defend against possible intrusions and hacker attacks. A Google representative has also stated that the tech giant is considering similar action if its investigation shows that WoSign certificates could be used for malicious purposes.