What started in Firefox 51 ends in 58 as Mozilla removes a pair of disabled roots:

The decline of WoSign and StartCom has been one of the bigger stories in the SSL industry over the past year or so, and his January will likely mark the final chapter.

In a blog post written on August 30th on its Security Blog, Mozilla Program Manager Kathleen Wilson confirms the final phase of the plan: completely removing WoSign and StartCom's root certificates from Mozilla's root store in Firefox 58.

Mozilla, which is following the same action being taken by the other major browsers, announced its intention to remove the roots back in October of 2016, when it also announced that it would stop validating new certificates chaining to said root certificates. That change was made in Firefox 51.

As of January 2018, when Firefox 58 is released, Mozilla will have removed the roots from its trust store. Per Wilson: "Websites using certificates chaining up to any of the following root certificates need to migrate to another root certificate."

Mozilla will be removing the following root certificates in January 2018:

  • Certification Authority of WoSign
  • Certification Authority of WoSign G2
  • CA WoSign ECC Root
  • StartCom Certification Authority
  • StartCom Certification Authority G2

Why All the Distrust?

If you're looking for the short version, it's this: WoSign and StartCom, which are basically the same company, got caught mis-issuing SSL certificates in order to circumvent CAB Forum standards. The CAB Forum is the congress of Web Browsers and Certificate Authorities that acts as the de facto regulatory body for the SSL industry.

After a series of meetings, WoSign's CEO resigned and the browsers outlined a plan in which both CAs would be gradually distrusted until their roots would be removed from trust stores.

As Mozilla announced yesterday, the final deadline is in January.