Traditionally it's difficult for browser vendors to revoke a root CA as they want to grandfather in old certificates, so existing sites don't have the rug pulled out from under their feet when their only crime is using a crap CA.
Partial solutions include blocking the CA's certs based on the issuance date or insisting they hand over a list of the certs they've issued - but if the CA is going down in flames anyway, they have no incentive to cooperate; they can backdate certs and destroy their own customer list.
My theory is [1] this is one of the side benefits of Certificate Transparency - CT will give browser vendors a list of certs to grandfather in if they decide to shut down a CA against its will.
That's exactly the internet equivalent of too big to fail banks. And like for banks it is unacceptable. The internet needs its Lehman moment to become resilient again. We should let a Comodo fail.
Trust of a CA doesn't have to be binary - it could be stochastic.
Let's say that when a browser wishes to revoke a CA certificate, it chooses a timeframe for a "deprecation period". Before the deprecation period, the CA is fully trusted. After the deprecation period, it has been completely eliminated.
During the deprecation period, a browser will possibly pop up an error page rather than accepting the certificate. The probability of this happening increases as the deprecation period advances, slowly "turning up the pain" (likely exponentially or quadratically, for slow initial growth).
A reload will clear the error and load the page (or perhaps go through the probability again). Obviously it would be good if the site were notified through a header that this was happening. And user feedback will accomplish the same thing in a cruder manner.
Proactive sites would move off before the deprecation period even began. Less connected sites would get user reports and move off early in the period. Negligent sites would see their users migrate to different sites as their functionality got ever worse.
Their punishment would be having to pay for another certificate, install it, and use a more reputable CA next time, not necessarily the cheapest one around. I think in this case the punishment fits the crime perfectly.
Give them a month, publicize in the relevant places, and that's that. If a site gets caught out it's not the end of the world. If they have big money on the line then they can afford to have someone on staff that keeps up with this stuff.
Yikes. If all of that is true, surely Google will permanently ban WoSign from Chrome? And I would hope Mozilla and Microsoft, too, but Google is usually the one to "play tough" with rogue CAs (and I hope they will strive to develop and maintain that reputation).
> Yikes. If all of that is true, surely Google will permanently ban WoSign from Chrome? And I would hope Mozilla and Microsoft, too, but Google is usually the one to "play tough" with rogue CAs (and I hope they will strive to develop and maintain that reputation).
This will most likely happen, because a) the CA is not a western CA and b) it was due to incompetence.
If they had been competent but intentionally and willfully broken the trust of the CA system, assuming they had enough money, they would keep their CA cert. Case in point: TrustWave still has their CA certificate after intentionally selling sub-CAs for the purpose of MITM! But don't worry, they promised they'll never do it again, honest.
Wosign is not in the list of default CAs on the Mac, according to Keychain, so if you are using Chrome on a Mac, since Chrome only uses the system's root certs, you should be safe as long as you don't go add that root cert into Keychain. Wosign is in Firefox however, so Mozilla needs to do something about this.
This is a pretty misleading title for a couple of reasons:
1) WoSign may face revocation (I doubt it but I don't know), but there is no evidence of that in this article. This is just one person not affiliated with a root program "calling for" it. People on the internet call for revocation of major CA roots all the time.
2) I don't really know what a "fake" cert is, it's a very strange choice of words. I would think a fake cert is not a real cert, and in that case issuing fake certs is fine because browsers won't trust them. It seems the problem here is that real certs were issued when they shouldn't have been. That's called "mis-issuance", not "fake certs."
You are just being pedantic. The meaning is perfectly clear, they are creating certificates for a domain and giving them to people who do not control/own that domain. Pick whatever word you like to describe this. The story is very clear.
Too big to fail my ass. There's no such thing when it comes to security. If anything, that's more reason to cut them loose.
If a CA pulls shit like this they need to be revoked immediately and let the wrath of 1000s of businesses that are impacted by cert warnings rain down upon them. That will 1) Solve the security problem immediately and 2) Publicize what it means to get a cert from a crap CA that doesn't care about security.
Sure it will suck for the "little guy" who didn't know but, if you don't do this, he'll never know and never learn.
The root certificates trusted by Windows are fetched from Microsoft's servers as needed. You can download all of them using the command:
certutil -generateSSTFromWU roots.sst
Then if you open up roots.sst (it opens in certmgr.msc) and sort by Friendly Name, you should see the WoSign roots. You can then export these and import them into the Untrusted Certificates store if you wish to block WoSign as a trusted root.
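The same procedure in script form, as an added example that is not from the thread. It assumes certutil.exe is available, that the script runs from an elevated prompt, and that the WoSign roots can be picked out by the string "WoSign" in their Subject (the comment above says to look under Friendly Name; the exact names are not given here).

```powershell
# Added example, not from the thread: pull the Windows Update root list with
# certutil (as described above), select the WoSign roots, and add them to the
# machine's "Untrusted Certificates" store, which Windows names "Disallowed"
# internally. Run from an elevated PowerShell prompt.
$sst = Join-Path $env:TEMP 'roots.sst'
& certutil.exe -generateSSTFromWU $sst | Out-Null
if (-not (Test-Path $sst)) { throw "certutil did not produce $sst" }

# An .sst file is a serialized certificate store; .NET can load it directly.
$roots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$roots.Import($sst)

# Assumption: the roots of interest carry 'WoSign' in their Subject. Review the
# selection before anything is written to the store.
$toBlock = @($roots | Where-Object { $_.Subject -match 'WoSign' })
if ($toBlock.Count -eq 0) { throw 'No matching roots found; inspect $roots manually.' }
$toBlock | Format-Table Subject, Thumbprint, NotAfter -AutoSize

# A certificate present in Disallowed is rejected by CryptoAPI even if it also
# sits in the trusted Root store, so the original entry need not be deleted.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
$store.Open('ReadWrite')
try {
    foreach ($cert in $toBlock) {
        if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    }
} finally {
    $store.Close()
}

# Verify: the blocked roots should now appear under Cert:\LocalMachine\Disallowed.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -match 'WoSign' } |
    Select-Object Subject, Thumbprint
```

Because Chrome and Internet Explorer on Windows consult the system store, an entry in Disallowed blocks the root for those browsers; Firefox keeps its own root list and is unaffected.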
So what's the relation to StartCom/StartSSL? I remember reading some comments about half a year ago mentioning that the startssl website suddenly was hosted on Chinese IP addresses, just around the time they redesigned the web page. This seemed fishy enough back then that I finally switched from startssl to letsencrypt for non-wildcard certs and actually started paying a different CA for wildcard certs...
Did the StartSSL root CA change hands / was it sold to a Chinese company (Wosign?)
I seem to remember the CEO used to be vocal in various ssl and ca forums and on bugzilla earlier.... But no comments lately?
This came up on the Mozilla mailing list and the most likely explanation is that they're sharing some infrastructure, i.e. one CA is hosting the other[1]. This is apparently quite common in the industry.
I don't think the Baseline Requirements (or any of the root program policies) currently require that CAs disclose these arrangements. I don't think CA hosting is inherently bad (in many cases I'd actually be happy to know that a CA is not running their own infrastructure), but it would probably be a good idea to force CAs to be transparent about it. If it's publicly known that WoSign and StartCom use the same domain validation infrastructure (just as an example, this might not be the case), that fact would be highly relevant for this discussion.
Can't browsers at least restrict CAs like WoSign so that their roots are only accepted for .cn domains?
I realize that X.509 name constraints are utterly broken, but that doesn't mean that browsers can't manually restrict the domains that a given root is accepted for.
Is there an easy way for me to revoke trust from all Chinese CAs? Anyone in China is ultimately subject to being forced to do the dirty work of the Chinese Communist Party. Why are browser and OS vendors even trusting them in the first place?
I untrusted all Chinese-sounding CAs from "System Roots" under "Keychain Access" in OSX as soon as I got my laptop. That's what Chrome and Safari verify against.
[1] https://www.mjt.me.uk/posts/certificate-transparency/
[+] [-] LoSboccacc|9 years ago|reply
Thing is, the whole castle is built upon trust.
If you don't punish crap CAs and people who don't do research first, things will deteriorate rapidly.
[+] [-] mtgx|9 years ago|reply
> Possible fake cert for Alibaba, the largest commercial site in China https://crt.sh/?id=29884704
> Possible fake cert for Microsoft https://crt.sh/?id=29805555
[+] [-] estebank|9 years ago|reply
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an...
[+] [-] mariuolo|9 years ago|reply
If a vendor/CA/whatever knows that they will die if anything comes out, they will bury things like this even deeper.
[1]: https://groups.google.com/d/msg/mozilla.dev.security.policy/...