Bulletproof TLS Newsletter #53
Certificate Authority Certinomis removed from Firefox browser
30 May 2019
Author: Hanno Böck

This issue was distributed to 50,635 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Certificate Authority Certinomis removed from Firefox browser
  2. Short news

Certificate Authority Certinomis removed from Firefox browser

Another certificate authority is being removed from browsers due to repeated violations of certificate validation rules. In April, Andrew Ayer noticed that Certinomis had issued fourteen precertificates for an unregistered domain name and reported it to Mozilla. In the discussion that followed in the bug tracker, Google developer Ryan Sleevi raised several concerns about the reaction of Certinomis.

Mozilla members collected information about this and previous issues with Certinomis on a wiki page, and Mozilla’s Wayne Thayer asked the community for input. The previous issues included a subcertificate that was given to StartCom back in 2017 when the existing StartCom certificates were distrusted. There were also a variety of cases in which Mozilla was unhappy with Certinomis’s lack of response to problems.

It seems the number of incidents and the insufficient response from Certinomis led to a decision at Mozilla to distrust the certificate authority completely and remove its root certificate from the Mozilla root store.

Meanwhile, security issues with Certinomis seem to continue. New certificates with invalid object identifiers (OIDs) and new certificates for unregistered domains were issued by the end of May.

Short news