CA/WoSign Issues

86 bytes added, 17:55, 7 September 2016
Update V with links to certs
''(a.k.a. "Issue 2")''
In July 2016, it became clear that there were some problems with the StartEncrypt automatic issuance service recently deployed by the CA StartCom. This was a StartCom-branded service and was not publicised as being able to issue certificates from WoSign. However, changing a simple API parameter in the POST request on the submission page changed the intermediate/root certificate to which the resulting certificate chained up. The value "2" made a certificate signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free SSL Certificate G2" and "0" selected "CA 沃通根证书", another root certificate owned by WoSign and trusted by Firefox.
A security investigator used the value "1", and acquired two certificates which had notBefore dates (usage start date) of 20th December 2015, and which were signed using the SHA-1 checksum algorithm. [https://crt.sh/?q=30741722 Cert 1], [https://crt.sh/?id=30741724 Cert 2].
* The issuance of certificates using SHA-1 has been banned by the Baseline Requirements since January 1st, 2016. Browsers, including Firefox, are enforcing this - in Firefox's case, for publicly-trusted CAs, since [https://bugzilla.mozilla.org/show_bug.cgi?id=1254667 Firefox 48], released on 1st August 2016.
* The issuance of backdated certificates is not forbidden, but is included in [https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date Mozilla's list of Problematic Practices]. It says "Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not."
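As an added illustration (not part of this wiki page or of any CA's tooling), the following Go check uses the standard crypto/x509 types to flag a leaf certificate for the two practices listed above: a SHA-1 signature with a notBefore on or after the 1 January 2016 ban date, and a notBefore set well before the time the certificate was actually obtained, which is how the two certificates described above escaped that ban. The dates come from the page; the 48-hour tolerance for "minor tweaking" of notBefore and the sample certificate are assumptions constructed for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

var (
	// Dates from the page: BR ban on SHA-1 issuance; Firefox 48 enforces it.
	sha1BanDate = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
	// Assumed allowance for "minor tweaking for technical compatibility".
	backdateTolerance = 48 * time.Hour
)

// isSHA1 reports whether the certificate's own signature uses SHA-1.
func isSHA1(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// AuditLeaf returns findings for a leaf certificate. observed is when the
// certificate was actually obtained (time of the issuance request or the
// CT log entry); notBefore is compared against it to detect backdating.
func AuditLeaf(c *x509.Certificate, observed time.Time) []string {
	var findings []string
	sha1 := isSHA1(c.SignatureAlgorithm)
	if sha1 && !c.NotBefore.Before(sha1BanDate) {
		findings = append(findings, "SHA-1 signature with notBefore on/after 2016-01-01: forbidden by the Baseline Requirements and rejected by Firefox 48+")
	}
	if lag := observed.Sub(c.NotBefore); lag > backdateTolerance {
		msg := fmt.Sprintf("notBefore %s is %.0f days before observed issuance %s: backdated",
			c.NotBefore.Format("2006-01-02"), lag.Hours()/24, observed.Format("2006-01-02"))
		if sha1 && c.NotBefore.Before(sha1BanDate) && !observed.Before(sha1BanDate) {
			msg += " (circumvents the SHA-1 issuance ban)"
		}
		findings = append(findings, msg)
	}
	return findings
}

func main() {
	// Constructed sample modelled on the page: SHA-1 leaf, notBefore
	// 20 December 2015, actually obtained in July 2016.
	leaf := &x509.Certificate{
		SignatureAlgorithm: x509.SHA1WithRSA,
		NotBefore:          time.Date(2015, time.December, 20, 0, 0, 0, 0, time.UTC),
	}
	for _, f := range AuditLeaf(leaf, time.Date(2016, time.July, 1, 0, 0, 0, 0, time.UTC)) {
		fmt.Println("FINDING:", f)
	}
}
```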