Certificate Authority (CA) StartCom announced last week, on Friday, its intention to cease operations by 2018, and completely shut down its certificate infrastructure by 2020.
The decision came after all major browser vendors banned StartCom and WoSign SSL certificates in their products.
Both StartCom and WoSign were caught issuing SHA1-signed SSL certificates after January 1, 2016, the date from which browser vendors had banned signing SSL certificates with the old SHA1 algorithm, and backdating those certificates so they appeared to predate the cutoff.
In addition, both companies failed to inform browser vendors that China-based WoSign had bought EU-based StartCom in the autumn of 2015. Both companies are now owned by Chinese cyber-security giant Qihoo 360.
All these issues came to light in September 2016 after a Mozilla investigation. While the two companies promised to revamp their operations, their pleas fell on deaf ears and, one after the other, browser vendors banned both CAs.
Apple banned WoSign and StartCom certs almost immediately in October 2016, Google banned the two in Chrome 56 (January 2017), Microsoft said it would stop supporting certificates from both companies in September 2017, and Mozilla will ban both CAs in Firefox 58 (January 2018).
Both companies tried to earn the trust of browser vendors back, with changes to their leadership and SSL-issuance infrastructure, but it was too late.
Seeing the writing on the wall, the StartCom board decided to end all operations. Below is a snippet of the official announcement, shared with the browser community last Friday by Xiaosheng Tan, Qihoo's CSO.
Due to some comments and decisions made by the Mozilla community, which are followed by some other browsers, StartCom's board made a difficult but final decision after careful n. We will initiate the termination procedure of the StartCom business. The liquidation procedure will begin and follow our CPS and internal procedures. We'll set January 1st 2018 as the termination date and will stop issuing certificates therefrom. We will maintain our CRL [Certificate Revocation List] and OCSP [Online Certificate Status Protocol] service for two more years from January 1st 2018. The three pairs of StartCom key Roots will be eliminated after that time.
This is not the first Certificate Authority to die out after a browser ban. The first to suffer this fate was Dutch CA DigiNotar, after hackers breached its network and issued SSL certificates in Google's name. The company shut down operations after Google banned it in 2011.
Similarly, earlier this year Google banned Symantec certificates. While the company did not shut down, it decided to sell its certificate business to DigiCert for $950 million in cash and a 30% stake, leaving DigiCert to take over its clientele and repair its SSL-issuance infrastructure.
WoSign said it would try to have browser vendors lift the ban on its certificates. To earn back their trust, the Chinese SSL provider recently underwent a security audit. A private auditor found 22 flaws, but nothing major. Browser vendors are still debating whether to lift the WoSign ban.