WoSign/StartCom 2016
The CAs That Lied
Backdated certificates, a secret acquisition, and the lies that killed two Certificate Authorities.

Quick Facts
| Fact | Detail |
|---|---|
| CAs | WoSign (China) + StartCom (Israel) |
| Year | 2016 |
| Attack Type | Internal deception - backdating, secret acquisition, lying |
| Backdated Certificates | 64+ SHA-1 certificates issued after deadline |
| Secret Acquisition | StartCom bought Nov 2015, hidden for ~1 year |
| Time to Distrust | Gradual - 18 months from disclosure to full removal |
| Outcome | StartCom shut down Jan 2018, WoSign damaged |
| The Lesson | Deception is fatal. Browsers investigate. They will find the truth. |
The 30-Second Version
The Players
| Entity | Role |
|---|---|
| WoSign | Chinese CA known for free certificates |
| StartCom | Israeli CA (StartSSL), also offered free certs since 1999 |
| Qihoo 360 | Chinese megacorp that owned WoSign |
| Richard Wang | WoSign CEO who approved the backdating |
| Mozilla | Led the investigation (Gervase Markham) |
| | Coordinated distrust with Mozilla |
How It Started
GitHub Gets a Surprise Certificate
In mid-2016, GitHub's security team noticed something strange: a certificate had been issued for a GitHub domain - but GitHub hadn't requested it. The certificate was issued by WoSign.
GitHub alerted Google, who began investigating.
What They Found
The investigation revealed a pattern of problems at WoSign:
- Certificates issued without proper domain validation
- A vulnerability that allowed anyone to get certs for domains they didn't control
- SHA-1 certificates issued after the January 1, 2016 deadline
- And something even more suspicious...
The Secret Acquisition
November 2015
WoSign quietly acquired StartCom, an Israeli CA.
The Problem
CAs are required to disclose ownership changes to browser root programs. WoSign didn't.
When Mozilla investigators started digging, they found:
- StartCom and WoSign were sharing infrastructure
- StartCom certificates showed "WoSign fingerprints" in their style
- The two "separate" CAs were operating as one
- WoSign had hidden the acquisition through a chain of shell companies
Why It Mattered
Browser vendors need to know who owns a CA because:
- Accountability: ownership affects who is responsible
- Liability: parent companies inherit CA actions
- Trust: decisions depend on knowing who's in charge
WoSign deliberately hid this information for nearly a year.
The Backdating Scandal
The SHA-1 Deadline
The CA/Browser Forum set January 1, 2016 as the deadline: no more SHA-1 certificates after that date. Browsers would enforce this by checking the certificate's "notBefore" date.
WoSign's "Solution"
Instead of complying, WoSign backdated certificates: SHA-1 certificates actually issued in 2016 were given a "notBefore" date from before the deadline, so the browsers' date check would pass.
The Evidence
Mozilla's investigation found at least 64 backdated SHA-1 certificates from WoSign, plus 2 from StartCom.
Even more damning: WoSign's own system had a dropdown that let operators select which CA to use - and selecting certain options would automatically generate backdated certificates.
This wasn't a bug. It was a feature.
The Lies
Throughout the investigation, WoSign repeatedly misled browser vendors:
| What WoSign Said | The Truth |
|---|---|
| "We didn't acquire StartCom" | They completed the acquisition in November 2015 |
| "StartCom operates independently" | They shared infrastructure, staff, and policies |
| "Only 127 certificates were mis-issued" | At least 30,000 certificates had problems |
| "We've fixed the issues" | New problems kept being discovered |
The Meeting
In October 2016, Qihoo 360 executives met with Mozilla in London to try to negotiate a settlement. Mozilla wasn't buying it.
The Timeline
| Date | Event |
|---|---|
| Nov 2015 | WoSign secretly acquires StartCom |
| Jan 1, 2016 | SHA-1 deadline passes |
| Jan-Jul 2016 | WoSign issues backdated SHA-1 certificates |
| Mid-2016 | GitHub alerts Google about unauthorized certificate |
| Aug 2016 | Mozilla begins formal investigation |
| Sep 2016 | Mozilla publishes devastating investigation report |
| Sep 30, 2016 | Apple announces distrust |
| Oct 2016 | Qihoo 360 fires CEO Richard Wang |
| Oct 21, 2016 | Distrust date - new certificates won't be trusted |
| Oct 24, 2016 | Mozilla formally announces distrust |
| Nov 1, 2016 | Google announces Chrome will distrust |
| Sep 2017 | Chrome 61 fully distrusts all WoSign/StartCom |
| Nov 2017 | StartCom announces shutdown |
| Jan 1, 2018 | StartCom stops issuing certificates |
| Jan 2018 | Firefox 58 removes all WoSign/StartCom roots |
The Browser Response
Unlike DigiNotar (immediate full distrust) or Symantec (gradual), WoSign/StartCom got a phased approach:
Phase 1: Date-Based Distrust
- Certificates issued after October 21, 2016 → Not trusted
- Certificates issued before → Still trusted (for now)
Phase 2: Whitelist Reduction
- Chrome 57: Only trust certs for Alexa Top 1M sites
- Chrome 58: Only trust certs for Alexa Top 500K sites
Phase 3: Full Removal
- Chrome 61 (September 2017): Full distrust
- Firefox 58 (January 2018): Full distrust
Why the Gradual Approach?
Both WoSign and StartCom had large customer bases (they offered free certificates before Let's Encrypt existed). An immediate kill would have broken too many sites.
The Lessons
1. Deception Is Fatal
WoSign didn't just make mistakes - they actively lied about them. The coverup was worse than the crime.
When you're caught, transparency is your only hope. Lying destroys any remaining trust.
2. Browser Vendors Investigate
Mozilla's Gervase Markham personally led a months-long investigation. He read audit reports, analyzed certificate data, and pieced together the secret acquisition.
Browser vendors have the resources and motivation to uncover the truth. Don't assume you won't get caught.
3. Free Certificates Aren't Free
Both WoSign and StartCom attracted users with free certificates. But "free" meant cutting corners on validation and compliance.
When choosing a CA, price shouldn't be the only factor. (Note: Let's Encrypt is free AND properly operated - it's possible, just not automatic.)
4. Ownership Matters
The secret StartCom acquisition showed why disclosure requirements exist. If a CA gets acquired by an entity you don't trust, you need to know.
CA ownership and governance matter as much as technical security.
5. Backdating Is Detectable
WoSign thought they could hide SHA-1 certificates by manipulating dates. Certificate Transparency logs made them discoverable anyway.
With CT, everything is public eventually. Don't try to hide issuance.
The Aftermath
WoSign
Tried to continue operating but lost most of its market. The brand was irreparably damaged.
StartCom
Attempted to rebuild under Qihoo 360 management. In November 2017, they announced closure, citing inability to regain browser trust. Shut down January 1, 2018.
Richard Wang
Fired as CEO but reportedly continued working at WoSign as COO while "searching for a new CEO."
Qihoo 360
Lost both CA businesses. The megacorp's reputation in the security community was severely damaged.
Let's Encrypt
The timing was fortunate. Let's Encrypt launched in 2016, providing a free, trustworthy alternative just as WoSign/StartCom collapsed.
WoSign vs. Other CA Failures
| | WoSign (2016) | DigiNotar (2011) | Entrust (2024) |
|---|---|---|---|
| Root cause | Deliberate deception | External breach | Compliance failures |
| Lying involved? | Yes, repeatedly | Yes (hid breach 41 days) | No (just disagreed) |
| Human impact | Business disruption | ~300K surveilled | Business disruption |
| Distrust speed | Gradual (18 months) | Immediate (3 days) | 5 months |
| Outcome | StartCom closed | Bankrupt in 24 days | CA sold to Sectigo |
FAQ
Why were WoSign and StartCom treated together?
Because WoSign secretly owned StartCom and they were sharing infrastructure. They were effectively one organization pretending to be two.
Did StartCom do anything wrong itself?
StartCom issued backdated certificates after being acquired by WoSign. They also failed to disclose the ownership change. Whether the Israeli team knew about WoSign's other issues is unclear.
Why did the gradual distrust take so long?
Both CAs had significant customer bases from offering free certificates. Browser vendors wanted to give site owners time to migrate without mass breakage.
Could a CA do this backdating today?
Much harder. Certificate Transparency logs now record issuance time independently. Backdated certs would show a mismatch between CT log timestamp and certificate notBefore date.
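As an added illustration (not code from the original page or from any browser root program), here is the check this answer and lesson 5 describe, in Python: a SHA-1 certificate whose notBefore claims pre-deadline issuance, but which Certificate Transparency first saw well after that date, is flagged as a suspected backdate. The 3-day lag threshold and the sample records are constructed assumptions, not real WoSign data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy fact from the page: no SHA-1 certificates after this date, and
# browsers enforce it by checking the certificate's notBefore field.
SHA1_DEADLINE = datetime(2016, 1, 1, tzinfo=timezone.utc)
# Assumption (not from the page): a precertificate SCT is minted when the CA
# logs the precert at issuance, so a long gap between notBefore and the
# earliest SCT timestamp is hard to explain without backdating.
MAX_ISSUANCE_LAG = timedelta(days=3)

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

@dataclass
class CertRecord:
    serial: str             # hex serial; sample values below are constructed
    sig_alg: str            # signature algorithm name, e.g. sha1WithRSAEncryption
    not_before: datetime    # notBefore as stated inside the certificate
    sct_ms: list = field(default_factory=list)  # SCT timestamps, ms since epoch

def earliest_sct(rec):
    """Earliest CT log timestamp for the cert, or None if it was never logged."""
    if not rec.sct_ms:
        return None
    return datetime.fromtimestamp(min(rec.sct_ms) / 1000, tz=timezone.utc)

def classify(rec):
    """Compare the issuance date the cert claims against the date CT first saw it."""
    if not rec.sig_alg.lower().startswith("sha1"):
        return "ok"                    # SHA-2 certs are outside the SHA-1 rule
    if rec.not_before >= SHA1_DEADLINE:
        return "sha1-after-deadline"   # browsers reject this on notBefore alone
    seen = earliest_sct(rec)
    if seen is None:
        return "no-ct"                 # issuance time cannot be corroborated
    if seen - rec.not_before > MAX_ISSUANCE_LAG:
        return "suspected-backdate"    # claims pre-deadline issuance, CT saw it much later
    return "ok"

def scan(records):
    """Map each serial to its verdict; run over a CA's full CT-logged corpus in practice."""
    return {r.serial: classify(r) for r in records}

# Constructed sample records (not real WoSign or StartCom certificates).
SAMPLE = [
    CertRecord("01", "sha256WithRSAEncryption", utc(2016, 3, 1), [int(utc(2016, 3, 1).timestamp() * 1000)]),
    CertRecord("02", "sha1WithRSAEncryption", utc(2015, 12, 20), [int(utc(2015, 12, 20, 6).timestamp() * 1000)]),
    CertRecord("03", "sha1WithRSAEncryption", utc(2015, 12, 20), [int(utc(2016, 2, 15).timestamp() * 1000)]),
    CertRecord("04", "sha1WithRSAEncryption", utc(2016, 2, 10), [int(utc(2016, 2, 10).timestamp() * 1000)]),
    CertRecord("05", "sha1WithRSAEncryption", utc(2015, 12, 30)),
]
```

Serial 03 is the WoSign pattern: a pre-deadline notBefore that CT did not see until February 2016.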
What happened to customers using WoSign/StartCom certificates?
They had to replace their certificates with ones from other CAs. DigiCert, Let's Encrypt, Sectigo, and others absorbed the migration.