Microsoft is following the lead of Google, albeit quite slowly, and removing trust for certificates issued by Chinese CAs WoSign and StartCom in its products.
The decision is a result of the companies issuing some certificates in 2015 and 2016 that violated rules established by the CA/Browser Forum. Specifically, researchers discovered that the CAs had issued some certificates that were backdated, apparently to get around rules about no longer issuing certificates that use the deprecated SHA-1 algorithm. Many of the major browser vendors, including Mozilla and Apple, have already removed trust from their browsers for WoSign and StartCom certificates, and Google plans to do so next month.
Now, Microsoft has announced plans to follow suit, beginning a long, gradual process of removing trust for those CAs in September.
“Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations,” Microsoft officials said in a post Tuesday.
“Thus, Microsoft will begin the natural deprecation of WoSign and StartCom certificates by setting a ‘NotBefore’ date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017.”
For users, this move won’t have any real immediate effect. But over time, any certificates issued by WoSign or StartCom will no longer be accepted as valid by Microsoft’s browsers and other products. It’s relatively rare for browser manufacturers to take this action, but not unprecedented. In 2011, Mozilla, Google, and the other browser makers took the same action against DigiNotar, a Dutch CA that had been compromised by an attacker. The attacker was able to issue some valid certificates for high-value sites and use them in further attacks.
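The two policies this article describes, Microsoft's "NotBefore" cutoff for WoSign and StartCom and the CA/Browser Forum rule that stopped new SHA-1 certificates after 1 January 2016, can be expressed as a small validation routine. The following is an added illustration, not code from Microsoft or from any browser, and the certificate records, the `Example Root CA` issuer, the `first_seen` field and the seven-day backdating tolerance are constructed assumptions. It goes one step beyond the article by showing why backdating is hard to catch from the certificate alone: a SHA-1 certificate dated before the deadline looks compliant on its face, and only an external observation of when it actually appeared (for instance a Certificate Transparency log entry) reveals the gap.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Cutoff named in Microsoft's announcement: certificates from these CAs whose
# NotBefore is later than this date are not trusted; earlier ones run to expiry.
MS_NOTBEFORE_CUTOFF = _utc(2017, 9, 26)
DISTRUSTED_ISSUERS = {"WoSign", "StartCom"}

# CA/Browser Forum Baseline Requirements: no new SHA-1 certificates after this date.
SHA1_ISSUANCE_DEADLINE = _utc(2016, 1, 1)

# Assumption for this example: CAs commonly set NotBefore slightly in the past to
# absorb clock skew, so a gap of more than a week between NotBefore and the first
# external sighting is treated as suspicious rather than normal.
BACKDATE_TOLERANCE = timedelta(days=7)


@dataclass
class Cert:
    """Minimal view of the X.509 fields the checks below need (constructed)."""
    subject: str
    issuer_org: str
    not_before: datetime
    not_after: datetime
    signature_algorithm: str
    first_seen: Optional[datetime] = None  # hypothetical: earliest time the cert was observed, e.g. a CT log timestamp


def evaluate(cert: Cert, now: datetime) -> Tuple[bool, List[str]]:
    """Return (trusted, findings) for one leaf certificate under the policies above."""
    findings: List[str] = []
    trusted = True

    # Ordinary validity-period check.
    if not (cert.not_before <= now <= cert.not_after):
        trusted = False
        findings.append("outside validity period")

    # Microsoft's deprecation: only certificates dated after the cutoff lose trust.
    if cert.issuer_org in DISTRUSTED_ISSUERS and cert.not_before > MS_NOTBEFORE_CUTOFF:
        trusted = False
        findings.append(
            f"{cert.issuer_org} certificate dated after NotBefore cutoff {MS_NOTBEFORE_CUTOFF.date()}"
        )

    if "sha1" in cert.signature_algorithm.lower():
        if cert.not_before >= SHA1_ISSUANCE_DEADLINE:
            # An honestly dated SHA-1 certificate after the deadline is a plain BR violation.
            trusted = False
            findings.append("SHA-1 certificate dated after the BR issuance deadline")
        elif cert.first_seen is not None and cert.first_seen - cert.not_before > BACKDATE_TOLERANCE:
            # Dated before the deadline, yet not seen anywhere until much later:
            # consistent with backdating. Reported as a finding for review, not an
            # automatic distrust, because the certificate itself cannot prove it.
            gap = (cert.first_seen - cert.not_before).days
            findings.append(f"possible backdating: SHA-1 certificate first observed {gap} days after its NotBefore")

    return trusted, findings


def sample_certs() -> Dict[str, Cert]:
    """Constructed records covering the cases the policy distinguishes."""
    return {
        "wosign_before_cutoff": Cert("www.example.com", "WoSign", _utc(2017, 3, 1), _utc(2018, 3, 1),
                                     "sha256WithRSAEncryption"),
        "wosign_after_cutoff": Cert("www.example.com", "WoSign", _utc(2017, 10, 1), _utc(2018, 10, 1),
                                    "sha256WithRSAEncryption"),
        "startcom_backdated_sha1": Cert("legacy.example.net", "StartCom", _utc(2015, 12, 20), _utc(2017, 12, 20),
                                        "sha1WithRSAEncryption", first_seen=_utc(2016, 3, 15)),
        "other_ca": Cert("shop.example.org", "Example Root CA", _utc(2017, 10, 1), _utc(2018, 10, 1),
                         "sha256WithRSAEncryption"),
    }


if __name__ == "__main__":
    now = _utc(2017, 10, 15)
    for name, cert in sample_certs().items():
        trusted, findings = evaluate(cert, now)
        print(f"{name:26} trusted={trusted} {findings}")
```

Run against the constructed records, the WoSign certificate dated March 2017 is still accepted in October 2017 while the one dated 1 October 2017 is not, which is exactly the "existing certificates continue to function until they self-expire" behaviour in Microsoft's statement. The StartCom record stays trusted but carries a backdating finding, since nothing in its own fields is out of policy.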