30 May 2019
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
Another certificate authority is being removed from browsers due to repeated violations of certificate validation rules. In April, Andrew Ayer noticed that Certinomis had issued fourteen precertificates for an unregistered domain name and reported it to Mozilla. In the discussion that followed in the bug tracker, Google developer Ryan Sleevi raised several concerns about the reaction of Certinomis.
Mozilla members collected information about this and previous issues with Certinomis on a wiki page, and Mozilla’s Wayne Thayer asked the community for input. The previous issues included a subcertificate that was given to StartCom back in 2017, when the existing StartCom certificates were distrusted. There were also a variety of cases in which Mozilla was unhappy with the lack of response from Certinomis to problems.
It seems the number of incidents and the insufficient response from Certinomis led to a decision at Mozilla to distrust the certificate authority completely and remove its root certificate from the Mozilla root store.
Meanwhile, security issues with Certinomis seem to continue. New certificates with invalid object identifiers (OIDs) and new certificates for unregistered domains were issued by the end of May.