StartCom officially confirmed the report that Qihoo 360 decided to shut down the SSL certificate brand from the start of 2018. In 2020, all certificates will be revoked.
StartCom was an Israeli certificate authority that was sold to a Chinese CA called WoSign at the end of 2015. StartCom focused on offering root and intermediate certificates for WoSign, while also helping WoSign build public key infrastructure (PKI).
Surprisingly, Qihoo 360 announced 100% control over StartCom in the second half of 2016; no StartCom employees are working on WoSign premises, and part of the PKI has been moved onto Qihoo 360’s servers. In September 2016, Firefox maker Mozilla proposed to stop trusting new digital certificates from the Chinese certificate authority because it had intentionally back-dated certificates to avoid blocks on SHA-1 issuance in browsers.
Over the course of the next year, Google decided to distrust all certificates issued by WoSign and StartCom with the release of Chrome 61 because they failed to keep up with the high standards expected of CAs. Apple was quick to follow Google’s move. In August 2017, Microsoft decided to remove WoSign and StartCom certificates in Windows 10.
Seeing little hope for StartCom and its parent company WoSign to recover from the loss of trust in their certificate services by Google, Mozilla, Microsoft and Apple, the owner of StartCom, Qihoo 360, chose to terminate StartCom as a certificate authority.
Currently, all code signing certificates of WoSign are offered by Certum and DigiCert. The company has also announced that it will change its English name to WoTrus and adopt a newly designed logo.
However, WoSign and StartCom are not the only certificate authorities to have their certificates distrusted by major browser makers. Symantec, once the world’s largest certificate authority, has had its TLS certificates blacklisted by Google. Symantec was accused of misissuing at least 3,000 certificates over a period spanning several years. In order to sharpen its enterprise focus, Symantec had no choice but to sell its website security business to DigiCert. As part of the deal, the company received $950 million in cash up front and gained a 30% stake in DigiCert upon the closing of the transaction.
The SSL certificate industry is facing a severe winter, many observers have said. In early 2017, the CA/Browser Forum voted to reduce the maximum certificate lifetime to 825 days for OV and DV SSL/TLS certificates. As of March 1, 2018, CAs will no longer issue 3-year OV and DV certificates. In addition, all reissues and duplicate issues of DV and OV certificates after February 28, 2018 will be limited to at most 825 days of validity, no matter how much time remains on them.