Google now, like Mozilla, no longer trusts WoSign & StartCom certification:
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
Also read here on certificate transparency:
https://www.certificate-transparency.org/what-is-ct
Apart from what we read there, there seems to be more insecurity coming from SSL证书_HTTPS加密_SSL数字证书 - 沃通CA【官网】
Only when we check here do we see that the certificate is installed correctly:
https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
Certificate information
This server uses an Extended Validation (EV) certificate. Information about the site owner has been fully validated by WoSign CA Limited to help secure personal and financial information.
Common name:
www.wosign.com
SAN:
www.wosign.com, wosign.com, xn--buw427e.xn--fiqz9s, xn--buw427e.xn--fiqs8s, xn--buw427e.cn, xn--buw427e.com, wosign.tw, www.wosign.tw, wosign.us, www.wosign.us, wosign.hk, www.wosign.hk, wosign.com.hk, www.wosign.com.hk, wosign.com.cn, www.wosign.com.cn, wosign.cn, www.wosign.cn
Valid from:
2016-Feb-24 07:24:45 GMT
Valid to:
2018-Apr-24 07:24:45 GMT
Certificate status:
Valid
Revocation check method:
OCSP
Organization:
WoSign 沃通电子认证服务有限公司
Organizational unit:
City/locality:
深圳市
State/province:
广东省
Country:
CN
Certificate Transparency:
Embedded in certificate
Serial number:
28a6d32c2b971b896cd0de9477fd2a06
Algorithm type:
SHA256withRSA
Key size:
2048
Certificate chain
Certification Authority of WoSign - Intermediate certificate
WoSign Class 4 EV Server CA G2 - Intermediate certificate
www.wosign.com - Tested certificate
Server configuration
Host name:
211.151.125.105
Server type:
Microsoft-IIS/7.5
IP address:
211.151.125.105
Port number:
443
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Protocols not enabled:
SSLv3
SSLv2
Secure Renegotiation:
Enabled
Downgrade attack prevention:
Not Enabled
Next Protocol Negotiation:
Not Enabled
Session resumption (caching):
Enabled
Session resumption (tickets):
Not Enabled
Strict Transport Security (HSTS):
Not Enabled
SSL/TLS compression:
Not Enabled
Heartbeat (extension):
Not Enabled
RC4:
Not Enabled
OCSP stapling:
Enabled
Vulnerabilities checked:
Heartbleed
Poodle (TLS)
Poodle (SSLv3)
FREAK
BEAST
CRIME
Cipher suites enabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
But here is where we see it go wrong:
https://asafaweb.com/Scan?Url=https%3A%2F%2Fwosign.com
with a Custom Errors: Fail, an excessive headers warning and a clickjacking warning.
The F-Status here is not building more confidence either:
https://observatory.mozilla.org/analyze.html?host=wosign.com
as is this one here:
https://sritest.io/#report/8353f268-5c60-4145-9d50-d22f5ba5f7f2
Retirable jQuery library: - https://wosign.com
Detected libraries:
jquery - 1.11.3 : (active1) -https://wosign.com/JS/jquery-1.11.3.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected
Others could check similarly on StartCom. I doubt the situation is very much different from that at WoSign's.
polonus (volunteer website security analyst and website error-hunter)
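As an added example (not part of polonus's post or of any of the scanners linked above), here is a small Python triage of the pasted server-configuration report: it parses the "Key:" / value line pairs and the cipher-suite list, then flags the defender-relevant findings visible in it (HSTS not enabled, no downgrade-attack prevention, legacy TLS 1.0/1.1, a 3DES suite, and static-RSA suites without forward secrecy). The sample report embedded below is a constructed subset of the one in the post.

```python
import re

# Constructed sample: a subset of the server-configuration report above.
SAMPLE_REPORT = """\
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Downgrade attack prevention:
Not Enabled
Strict Transport Security (HSTS):
Not Enabled
Cipher suites enabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
"""

def parse_report(text):
    """Map each 'Key:' line to the list of value lines that follow it."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            key = line[:-1]
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return fields

def triage(fields):
    """Return (severity, message) findings a defender would act on."""
    findings = []
    if fields.get("Strict Transport Security (HSTS)") == ["Not Enabled"]:
        findings.append(("medium", "HSTS missing: first visit can be kept on plain HTTP"))
    if fields.get("Downgrade attack prevention") == ["Not Enabled"]:
        findings.append(("medium", "no TLS_FALLBACK_SCSV: protocol downgrade not blocked"))
    legacy = sorted(set(fields.get("Protocols enabled", [])) & {"TLS1.0", "TLS1.1"})
    if legacy:
        findings.append(("low", "legacy protocols enabled: " + ", ".join(legacy)))
    for raw in fields.get("Cipher suites enabled", []):
        suite = re.sub(r"\s*\(0x[0-9A-Fa-f]+\)$", "", raw)  # strip the hex suite id
        if "3DES" in suite:
            findings.append(("medium", f"{suite}: 64-bit block cipher (Sweet32)"))
        if suite.startswith("TLS_RSA_WITH_"):
            findings.append(("low", f"{suite}: static RSA key exchange, no forward secrecy"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{sev}] {msg}")
```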