Slash Boxes

SoylentNews is people

posted by mrpg on Monday July 24 2017, @05:40AM   Printer-friendly
from the who-watches-the-watchers dept.

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzen, China) and StartCom (based in Eliat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.

Source: Google drops the boom on WoSign, StartCom certs for good

Heads Roll as Qihoo 360 Moves to End Wosign, Startcom Certificate Row
Game Over for WoSign and StartCom Certificate Authorities?

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by shipofgold on Monday July 24 2017, @12:04PM (3 children)

    by shipofgold (4696) on Monday July 24 2017, @12:04PM (#543641)

    While I understand the need to make WWW surfing easy for the unwashed masses, I would like for the browsers to include an option that by default distrusts all certificates until I can verify them and add them to a white list.

    This is similar to SSH's known_hosts list.

    The first time I surf to a site, I am presented with the certificate (including the CA who signed it) and can decide for myself whether I want to trust it.

    I just did a count of CAs in Chrome 58 and there are almost 100 listed. Any of these could issue a rogue certificate for my bank and the browser would accept it without a blink. I can't find a "remove" button to delete CAs I don't want in Chrome...since Google blessed it, I need to accept it I guess. I can explicitly distrust their certs, but then I can't see who is trusted and who is not.

    I agree that not everybody wants to go through the hassle of accepting every certificate, and exporting/importing the accepted list across computers and across browsers can be quite a hassle if you have multiple devices, but it is an option that is simple to implement and will allow those who want it.

    Most certificates will be easy to accept since I am not planning to give that site my information...just surf their info. Other sites like my bank I want to give extra scrutiny to make sure I am talking to who I think I am talking to.

    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 0) by Anonymous Coward on Monday July 24 2017, @12:06PM (2 children)

    by Anonymous Coward on Monday July 24 2017, @12:06PM (#543642)

    First thing I would get rid of are all CAs from China, Russia, Middle East and Africa.

    If I encounter a WWW site signed by one of these CAs, give me the scary warning and I will decide to click through or not.

    • (Score: 0) by Anonymous Coward on Monday July 24 2017, @01:52PM

      by Anonymous Coward on Monday July 24 2017, @01:52PM (#543679)

      Yeah. Only trust 'merican authorities. Can't trust the damn ruskies or chiners...

    • (Score: 0) by Anonymous Coward on Monday July 24 2017, @03:53PM

      by Anonymous Coward on Monday July 24 2017, @03:53PM (#543734)

      This message brought to you by "The NSA". When you want national security you know who not to call.