StartCom explained

StartCom Ltd.
Type:Private company
Founder:Eddy Nigg[1]
Hq Location City:Beijing
Hq Location Country:China
Owner:Qihoo 360 Group
Parent:StartCom CA Ltd. (UK), StartCom CA Ltd. (HK)
Key People:Iñigo Barreira (CEO), Tan Xiaosheng (Chairman), Yang Qing
Industry:Internet security, Public key infrastructure
Area Served:Worldwide

StartCom was a certificate authority founded in Eilat, Israel, and later based in Beijing, China, that had three main activities: StartCom Enterprise Linux (Linux distribution), StartSSL (certificate authority) and MediaHost (web hosting). StartCom set up branch offices in China, Hong Kong, the United Kingdom and Spain.[2] Due to multiple faults on the company's end, all StartCom certificates were removed from Mozilla Firefox in October 2016[3] and Google Chrome in March 2017, including certificates previously issued, with similar removals from other browsers expected to follow.[4]

StartCom was acquired in secrecy[5] by WoSign Limited (Shenzhen, Guangdong, China), through multiple companies,[6] which was revealed by the Mozilla investigation[5] related to the root certificate removal of WoSign and StartCom in 2016. Due to the sanctions of both Mozilla and Apple,[7] [8] the company announced it would be restructured during 2016 by WoSign parent Qihoo 360 Group, detaching StartCom from the scandal-affected WoSign and making it a subsidiary of Qihoo.[9] [10]

Despite attempts to distance itself from the controversy, on November 16, 2017, StartCom announced termination of business, and on January 1, 2018, stopped serving new certificates, effectively closing the company.[11] [12] The StartSSL, StartCom, and StartCom CA websites now redirect to WoSign's shop page.

StartSSL

StartCom offered the free Class 1 X.509 SSL certificate "StartSSL Free", which works for webservers (SSL/TLS) as well as for E-mail encryption (S/MIME).It also offered Class 2 and 3 certificates as well as Extended Validation Certificates, where a comprehensive validation (with costs) was mandatory.

While certificates were free and unlimited for certain uses, there were limitations imposed unless an upgrade is purchased:

In June 2011, the company suffered a network breach which resulted in StartCom suspending issuance of digital certificates and related services for several weeks.[13] The attacker was unable to use this to issue certificates (and StartCom was the only breached provider, of six, where the attacker was blocked from doing so).[14]

Trustworthiness

The StartSSL certificate was included by default in Mozilla Firefox 2.x and higher, in Apple Mac OS X since version 10.5 (Leopard), all Microsoft operating systems since 24 September 2009,[15] [16] and Opera since 27 July 2010.[17] Since Google Chrome, Apple Safari and Internet Explorer use the certificate store of the operating system, all major browsers previously included support for StartSSL certificates.

On 30 September 2016, during the investigation on WoSign, Apple announced that their software will not accept certificates issued by one of the WoSign certificates after 19 September 2016, and said they will take further action on WoSign/StartCom trust anchors as the investigation progresses.[8]

On 24 October 2016, Mozilla announced on its security blog that, following its discovery of the purchase of StartCom by another Certificate Authority called WoSign during its investigation on numerous issues with that CA, and that both have failed to disclose this transaction,[18] Mozilla will stop trusting certificates that are issued after 21 October 2016 starting with Firefox 51.[19] On 1 November 2016, Google announced that it too would stop trusting certificates issued after 21 October 2016 starting with Chrome 56. Certificates issued before this date may continue to be trusted, for a time, but in subsequent Chrome releases, these exceptions will be reduced and ultimately removed.[20] On 30 November 2016, Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.[21]

As of Version 57, Google Chrome will only trust WoSign/StartCom certificates that were issued to sites in the Alexa Top 1M list, and Chrome 58 will only trust those in the Alexa Top 500k.[22]

On 8 August 2017, Microsoft announced on its Windows Security blog that Windows 10 will not trust any new certificates from WoSign and StartCom after September 2017.[23]

Despite changes to the company's structure, StartCom did not see "any clear indication from the browsers that StartCom would be able to regain the trust" by the browser companies. Therefore, StartCom has halted the issuing of all certificates since January 1, 2018 and will terminate business completely by 2020 by revoking all issued certificates.[24]

Response to Heartbleed

On 13 April 2014, StartCom announced[25] a FAQ page[26] related to Heartbleed, a critical bug in OpenSSL estimated to have left 17% of the Internet's secure web servers vulnerable to data theft.

StartCom's policy was to charge $25 for each revoked certificate, and it refused to waive this fee in the case of certificates compromised due to Heartbleed, though some paying customers were granted a single free revocation.[27] [28] [29] This caused many to doubt StartCom's status as a certificate authority.[30] When provided with proof of a compromised certificate, StartCom refused to revoke the certificate for free, providing trust even after StartCom had learned that the certificate had been compromised.[31]

Controversies

In August 2016 it was reported that StartCom was sold to WoSign, a Chinese CA.[18] [32] [33] The original disclosure was taken down for legal reasons.[34] However, repostings of the original articles are still available. The relationship is unclear, but it seems as if the StartCom technical infrastructure was being used by WoSign when they were caught issuing about a hundred[35] improperly validated SSL certificates, including a certificate for github.com.[18] [36]

An investigation by Google and Mozilla found that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements. As a result, Google joined Mozilla and Apple and planned to distrust all WoSign and StartCom certificates beginning in 2017.[37] On July 17, 2017, an announcement was made about the restructuring of the company. It was announced that StartCom is now 100% managed by Qihoo 360, no StartCom employees are working on WoSign premises, audits have been made by external pen testers, and a new CMS system was developed.[38]

See also

External links

Notes and References

  1. Web site: Heads roll as Qihoo 360 moves to end WoSign, StartCom certificate row. The Register. 10 Oct 2016. 2016-12-10. Richard. Chirgwin.
  2. Web site: About StartCom . . Apr 26, 2016 . June 7, 2016 . dead . https://web.archive.org/web/20160625001732/https://www.startssl.com/AboutUS . June 25, 2016 .
  3. Web site: Distrusting New WoSign and StartCom Certificates.
  4. News: Why Take Control Was Briefly Labeled "Not Secure". Take Control. Adam C. Engst.
  5. Web site: WoSign and StartCom . Mozilla . 2016-10-10 . 2016-10-25 .
  6. Structure as of October 2016: WoSign CA Limited Hong-Kong → StartCom CA Limited (HK) → StartCom CA Limited (UK)
  7. Web site: Blocking Trust for WoSign CA Free SSL Certificate G2 (IOS) . apple . 2016-09-30 .
  8. Web site: Blocking Trust for WoSign CA Free SSL Certificate G2 (MacOS). apple . 2016-09-30 .
  9. Planned restructure as of October 2016, to be implemented throughout the end of 2016: through the company chain Qihoo 360 → Qifei Int'l Development Ltd. (HK) → StartCom CA Ltd. (HK), which owns 100% of StartCom (CH) and StartCom CA Ltd. (UK), which in turn owns StartCom Ltd. (Israel) and StartCom CA Ltd. (Spain)
  10. Web site: StartCom Remediation Plan . Qihoo 360 Group . 2016-10-14 . 2016-10-25 . dead . https://web.archive.org/web/20161026080249/https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf . 2016-10-26 .
  11. Web site: StartSSL™ Certificates & Public Key Infrastructure. www.startcomca.com. en. 2017-11-17. 2017-12-01. https://web.archive.org/web/20171201171612/https://www.startcomca.com/index/News/newDetail?date=20171116. dead.
  12. Termination of the certificates business of Startcom . mozilla.dev.security.policy . 谭晓生 . 17 November 2017.
  13. Web site: Web authentication authority suffers security breach . The Register. June 26, 2011. January 14, 2012 .
  14. Web site: How StartCom Foiled Comodohacker: 4 Lessons . . September 8, 2011 . December 20, 2012 . dead . https://web.archive.org/web/20130103030451/http://www.informationweek.com/security/attacks/how-startcom-foiled-comodohacker-4-lesso/231601037 . January 3, 2013 .
  15. Web site: Microsoft Adds Support for StartCom Certificates . September 24, 2009 . Press release . StartCom.org . 2011-01-14 . dead . https://web.archive.org/web/20110717142400/http://www.startcom.org/?app=14&rel=33 . July 17, 2011 .
  16. Web site: Microsoft updates trusted root certs to include StartCom . Sophos.com Naked Security blog . September 27, 2009.
  17. Web site: New Roots, new EV, and a new Public Suffix file . Opera.com Rootstore blog.
  18. Web site: CA:WoSign Issues - MozillaWiki . 2016-10-25.
  19. Web site: Distrusting New WoSign and StartCom Certificates . October 24, 2016 . 2016-10-25.
  20. News: Distrusting WoSign and StartCom Certificates. Google Online Security Blog. en-US. 2016-11-02.
  21. News: Lists of available trusted root certificates in iOS. Apple Support Web Site. 2016-12-01.
  22. Web site: 685826 - Restrict the set of domains for WoSign/StartCom certificates - chromium - Monorail . bugs.chromium.org . en . 2017-04-28.
  23. News: Microsoft to remove WoSign and StartCom certificates in Windows 10. Windows Security. 2017-08-11. en-US.
  24. Web site: Termination of StartCom business. www.startcomca.com. en. 2017-12-03. 2017-12-01. https://web.archive.org/web/20171201171612/https://www.startcomca.com/index/News/newDetail?date=20171116. dead.
  25. Web site: Twitter / startssl: We released a small FAQ page .... StartCom. 13 April 2014.
  26. Web site: Heartbleed F.A.Q.. StartCom. 13 April 2014.
  27. Web site: I use StartCom, and I revoked and re-keyed yesterday. In the revocation reason, ... Hacker News. Geoff. 9 April 2014.
  28. Web site: Twitter / codeawe: @tonylampada @startssl .... J. Breitsprecher. 11 April 2014.
  29. Web site: Re: OpenSSL CVE-2014-0160 (aka "Heartbleed") . Jan . 9 April 2014 . dead . https://web.archive.org/web/20140413125847/https://forum.startcom.org/viewtopic.php?p=8097 . 13 April 2014 .
  30. Web site: Most StartSSL certs will stay compromised. 9 April 2014.
  31. Web site: StartSSL, please revoke me! . 12 April 2014 . unfit . https://web.archive.org/web/20140412085458/https://revokame.tonylampada.com.br/ . April 12, 2014 .
  32. Web site: Thoughts and Observations: WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure. www.percya.com. 2016-09-08. https://web.archive.org/web/20160905173058/http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html. 2016-09-05. dead.
  33. Web site: Thoughts and Observations: StartCom operated solely by WoSign in China - an analysis of the new StartCom website. www.percya.com. 2016-09-08. https://web.archive.org/web/20160907132911/http://www.percya.com/2016/09/startcom-operated-solely-in-china.html. 2016-09-07. dead.
  34. https://letsphish.org?part=about https://letsphish.org
  35. Web site: Incidents involving the CA WoSign .
  36. Web site: The story of how WoSign gave me an SSL certificate for GitHub.com .
  37. News: Google to Distrust WoSign/StartCom Certificates . Tara . Seals . InfoSecurity Magazine . November 2, 2016 . July 7, 2017.
  38. Web site: 1311832 - StartCom: Action Items. bugzilla.mozilla.org. en. 2017-08-01.