For most internet users, the small lock icon in the browser address bar is a symbol of safety. It indicates that communication between the user and a website is encrypted and verified through a digital certificate. Behind this simple visual cue lies a complex infrastructure built on trust between browsers, websites, and certificate authorities.
In 2016, that trust was shaken when serious problems were discovered involving two certificate authorities: WoSign and StartCom. Investigations revealed a pattern of improper certificate issuance, policy violations, and failure to disclose security incidents. Eventually, major browser vendors decided to revoke trust in certificates issued by these companies.
The incident became one of the most significant examples of how a certificate authority can lose the trust of the internet ecosystem.
The Role of Certificate Authorities
When a user visits a secure website using HTTPS, the website presents a digital certificate verifying that it controls the domain name. This certificate is issued by a trusted certificate authority (CA).
Browsers rely on a list of trusted certificate authorities embedded in their software. If a certificate is signed by one of these authorities, the browser accepts it and establishes an encrypted connection.
This system works because certificate authorities are expected to follow strict verification procedures before issuing certificates. These procedures ensure that only legitimate domain owners can obtain certificates for their websites.
If a CA fails to follow these rules, attackers could obtain certificates for domains they do not control. Such certificates could be used for phishing, malware distribution, or man-in-the-middle attacks.
The WoSign / StartCom scandal exposed serious weaknesses in how some certificate authorities were operating.
Who Were WoSign and StartCom?
WoSign was a Chinese certificate authority founded in 2006. The company provided SSL/TLS certificates to websites worldwide and had its root certificates trusted by major browsers.
StartCom, based in Israel, was another certificate authority known for offering free SSL certificates through its StartSSL service.
In 2015, WoSign quietly acquired StartCom. However, this acquisition was not initially disclosed to browser vendors or the broader security community.
The lack of transparency around this acquisition later became one of the central issues in the controversy.
Early Signs of Problems
The first major concerns about WoSign appeared when security researchers discovered that the company had issued certificates that violated industry rules.
One particularly alarming case involved a researcher who was able to obtain a certificate for a domain he did not control.
The researcher managed to obtain a valid certificate for www.ucf.edu, a domain belonging to the University of Central Florida. This occurred because of weaknesses in the domain validation process used by the certificate authority.
Domain validation is supposed to prove that the applicant controls the domain name before a certificate is issued. In this case, the validation process was flawed.
If a malicious actor had exploited the same weakness, they could have obtained certificates for websites they did not own.
Improper Backdating of Certificates
As investigators continued examining WoSign’s operations, they discovered additional irregularities.
One of the most controversial practices involved backdating certificates.
In 2015, the certificate authority industry implemented a rule limiting the validity of SSL certificates to a maximum of 39 months. However, WoSign issued certificates with longer lifetimes by manipulating the issuance dates.
By backdating certificates to earlier dates, the company made them appear compliant with industry policies even though they were not.
This practice violated the rules set by the CA/Browser Forum, the industry group responsible for establishing standards for certificate authorities and browsers.
Hidden Acquisition of StartCom
Another major issue emerged when it was discovered that WoSign had secretly acquired StartCom.
The acquisition occurred in 2015, but the company did not immediately inform browser vendors about the change in ownership.
Transparency is critical in the certificate authority ecosystem. Browser vendors must know who controls certificate authorities because ownership changes could introduce new security or regulatory risks.
When the undisclosed acquisition became public, it raised serious concerns about governance and accountability.
The discovery intensified scrutiny of both companies’ operations.
Growing Distrust from Browser Vendors
As more information surfaced, browser vendors began to lose confidence in WoSign and StartCom.
Companies responsible for major web browsers began investigating whether the certificate authorities could still be trusted. These included:
- Mozilla
- Microsoft
- Apple
The central issue was not just individual mistakes but a pattern of problematic behavior. Investigators found evidence of:
- improper certificate issuance
- policy violations
- insufficient transparency
- delayed disclosure of incidents
These concerns suggested deeper governance problems rather than isolated technical errors.
Browser Vendors Take Action
After months of investigation, browser vendors decided to take action.
Instead of immediately distrusting all existing certificates, they introduced a phased revocation of trust.
Browsers announced that they would stop trusting new certificates issued by WoSign and StartCom after certain dates.
This meant that websites using newly issued certificates from these authorities would begin to trigger browser warnings.
Eventually, trust in the companies’ root certificates was removed entirely.
This decision effectively ended the ability of WoSign and StartCom to operate as publicly trusted certificate authorities.
Impact on Website Owners
The decision created significant disruption for websites using certificates issued by the affected authorities.
Organizations that relied on WoSign or StartCom certificates had to replace them with certificates from other trusted providers.
If they failed to do so, visitors would see browser warnings indicating that the site’s security certificate could not be trusted.
For businesses, such warnings can damage user confidence and lead to lost traffic or sales.
As a result, many organizations rushed to migrate their certificates before the trust deadlines took effect.
The Importance of Transparency
One of the biggest lessons from the WoSign / StartCom scandal was the importance of transparency in the certificate authority ecosystem.
Certificate authorities operate as trusted guardians of internet security. Because of this role, they must maintain open communication with browser vendors and the security community.
Failing to disclose security incidents or ownership changes undermines trust in the entire system.
The WoSign case demonstrated that transparency failures can be just as damaging as technical vulnerabilities.
Strengthening the Certificate Ecosystem
The scandal contributed to broader efforts to strengthen the security and accountability of certificate authorities.
Several improvements in the TLS ecosystem gained momentum during this period.
One of the most important developments was the widespread adoption of Certificate Transparency.
Certificate Transparency logs provide a public, append-only record of the certificates issued by participating certificate authorities. Security researchers and domain owners can monitor these logs to detect certificates that should not exist, such as a certificate for their own domain that they never requested.
If a certificate appears that was issued improperly, it can be investigated and revoked quickly.
This system helps prevent unauthorized certificates from remaining undetected.
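The checks described in this article map naturally onto a log-monitoring job: flag certificates whose validity exceeds the 39-month limit, certificates whose issuance date lies suspiciously far before the moment the log first saw them (a backdating indicator), certificates a distrusted CA issued after a vendor cutoff date, and certificates for domains you own that came from an issuer you never used (the www.ucf.edu situation seen from the domain owner's side). The following Python is an added example written for this page, not code from any browser vendor, CA, or Certificate Transparency project. The log entries, domain names, issuer names, the cutoff date, and the 30-day backdating tolerance are all constructed placeholders; real monitoring would read SCT timestamps and certificate fields from an actual log.

```python
from dataclasses import dataclass
from datetime import date

# Policy constants. The 39-month maximum is the industry limit the article
# describes; the tolerance and cutoff below are illustrative assumptions.
MAX_VALIDITY_MONTHS = 39
BACKDATE_TOLERANCE_DAYS = 30  # heuristic: notBefore this far before the log saw it is suspicious

# Placeholder cutoff date for issuers the browsers stopped trusting. The real
# vendor dates are not given here; this value is constructed for the example.
DISTRUST_CUTOFFS = {
    "WoSign": date(2016, 10, 1),
    "StartCom": date(2016, 10, 1),
}


@dataclass(frozen=True)
class LogEntry:
    """Minimal view of one Certificate Transparency log entry (constructed shape)."""
    subject: str        # DNS name the certificate is valid for
    issuer_org: str     # organization named in the issuer field
    not_before: date    # certificate validity start
    not_after: date     # certificate validity end
    logged_at: date     # when the log recorded the certificate (SCT timestamp, day resolution)


def validity_months(not_before: date, not_after: date) -> int:
    """Whole months between the two dates, rounding down partial months."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    if not_after.day < not_before.day:
        months -= 1
    return months


def check_entry(entry: LogEntry, owned_domains: set, expected_issuers: set) -> list:
    """Return the list of policy findings for one log entry (empty if clean)."""
    findings = []

    # 1. Lifetime longer than the industry maximum.
    if validity_months(entry.not_before, entry.not_after) > MAX_VALIDITY_MONTHS:
        findings.append("validity-exceeds-39-months")

    # 2. notBefore far earlier than the log's first sighting: possible backdating.
    if (entry.logged_at - entry.not_before).days > BACKDATE_TOLERANCE_DAYS:
        findings.append("backdating-indicator")

    # 3. Issued by a distrusted CA after the cutoff date: browsers will reject it.
    cutoff = DISTRUST_CUTOFFS.get(entry.issuer_org)
    if cutoff is not None and entry.not_before > cutoff:
        findings.append("issued-by-distrusted-ca-after-cutoff")

    # 4. A certificate for one of our own domains from an issuer we never used.
    if entry.subject in owned_domains and entry.issuer_org not in expected_issuers:
        findings.append("unexpected-issuer-for-owned-domain")

    return findings


def scan(entries, owned_domains, expected_issuers):
    """Run check_entry over a batch and keep only entries with findings."""
    report = []
    for entry in entries:
        findings = check_entry(entry, owned_domains, expected_issuers)
        if findings:
            report.append((entry.subject, entry.issuer_org, findings))
    return report


# Constructed sample log entries covering each case the article describes.
SAMPLE_ENTRIES = [
    LogEntry("www.example.org", "ExampleTrust", date(2016, 3, 1), date(2017, 3, 1), date(2016, 3, 1)),
    LogEntry("shop.example.net", "WoSign", date(2015, 12, 1), date(2019, 2, 1), date(2016, 6, 15)),
    LogEntry("mail.example.net", "WoSign", date(2015, 1, 15), date(2019, 1, 15), date(2015, 1, 15)),
    LogEntry("blog.example.net", "StartCom", date(2016, 11, 5), date(2017, 11, 5), date(2016, 11, 5)),
    LogEntry("www.example.org", "WoSign", date(2016, 5, 1), date(2017, 5, 1), date(2016, 5, 1)),
]
OWNED_DOMAINS = {"www.example.org"}
EXPECTED_ISSUERS = {"ExampleTrust"}

if __name__ == "__main__":
    for subject, issuer, findings in scan(SAMPLE_ENTRIES, OWNED_DOMAINS, EXPECTED_ISSUERS):
        print(f"{subject} ({issuer}): {', '.join(findings)}")
```

The backdating check is deliberately a heuristic: a CA may legitimately submit an older certificate to a log well after issuance, so a hit should trigger investigation rather than automatic revocation. The owned-domain check is the one a domain owner gets the most value from, since it catches mis-issuance regardless of which CA made the mistake.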
Why the Incident Still Matters
The WoSign / StartCom scandal was a turning point in how the internet community deals with trust in certificate authorities.
Unlike earlier incidents such as the collapse of DigiNotar, which involved an intrusion into the CA's own systems, the WoSign case demonstrated that policy violations and governance failures can also threaten internet security.
The episode showed that browser vendors are willing to revoke trust from certificate authorities that fail to follow industry standards.
It also reinforced the importance of strict auditing, transparency, and accountability in the certificate authority ecosystem.
Conclusion
The WoSign / StartCom scandal was one of the most significant certificate authority controversies of the past decade. Through a combination of improper certificate issuance, policy violations, and lack of transparency, the two companies lost the trust of the browser vendors that form the backbone of the web’s security model.
As a result, major browsers gradually revoked trust in their certificates, forcing websites to migrate to other providers.
The incident serves as an important reminder that the security of the internet depends not only on cryptography but also on the integrity and accountability of the organizations responsible for managing digital trust.
In the years since the scandal, improvements such as certificate transparency, stronger auditing standards, and stricter industry oversight have helped strengthen the TLS ecosystem. Nevertheless, the lessons from the WoSign / StartCom case continue to shape how the internet community safeguards trust in secure communication.