WoSign – one of the largest digital certificate provider in China, the owner of Israeli certificate authority (CA) StartCom – recently faced problems with Mozilla. It has all started after various security incidents, including issue of SSL/TLS certificates for primary GitHub domains to subdomain owner.
WoSign drew attention for the first time when Stephen Schrauger, a web developer for the University of Central Florida, managed to generate an SSL certificate for github.io by controlling just a subdomain schrauger.github.com. Schrauger passed validation for fun, and getting the certificate for the domain .io comments with lightness: "I did not add (certificate) www.github.com because I forgot."
Mozilla also accuses the company of buying StartCom, without telling anyone and without disclosing the change of ownership.
All this made Apple to kick WoSign CA Free SSL Certificate out of its trust program too.
Finally Mozilla decided new certificates from WoSign and StartCOM would no longer be trusted in their browser. However existing certificates will still be trusted. The CAs can reapply for browser inclusion in a year under certain conditions. This theoretically allows WoSign to create backdated certificates, however Mozilla announced that if they see any evidence of this they will immediately distrust all Wosign/StartCOM certificates.
One must admit - as Schrauger said - domain validation isn't as simple as one may think, and WoSign isn't the first to have a problem. Hopefully situations like this will not, however, occurred.
If you run a online business, you are sure to use Google AdWords. Perhaps this is one of the main traffic sources on your site, so the last message you want to see is "Your account has been suspended ...". And yet, you can expect it if your site is not SSL-secured.
Starting 1st of August 2016, Comodo and DomenySSL will no longer offer SGC variants of certificates. As your account has a valid SGC certificate which will be up for renewal in the future, the company has prepared a list of recommended alternatives.
Thawte is only one of the few vendors outside of the United States. As the main competitor of American vendors quickly gained a 40 % share of the market SSL certificates.