Will Pale Moon distrust WoSign certs?

General discussion and chat (archived)
Walter Dnes
Astronaut
Posts: 652
Joined: 2015-07-30, 20:29
Location: Vaughan, ON, Canada

Will Pale Moon distrust WoSign certs?

Unread post by Walter Dnes » 2017-07-11, 09:16

From http://www.zdnet.com/article/google-gui ... -startcom/
Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61.

According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016.
There's a right way
There's a wrong way
And then there's my way

Fedor2

Re: Will Pale Moon distrust WoSign certs?

Unread post by Fedor2 » 2017-07-11, 11:06

Why should we follow Google at all? I'd rather distrust them.
And I'm interested in what will be affected if you block those certs. Anyway, you can do this yourself in Pale Moon in the certificate settings.

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: Will Pale Moon distrust WoSign certs?

Unread post by adesh » 2017-07-11, 11:51

Looks like WoSign certainly has issues. Mozilla too is not happy about this.
https://blog.mozilla.org/security/2016/ ... tificates/

Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Will Pale Moon distrust WoSign certs?

Unread post by Moonchild » 2017-07-11, 11:55

I'm not getting involved in these politics. Their (Mozilla's) own little baby (Let's Encrypt) is much worse in terms of CA practices, so they should look in their own back yard first.

Also, one reason this is clearly a political move is how the only free SSL issuer of a similar accessibility to Let's Encrypt (Startcom) has been taken as collateral, despite them being immediately separated and doing everything they can to follow CA rules and regulations. StartCOM IMO has done nothing wrong. I happen to be involved there because it has been our code signing and SSL provider for years.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

user108

Re: Will Pale Moon distrust WoSign certs?

Unread post by user108 » 2017-07-14, 22:30

Google is following suit. http://thehackernews.com/2017/07/chrome-certificate-authority.html

If anyone is concerned you can manually remove WoSign & Startcom via the Certificate Manager (Preferences > Advanced > Certificates > View Certificates > Authorities)

dark_moon

Re: Will Pale Moon distrust WoSign certs?

Unread post by dark_moon » 2017-07-15, 16:04

I follow Moonchild's way. All CAs have had problems in the past, but only WoSign or Symantec.
You get a lot of problems if you disallow them.

As Moonchild says, the only CA we should stop using is LetsEncrypt. Now they add wildcard domains... what a security mess :thumbdown:

Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Will Pale Moon distrust WoSign certs?

Unread post by Moonchild » 2017-07-15, 20:49

A recent issue supported by Let's Encrypt's crap CA practices: I bought something from a specialized t-shirt shop in the past. Recently, a different company copied their website under a very similar sounding name, after having bought or scraped past customer e-mail addresses (most likely it's been (through) their Chinese distributor that they were having issues with getting shirts actually delivered that were ordered), copied their products into it, and then sent out mass e-mail to past customers pretending to be the original company. Their website was, you guessed it, SSL-enabled with Let's Encrypt. With how LE won't revoke any certificates, it means that the cert will be valid and active for the full 3 months and there's nothing the original company can do about it except sending e-mail out to their past customers warning about the fraud, which they have. In 3 months, the shell company will have had a bunch of orders that were paid without fulfilling them, and probably will have people lose their money to it.

testator777

Re: Will Pale Moon distrust WoSign certs?

Unread post by testator777 » 2017-07-15, 22:58

Moonchild wrote:StartCOM IMO has done nothing wrong. I happen to be involved there because it has been our code signing and SSL provider for years.
Off-topic:
Interesting, because I thought you used the COMODO CA. Or at least my connection to forums.palemoon.org and palemoon.org does.
SHA1 COMODO certificate for forums.palemoon.org
64:AB:72:A7:10:7B:B7:81:93:84:1D:7E:4B:86:F7:1D:66:DC:A6:D4

Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Will Pale Moon distrust WoSign certs?

Unread post by Moonchild » 2017-07-16, 08:26

I've switched our https server certificates to Comodo for the time being, because otherwise people using the affected browsers with distrusted certificates won't be able to visit the forum or website. Yes, it was an extra expense to get the certificate.
