
posted by cmn32480 on Tuesday October 11 2016, @05:01AM   Printer-friendly
from the certified-or-certifiable? dept.

Arthur T Knackerbracket has found the following story:

After being pinged by Mozilla for issuing backdated SHA-1 certificates, Chinese certificate authority WoSign's owner has put the cleaners through the management of WoSign and StartCom.

Mozilla put WoSign and StartCom on notice at the end of September.

As part of its response, the company has submitted around 200,000 certificates to Google's Certificate Transparency log as well as to its own CT log server, covering everything issued in 2015 and 2016, with a promise to expand that to "all certificates past and present".

In this discussion thread, Bugzilla lead developer Gervase Markham explains that people from WoSign's majority shareholder Qihoo 360 and StartCom met with Mozilla representatives last Tuesday in London.

WoSign's full response is here (PDF). In it, as summarised in the mailing list discussion by StartCom founder Eddy Nigg, the company promises to:

Qihoo 360 treats the backdating of SHA-1 certificates in January 2016 as the most serious violation, and as the reason for the executive reorganisation.

The incident report states: "Wosign is in process of making legal and personnel changes in both WoSign and StartCom to ensure that both WoSign and StartCom have leadership that understand and follow the standards of running a CA".

The incident report lists more than 60 backdated certificates, including the one issued to Australian-headquartered payments processor Tyro (The Register has previously contacted Tyro for comment, but received no response).
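The backdating described above (and in the related story below, which names the January 1, 2016 deadline for SHA-1 issuance) is detectable only with an independent record of when a certificate actually appeared, which is what Certificate Transparency logs provide. The following is an added example, not code from the story, the incident report or any CA: it reads the signature algorithm and validity dates straight out of a DER certificate with a hand-rolled parser (so it runs offline without an X.509 library), and applies a heuristic that is this example's own assumption: a SHA-1 certificate whose notBefore predates the cutoff but whose earliest independent sighting (for instance its CT log entry) is more than a couple of weeks after the cutoff goes into a "suspected backdated" review queue. The sample certificates are constructed, unsigned, and use a made-up issuer name.

```python
"""Flag SHA-1 certificates that claim pre-2016 issuance but were first seen
well after the cutoff. Added example with constructed sample certs; the
classification rule is a heuristic assumed here, not a CA/B Forum rule."""
from datetime import datetime, timedelta, timezone

SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)  # no SHA-1 issuance from this date
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA1_RSA_OID = "1.2.840.113549.1.1.5"
SHA256_RSA_OID = "1.2.840.113549.1.1.11"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# ---- minimal DER: encoder (to build the constructed samples) and decoder (for the check) ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytes([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            enc = bytes([0x80 | (arc & 0x7F)]) + enc
            arc >>= 7
        out += enc
    return der(0x06, out)

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(cert_der):
    """Return serial, both signature-algorithm OIDs and validity from a DER certificate."""
    _, cert, _ = read_tlv(cert_der)
    (_, tbs), (_, outer_alg), _sig = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), (_, tbs_alg), _issuer, (_, validity) = fields[:4]
    (nb_tag, nb), (na_tag, na) = children(validity)
    return {
        "serial": int.from_bytes(serial, "big"),
        "tbs_sig_alg": decode_oid(children(tbs_alg)[0][1]),
        "outer_sig_alg": decode_oid(children(outer_alg)[0][1]),
        "not_before": decode_time(nb_tag, nb),
        "not_after": decode_time(na_tag, na),
    }

def assess(cert_der, first_seen, slack=timedelta(days=14)):
    """first_seen: earliest independent sighting, e.g. the CT log entry timestamp (assumed input)."""
    c = parse_cert(cert_der)
    if c["tbs_sig_alg"] != c["outer_sig_alg"]:
        return "alg-mismatch"            # malformed certificate; reject outright
    if c["tbs_sig_alg"] not in SHA1_SIG_OIDS:
        return "ok"
    if c["not_before"] >= SHA1_CUTOFF:
        return "sha1-after-cutoff"       # forbidden on its face
    if first_seen >= SHA1_CUTOFF + slack:
        return "suspected-backdated"     # claims pre-cutoff issuance, seen only well after it
    return "legacy-sha1"

def build_sample_cert(sig_oid, not_before, not_after, serial=0x1234):
    """Constructed, unsigned sample (dummy key and signature bytes; made-up issuer name)."""
    alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Example Free SSL CA"))))
    validity = der(0x30, der_utctime(not_before) + der_utctime(not_after))
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x03") + der(0x02, b"\x03"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))

if __name__ == "__main__":
    cert = build_sample_cert(SHA1_RSA_OID, utc(2015, 12, 20), utc(2016, 12, 20))
    print(assess(cert, first_seen=utc(2016, 1, 20)))   # suspected-backdated
```

The "legacy-sha1" bucket is deliberately lenient: a genuinely old SHA-1 certificate that was simply never logged would also land in "suspected-backdated" when first logged late, so the output is a review queue to be checked against serial-number sequence and other issuance evidence, not a verdict.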


Related Stories

Google Drops the Boom on WoSign, StartCom Certs for Good 8 comments

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzhen, China) and StartCom (based in Eilat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates, allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of certificates to be misissued. One bug allowed someone who had proved control of only a subdomain to obtain certificates for the whole base domain. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.

Source: Google drops the boom on WoSign, StartCom certs for good

Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row
Game Over for WoSign and StartCom Certificate Authorities?

  • (Score: 0) by Anonymous Coward on Tuesday October 11 2016, @09:15AM (#412858)
    If Mozilla is really interested in security for users they should make it easier for users to trust certs from certain sites even if the users don't trust the CAs, or only trust them to sign certain certs. And also help keep track of the different certs for the same site (warn them if they change unexpectedly, e.g. signed by a different CA despite the existing cert being valid for months more; Certificate Patrol does something like that but can only track one cert per site and breaks down badly for many services nowadays that use multiple certs concurrently).

    That way if one day say Gandi signs Wosign's certs and does other bad stuff, we can choose to distrust Gandi for new certs (maintain trust for old known certs, or if less paranoid maintain trust for certs signed before X date), while still being able to visit AND still detect if SN's certs have changed suddenly.

    Try it for yourself - go distrust Gandi and see whether you can still visit SN with Firefox. I wasn't able to when I did it. There's a workaround but to me it's not a good one.

    I may trust "Lets Encrypt" to sign random sites, but I would like a warning if one day my bank's cert is signed by them. Same if the certs of those random sites get changed way before they expire.

    To me this CA stuff is broken (less about security and more about making money) and actually self-signed certs are more secure. If you're seeing the same self-signed cert from different connections and locations and at different times, it's pretty likely that you're not being MITMed, at least at the TLS level. If you ever get a different cert, you'll get a warning. In contrast, for most sites if any of the 200+ CAs sign a cert (whether tricked or hacked or whatever) your browser trusts it and doesn't warn you.

    Sure one day that site might get hacked and you shouldn't trust their self-signed cert anymore, but if that site gets hacked their cert should be low on your list of concerns.

    Despite the brainwashing from CAs and their stooges you should trust an expired (not revoked!) cert that you've _already_ been trusting for years more than a new cert. Of course if too many people and their browsers did that the CAs would go out of business :).
    • (Score: 0) by Anonymous Coward on Tuesday October 11 2016, @10:14AM (#412878)

      It's a bit more broken than that inside Firefox. In Firefox, certs are compiled into an .so object, thereby preventing a non-technical user from permanently removing them. Sure, you can distrust them, but you have to click like 300+ times in order to distrust all of them. There is NO good reason at all to have it designed that way. Unless you want lusers to keep trusting these CAs.

      • (Score: 0) by Anonymous Coward on Tuesday October 11 2016, @11:07AM (#412891)

        Microsoft's approach is even more broken:

        Basically CA certificates that are signed by Microsoft or another suitable CA in your trusted store will get automatically added to your cert store and trusted.

        With this approach, unknown/future certificates that you might not want to trust, could still get added and trusted automatically. It's worse than Pokemon - you can't catch them all. On Windows Chrome uses Microsoft's Cert infra so it's vulnerable to this problem too.

        At least with Firefox, you only need to do this whack-a-mole when Mozilla adds certs to the Firefox's store.
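The first Anonymous Coward above sketches a policy rather than code: remember the certs a site has actually presented (several may be in service at once), warn when a still-valid cert is replaced by one from a different issuer, and distrust a CA only for certificates issued after a chosen date while certs it signed earlier, or certs already seen, stay usable. The block below is an added example implementing that policy; it is not Certificate Patrol, not a Firefox feature, and not the commenter's code. Fingerprints, issuer labels ("Gandi", "Let's Encrypt") and dates are constructed placeholders; the fingerprint would in practice be the SHA-256 of the DER certificate.

```python
"""Per-host certificate observation store implementing the policy the comment
asks for. Added example with constructed data; issuer names are placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass(frozen=True)
class Observed:
    fingerprint: str       # e.g. SHA-256 of the DER cert (constructed values below)
    issuer: str            # issuing CA label
    not_before: date
    not_after: date

def observed(fingerprint, issuer, not_before, not_after):
    """Build an Observed from ISO date strings."""
    return Observed(fingerprint, issuer, date.fromisoformat(not_before), date.fromisoformat(not_after))

@dataclass
class PinStore:
    seen: dict = field(default_factory=dict)            # host -> {fingerprint: Observed}
    distrust_after: dict = field(default_factory=dict)  # issuer -> date from which its new certs are refused

    def distrust(self, issuer, since):
        """Refuse certs from `issuer` with notBefore on or after `since`; older ones keep working."""
        self.distrust_after[issuer] = date.fromisoformat(since)

    def accept(self, host, cert):
        """Record a cert the user chose to accept (also used after a 'warn')."""
        self.seen.setdefault(host, {})[cert.fingerprint] = cert

    def check(self, host, cert, today, grace_days=30):
        """Return (verdict, reason); verdict is 'ok', 'warn' or 'reject'."""
        today = date.fromisoformat(today)
        known = self.seen.get(host, {})
        if cert.fingerprint in known:
            # Identical cert seen before: trusted even if expired or its CA was distrusted later.
            return "ok", "cert already seen for this host"
        since = self.distrust_after.get(cert.issuer)
        if since is not None and cert.not_before >= since:
            return "reject", f"{cert.issuer} is distrusted for certs issued on or after {since}"
        # Certs for this host that should still be in service for a while.
        current = [c for c in known.values() if c.not_after - today > timedelta(days=grace_days)]
        if current and all(c.issuer != cert.issuer for c in current):
            still = sorted({c.issuer for c in current})
            return "warn", f"issuer changed to {cert.issuer}; {len(current)} cert(s) from {still} still valid"
        self.accept(host, cert)   # concurrent or rotated cert from an issuer this host already uses
        if not known:
            return "ok", "first cert for this host (trust on first use)"
        return "ok", "new cert from an issuer already seen for this host"

if __name__ == "__main__":
    store = PinStore()
    a = observed("sha256:aaaa", "Gandi", "2016-03-01", "2017-03-01")
    c = observed("sha256:cccc", "Let's Encrypt", "2016-10-01", "2017-01-01")
    print(store.check("soylentnews.org", a, "2016-10-11"))   # ('ok', 'first cert for this host ...')
    print(store.check("soylentnews.org", c, "2016-10-11"))   # ('warn', 'issuer changed to Let's Encrypt; ...')
```

A "warn" does not record the cert; the caller records it with `accept` only if the user decides the change is legitimate, so the next visit with the same cert is silent. Note what this store cannot do: it says nothing about whether the first cert it ever saw was genuine, which is the trust-on-first-use trade-off the comment accepts.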

  • (Score: 2) by zocalo (302) on Tuesday October 11 2016, @09:31AM (#412860)
    Apple is apparently revoking trust in WoSign's Free SSL Certificate G2 intermediate CA in a future macOS security update, with no wiggle room like Mozilla has put on the table. That's only the intermediate used for Free SSL (Apple doesn't trust WoSign's root anyway), but that's still not likely to score points in WoSign's favour with the other root CA stores like Mozilla, Google and Microsoft.
    UNIX? They're not even circumcised! Savages!
  • (Score: 2) by datapharmer (2702) on Tuesday October 11 2016, @10:11AM (#412876)

    Good riddance. I've used this registrar before for free certificates. They issued but would not renew a certificate with the word salesforce in the sub domain because it "could be used for spoofing".

    They told me I had to get permission from the owners to use "salesforce" as a subdomain. I had Salesforce support email them, but they said it had to be the actual owner listed by Whois, so I gave up and ordered a wildcard certificate instead.

    You're telling me that after all that they were backdating certificates? What the heck?

    • (Score: 2) by zocalo (302) on Tuesday October 11 2016, @11:07AM (#412892)
      Wow, that's really clueless. When was this though? StartCom used to be OK-ish, if slightly shady (lots of certs issued outside of their ToS), while they were still operated out of Israel, but one of Mozilla's issues with WoSign implies they may have moved the StartCom certificate issuing systems over to China. The timescale on this is sketchy as to what happened when, but it must be some time after WoSign secretly acquired StartCom in November 2015 and before the infrastructure transfer was definitely completed on 1st September 2016; no telling when staff in China started issuing the certs in that window though.
      UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Wednesday October 12 2016, @01:34AM (#413202)

    Please don't make the mistake of installing this antivirus. It's being featured on more and more Windows free/shareware/trial software download sites.

    The amount of information it sends back is very disturbing. And what further data is sent back following installation and initial data sent?