Bugzilla #1283498
Certificate Misissuance
StartCom StartEncrypt vulnerability allowed issuance of fraudulent google.com, dropbox.com, etc. certificates
RESOLVED
Start Commercial (StartCom) Ltd.
AI Summary
A vulnerability in StartCom's StartEncrypt service allowed the fraudulent issuance of certificates for major domains, including google.com and dropbox.com. This incident raised significant concerns about the security practices of StartCom. Following the discovery, StartCom took steps to close the service and announced the fix on their website. Mozilla has since taken action against StartCom in light of this issue.
Chronology
- Vulnerability reported allowing fraudulent certificate issuance.
- StartCom closed the StartEncrypt service.
- Mozilla took action against StartCom.
Participants
Dan Callahan
Kathleen Wilson
Eddy Nigg
Gervase Markham
External References
Similar Local Cases
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
StartCom's key for bogus www.mozilla.com certificate should be destroyed
StartCom: mis-issuance of certs with unvalidated domain names and bogus field values
WoSign issued SHA-1 SSL certs and backdated the issuance date on SSL certificates
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
SHA-1 issuance by Visa root
SHA-1 issuance by DocuSign root
SHA-1 issuance by DigiCert roots