Announcement about Mozilla Action
2016-10-24 ( 2016-12-01 update )Mozilla on August 24 launched an investigation for WoSign CA, and released a list of issues (Wiki), listed from March 2015 to July 2016 all the issues during the period. WoSign also made a careful investigation of these issues and issued a report on these issues, some problems have been clarified, and all problems are found in the first time and fixed. WoSign actively cooperate with the investigation and communication to guarantee the issued SSL certificate will not be affected in any way.
Mozilla has been released the action on October 21, now this is the WoSign official announcement about the incident and its effects on users and responding actions made herein.
1. The results of the incident
(1) Mozilla is going to distrust 4 included WoSign Root Certificates from Oct. 22nd, 2016.
(2) After June.1st, 2017, WoSign can apply for inclusion of new root certificate following Mozilla's normal root inclusion/change process after WoSign have completed all of the required action items.
2. Effects on the users
(1) SSL certificates issued on Oct. 21st and before Oct.21st will not been affected, and they will still be trusted by Mozilla Firefox; after Oct. 21st, SSL certificates issued from the 4 WoSign roots will be distrusted by Firefox.
(2) There will not be any effect on WoSign Code Signing Certificate, Client Certificates or WoSign Signing service - WoSignDoc.
Update (Nov. 1st):
(1) Google have published a blog post outlining the steps that beginning with Chrome 56, certificates issued by WoSign after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign.
(2) Apple have published an announcement that Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA after 2016-09-19. Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.
Update (Dec. 1st):
Apple products will block certificates from WoSign root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.
3. The solution to the Results
(1) The WoSign Digital Certificate Store (buy.wosign.com) will be updated. From Oct. 22nd, 2016, there will be a 90% OFF discount on all charged SSL certificates issued from the 4 affected roots. The free SSL certificate issuance is stopped since Sept. 29, 2016.
(2) There will be new SSL certificates issued by a new WoSign name intermediate CA which is signed and hosted by the one of global trusted root CA, it supports all the browsers (including Firefox). This will be done within one months.
(3) WoSign will be working actively to meet the Mozilla 6 requirements in order to accomplish the new root inclusion after June 1st, 2017.
(4) WoSign will continue to carry out a thorough investigation and internal audit on all the systems to upgrade and improve them, and meanwhile, complete the internal control system and build an international standards research team and an internal audit team to ensure all of the systems meet all international standards and all the operations conforming to the international standards. Moreover, all related employees are required to work strictly under the standards and will be punished for the disobeying of those management policy.
Although Mozilla’s sanctions are too severe, but WoSign accept it. WoSign decide to make improvement, continuously increase liability, security and compliance of our systems and follow strictly all the international standards and security management policies of every browser vendor.
Finally, deep gratitude should be expressed to our subscribers and partners. It was your supports and accompanying that helped WoSign get though the 10 years of rains and winds and finally get the almost 50% of China SSL market share and become the No. 6 largest CA in the world. We sincerely hope that we can head forward together to the next brilliant 10 years, thanks.