Microsoft has announced that after careful consideration, it has decided to join Mozilla, Google, and Apple in deprecating security certificates issued by Chinese Certificate Authority (CA) WoSign and its subsidiary StartCom. Windows 10 will not recognize new certificates from either company as valid after September 2017. Microsoft did not mention if its older operating systems such as Windows 7, which is still very popular, will do the same.
Microsoft said in a statement on its blog:
“Microsoft will begin the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017. Microsoft values the global Certificate Authority community and only makes these decisions after careful consideration as to what is best for the security of our users.”
The decision came after the two Chinese CAs have for years failed to maintain security standards required by Microsoft’s Trusted Root Program. The company further said that:
“Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) violations.”
In October 2016, WoSign promised (PDF) to clean up its act after Mozilla notified the company about three incidents involving its certificates, but that has not yet happened.
After Microsoft's move to block the two CAs, most major browsers will now cease to recognise their certificates as valid. Opera is likely the only mainstream web browser that continues to trust WoSign certificates and will probably keep doing so, as the company was bought by a Chinese consortium last year.