>We also hope the public can see that when there are allegations of CA wrongdoing, Mozilla is committed to a fair, transparent and thorough investigation of the facts of each case.
I'm very happy to see the way Mozilla handled this incident, both with the process and the conclusion. I have a moderate trust in the CA ecosystem as a whole, but I'm glad to see that overwhelming incompetence, if not outright maliciousness, does have consequences even to big CAs.
At first though the proposed one year timeout can seem a little short given the impressive list of reported issues, but the conditions given for re-acceptance are strict enough that passing could only indicate a radical change in methodology, at which point it would only make good sense to consider a re-inclusion.
In fact if every CA could take a full code security audit and provide complete certificate transparency in the manner proposed, I think we would have reason to feel marginally safer on the Internet.
My hope would be that since this method of punishing seems to be liked by most and even feels "generous" to some, the browser vendors would more aggressively start handing out "1 year suspensions" for more and more CAs that are caught doing anything even remotely like this.
Then after a year or two, and after the CAs have learned that they need to take this stuff seriously, and yet some still get caught doing it, the browser vendors should increase the level of punishment, because those getting caught then wouldn't have much of an excuse anymore.
A clear and detailed report. The conclusion seems both transparent and fair. It would be very difficult for many customers of StartCom/WoSign if they were immediately revoked. Hopefully this news spreads far enough that the reputation of StartCom/WoSign will generally include this information.
I am saving this as a reference in the event I ever need to write a technical report. This style is so much easier to read than a typical "official" report from police, the FBI, or similar organizations.
I don't have any StartCom or WoSign certificates right now, but I did in the past. It was nice to be able to get a certificate that browsers accepted, without needing to pay for it. I'm glad the landscape has changed.
Auditors and ratings agencies and their ilk are a fundamentally broken service in our society. On the one hand they have to make money and on the other they have to be honest. The two are simply not compatible, seemingly. Eg: ratings agencies happily giving top tier ratings to mortgages back in pre 2008.
Mozilla and Chrome are killing StartCom. This is huge, isn't it? StartCom is one of the more popular CAs.
Later:
Additional fun fact: there's a decent-sized subthread on the mailing list in which it's strongly suggested that WoSign is itself quietly owned by Qihoo360, a much larger company --- somewhat like the Symantec of China.
Behaviours of StartCom and its owner WoSign that are against the accepted rules of the industry they work in, in industry for which trust if key, is killing StartCom.
Being popular does not give you the right to expect transgressions to be ignored.
I used to use StartCom and even recommend them (it was an inexpensive way to get wildcard and multi-domain certificates). Since LetsEncrypt they have far less relevance, and since recent behaviours I wouldn't trust them if they were still relevant to my needs. The one wildcard I still use (because lazy mainly) I paid for a new version of elsewhere, my other SSL needs LetsEncrypt does the job.
" 1) Are the first three shareholders listed in the attached file the
same companies as the "Qihoo 360 Software (Beijing) Co., Ltd.",
"Beijing Qifutong
Technology Co., Ltd.", and "Beijing Yuan Tu Technology Co., Ltd."
entities listed in Qihoo 360 SEC reports as VIEs or subsidiaries of
VIEs?
[Xiaosheng]: Yes, they are.
2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo
360 VIE subsidiary, or a combination of those own or control a
majority of shares in WoSign?
[Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign."
They're not "killing" anyone. They have reasonable doubt that the CA has misrepresented the truth and engaged in practices that violate the rules set forth by the CAB and those for inclusion in the Mozilla trust store. There will have to be consequences for else it means nothing.
They're also very clear that they do not intend to invalidate any already issued certificates, only new ones after a specific, yet to be decided, date and that they remain open to re-inclusion after the year's time-out and passing the normal inclusion tests. However, they rightfully set forth a requirement for some audits to take place by Mozilla appointed parties. For this I'm particularly thankful as if the auditors are allowed to keep doing this kind of hodge-bodge botch job the already strained trust in CA's is further weakened.
A huge factor in their popularity is their free certificate, and now Let’s Encrypt is operational. StartCom’s free certificate always seemed like a gateway to their paid offerings, because it is so limited and awkward to use. The Let’s Encrypt product is better.
Well shit. I always liked StarCom because of their approach to charge for verification (with increasing costs for each higher trust level) but not for issuing certs (while still manually checking every cert request, at least for any OV&EV cert in my case).
This entire WoSign acquisition is incredibly shady. Shortly after that some of the customer reps had chinese names, service quality declined and we got offered to become an "Intermediate CA" (StartPKI) for 10k$/yr.
What is the best alternative CA that also offers wildcard certificates (preferably with a similar business model)?
What would being an "Intermediate CA" actually mean in practise?
Am I right in thinking I could generate my own certificates for any domain I wanted and have them validate in any browsers or devices that currently trust StartSSL/WoSign? Or to put it another way, would it give me the same powers as running my own internal CA but without the problem of convincing people to install my root-ca?
I assume it _can't_ mean that, otherwise people would surely be up in arms (10k to mitm anyone is scarily cheap), so could someone educate me please?
What use case do you have for wildcards that you can't use Let's Encrypt or similar automated issuance? Just curious, as I've yet to hear a terribly compelling one...
I'm not going to defend WoSign/StartCom's shady tactics, but the way the deprecation of SHA1 was performed puts people in a pretty shitty position.
You can't support Windows XP users who use IE anymore with HTTPs.
In the western world, that number is very small. It's around 1% still using XP and most of those people are probably not using IE anymore.
In china though, that number is still >5%, and I got that number personally from the metrics of a game that we just deployed an alpha for in China. I would bet that given the way the alpha test keys were handed out that the amount of Windows XP users in the general population is probably much much higher.
So what is the response if you can't support a significant portion of your user base? Well for a bunch of chinese websites the result is don't use HTTPS at all. We have seen advice that "HTTPS cases problems for users in China so we think it's a bad idea to use it". It's not a good situation.
>You can't support Windows XP users who use IE anymore with HTTPs.
Not correct; you can't support Windows XP users who have not updated to SP3 yet.
(Typically a pirated version which has all updates disabled...SP3 has been available since May 6, 2008)
> You can't support Windows XP users who use IE anymore with HTTPs.
Sure you can. Just ask a CA that has an old root trusted by XP but no longer trusted by modern browsers, and they'll issue a SHA-1 cert for you without risking to get kicked out of the truststores.
Now that StartSSL is effectively deceased, is there a commercial CA that supports the ACME protocol? Or is the ACME protocol a vanity project unique to Let's Encrypt?
I manage several dozen certificates; I was very pleased when StartSSL offered an automated API to work with. Despite their flaws, they offered EV certs, wildcards, and automated one-shots, and it was very convenient.
I'd gladly pay for this functionality, preferably while supporting standards-based ACME functionality... but so far it seems Let's Encrypt is the only one playing that game, and their featureset is crap for anything but their very narrow use case.
This is a very detailed investigation - the parts that appear to be new are the specific serial number patterns, the times/dates of manual issuance, and the case of the Tyro SHA-1 cert.
It's a little unfortunate that Mozilla's option here is to rely on WoSign and StartCom continuing to be honest about notBefore, or really, on Google detecting further abuse of notBefore via Certificate Transparency. Mozilla should really be participating in CT themselves so they have more options here. Is there anything the community can do to help (e.g., run more log servers)?
Do people use S/MIME with the standard (web-based) trust stores? If you're using it with a small group of people you're in communication with, you can always generate your own CA pretty easily with the openssl command.
(Except for the part about the openssl command, this is what Exchange does: everyone joined to an Active Directory domain gets config from the AD servers, so AD generates its own CA for S/MIME certs and tells its users about it.)
I'd be interested to know what the plans are from other vendors (Microsoft, Google, Apple, ...); can we expect them to follow Mozilla's lead in taking action against WoSign?
CA root lists are generally maintained on an OS level (Oracle does maintain a separate root list for Java). Linux doesn't really have a central CA, so in practice, the root certificate list for all of Linux usually comes from Mozilla.
Mozilla's CA policy is the only major policy where almost all discussion is public (indeed, its policy requires a public commentary period), so its decision is the most visible by far. Given that the major list vendors already collaborate in the CAB forum, it's likely that MS and Apple will follow the Mozilla/Google lead here. The prior Diginotar and Comodo scenarios involved all the vendors operating in tandem.
Considering I believe one of the writers of this was from Google, I guess we can assume they'll likely follow?
With both Chrome and Firefox no longer allowing certificates from them we can expect customers to no longer buy from them which will result in no more certificates even if Apple/Microsoft don't follow.
When the story first broke, I manually untrusted WoSign's and StartCom's root certificates in OS X, instead of deleting them outright...at least I thought I did. I upgraded to macOS 10.12 Sierra this past weekend, and repeated the process. Except WoSign's certificates aren't there to begin with, though StartCom's still are. So perhaps Apple had dropped WoSign already? Would anyone else running 10.12 verify?
> Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.
I recommend reading the whole thing if you have time. They used some shady tactics.
How many companies can survive a year without revenue? None I've ever worked at. Not only that, but their readmission after that year is uncertain! Mozilla gets to pick an auditor (raises hand! pick me!) that gets full access to their code. This is, I think, a higher bar than a new CA would have to clear.
StartCom is a popular CA. Distrusting previously-issued certificates would be extremely disruptive. Moreover, it would primarily punish StartCom's customers, and not WoSign, which as a business is primarily concerned with forward revenue.
You see this as leniency, but I see it as a powerful step forward. The browsers and CAs had previously been locked in a Mexican Standoff, with abusive CAs fully aware of the leverage their userbases offered them.
With a caveat, which sends a pretty strong and clear message:
> We plan to distrust only newly-issued certificates to try and reduce the impact on web users [..] Our proposal is that we determine “newly issued” by examining the notBefore date [...] therefore WoSign/StartCom could back-date certificates to get around this restriction. And there is, as we have explained, evidence that they have done this in the past. [...] if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.
To the other observations, I'd also observe that in a world of corporate entities, there isn't a meaningful way to permanently eliminate a CA. Bad actors can always dissolve the old entity, form a new one with the same policies and any of the same people you'd like, and do the same thing. Banning the existing corporation for a year is about all you can do; the more time that goes by the fuzzier it becomes as to what exactly that "entity" is.
By far the more important element here is not that the specific corporate entity gets nuked, but that it be demonstrated to all and sundry that the CA standards have teeth. That is what will keep the bad actors from "just" doing anything to get around the problem, not psychologically-appealing vengeance.
Given WoSign's history of backdating SHA-1 certificates in violation of Mozilla's rules, I wouldn't be too surprised if they reuse that practice to get around the 1 year ban, at which point Mozilla will have to consider permanently distrusting them.
It's generous to the customers who currently have existing, valid WoSign or StartCom certificates. It's not very generous to WoSign or StartCom as continuing profitable businesses, because if I were paying either of these companies for certificates, I'd be looking for someone else to pay when it comes time to renew. This is exactly what you want.
I think this is very well handled on the part of Mozilla, especially with respect to existing customers.
What's missing, which admittedly is not Mozilla's job, is to inform any existing customers that will have to renew during the time WoSign and StartCom are suspended. If they just get an invoice and pay it or are set-up with auto-renew, they'll unknowingly get certificates that aren't valid for the remainder of the suspension (or indefinitely, if WoSign/StartCom if violates Mozilla's requirements).
Wow, this would be devastating if they actually went through with revoking their root certificate.
StartCom is (well, was) the only competition to Let's Encrypt in the free certificate space. It is far and away the cheapest direct provider of wildcard certificates (which are impossible to get for free), unless you move into reseller territory. And even their free certificates last four times as long, and don't require the use of certbot.
Certainly, Let's Encrypt works great for a lot of peoples' needs. But for those it doesn't (and there's more of them than you might think), this is seriously bad news.
It's easy to get onboard wanting to punish WoSign/StartCom here, but keep in mind that this has the potential to screw over all of their innocent customers as well. (Future customers with the first action; all customers if the second action comes to pass and they revoke the root CA.) And screwing them could likely mean they abandon HTTPS completely instead.
Note that I am not advocating for Mozilla to give them a pass; far from it. If anything, this is just one more indictment on the long list of reasons why the entire CA system is completely broken.
I actually just recently purchased a certificate, and had my choices narrowed down to StartSSL or AlphaSSL. I am really glad I went with the latter right about now. I can't tell you how absolutely livid I would become if Mozilla ended up revoking my root CA after dropping over $100 on my certificate.
Completely and utterly fail your job, lie about it and use deceiving tactics?
And all they are getting is a 1 year suspension and none of the certificates are becoming untrusted. The auditors got a bigger punishment by being banned completely from Mozilla's trusted auditors.
Should just revoke them completely. Such incompetence and/or malice should not be allowed on such a crucial piece of infrastructure.
I think Mozilla is falling for Symantecs / other CAs propaganda here. Yes, WoSign did bad things, but those are by far not the worst things we've seen in CA wrongdoings in the last years.
We've seen certs issued for MITM attacks and security holes in the validation process of nearly every CA. (http://www.theregister.co.uk/2012/02/14/trustwave_analysis/) < they confessed issuing a cert for MITM purpose and are still part of the game.
The allegations mainly consist of:
a) WoSign didn't make transparent that they have control over StartCom. Yes, this is a thing and it should be discussed. But the main focus of this is obviously to get StartCom into this story. Where - as I understood it - there is no allegation, that StartCom itself did something wrong. At least not in the league of "we should kill that company". Transparency is important and we should fight for it. Not only in China.
b) They backdated SHA-1 certs. Obviously because not updated Windows XP machines are a thing in China. This is against code of conduct. This is bad, but I totally get the intention here. And the intention is not MITM attacks or worse (as we see a lot in CA business) the intention is not to break Chinese internet.
Bottom line:
"Let's encrypt" is destroying the business of many shady CAs these days. Competition is getting harder. StartCom had an advance in this race as they adopted quickly to the new rules and the've build the best product in the market for special use cases. We - for example - rely on a lot of wildcard certs for many domains. StartCom had the product. We pay'd them $200 for all our certs and the next cheapest competitor wanted $150.000 / year for our certs. I totally get why they are getting attacked by the big players. I totally don't get why Mozilla is falling for this.
There were a number of other issues that came up during this investigation that showed that they should not be running a CA[1]. For example, they issued certificates to anyone able to control a unprivileged port (> 1024) behind a domain. They issued certificates for "root domains" to anyone able to verify control of a subdomain. When StartCom launched their issuance API, it was taken down within a matter of days due to some pretty obvious holes.
The biggest problem with the SHA-1 issuance is that they - as the report shows - blatantly lied about how this played out during the investigation and did not even attempt to go through the proper channels to get an exception from browser vendors (which other CAs did). Additionally, issuing a SHA-1 certificate to a payment processor that failed to upgrade their systems in time cannot be explained by China having a large number of XP <= SP2 users. That's just an excuse.
Regarding the TrustWave incident a few years back, it's important to understand that this happened when the rules for CAs were not quite as clear as they are now. I think this happened just around the time when the Baseline Requirements were written and were not yet in effect, and various browser policies were not as clear as they could've been about this use-case. Four years later, I have no doubts that a CA who'd give out the private key of a non-constrained CA certificate to a non-audited third-party would lose their trust status within a matter of days.
As someone who's using StartCom for several years I'm really anxious now. I may use Let's Encrypt for a few sites but not for all and I also got my email certificates from StartCom.
As far as I know there's no suitable alternative that does not cost $500+ per year, or does anyone have an advice for me?
I hate to say it, but if you need the functionality that Let's Encrypt won't offer (wildcard certificates, longer validity lengths, not wanting/needing to run certbot, code signing, etc) ... your best bet is to look for the SSL resellers.
I'm not going to name the one I used (as I'm not marketing for them), but I purchased a three-year AlphaSSL wildcard certificate recently for a little over $110 (for all three years, so less than $40/yr.)
It ... absolutely defies common sense that certificate resellers are a thing; but indeed it's the very same certificate I'd have gotten had I paid $150/yr on AlphaSSL's site.
The CA model is just completely broken. But right now, our only choice is to find the lowest amount of money to be taken for if we want full HTTPS functionality. And at the moment, that's with the resellers :/
[+] [-] tux3|9 years ago|reply
I'm very happy to see the way Mozilla handled this incident, both with the process and the conclusion. I have a moderate trust in the CA ecosystem as a whole, but I'm glad to see that overwhelming incompetence, if not outright maliciousness, does have consequences even to big CAs.
At first though the proposed one year timeout can seem a little short given the impressive list of reported issues, but the conditions given for re-acceptance are strict enough that passing could only indicate a radical change in methodology, at which point it would only make good sense to consider a re-inclusion.
In fact if every CA could take a full code security audit and provide complete certificate transparency in the manner proposed, I think we would have reason to feel marginally safer on the Internet.
[+] [-] mtgx|9 years ago|reply
Then after a year or two, and after the CAs have learned that they need to take this stuff seriously, and yet some still get caught doing it, the browser vendors should increase the level of punishment, because those getting caught then wouldn't have much of an excuse anymore.
[+] [-] vtlynch|9 years ago|reply
Given the risks that screwups have to their business, I would think CAs would VOLUNTARILY do this.
[+] [-] no_protocol|9 years ago|reply
I am saving this as a reference in the event I ever need to write a technical report. This style is so much easier to read than a typical "official" report from police, the FBI, or similar organizations.
I don't have any StartCom or WoSign certificates right now, but I did in the past. It was nice to be able to get a certificate that browsers accepted, without needing to pay for it. I'm glad the landscape has changed.
[+] [-] TorKlingberg|9 years ago|reply
[+] [-] koolba|9 years ago|reply
> In addition, Mozilla will:
> add all of the Macau certificates to OneCRL immediately;
> and no longer accept audits carried out by Ernst & Young (Hong Kong).
If you don't hold the auditors responsible, this will happen again. If you do hold the auditors responsible, you might prevent some of this.
[+] [-] pquerna|9 years ago|reply
> no longer accept audits carried out by Ernst & Young (Hong Kong).
To reject audits from E&Y.... It makes me wonder about the transparency and trust we put in the auditors as being a key part of CA validation process.
[+] [-] chillydawg|9 years ago|reply
[+] [-] tomjen3|9 years ago|reply
[deleted]
[+] [-] tptacek|9 years ago|reply
Later:
Additional fun fact: there's a decent-sized subthread on the mailing list in which it's strongly suggested that WoSign is itself quietly owned by Qihoo360, a much larger company --- somewhat like the Symantec of China.
More specifically:
https://twitter.com/pzb/status/780456712562024448
[+] [-] dspillett|9 years ago|reply
Being popular does not give you the right to expect transgressions to be ignored.
I used to use StartCom and even recommend them (it was an inexpensive way to get wildcard and multi-domain certificates). Since LetsEncrypt they have far less relevance, and since recent behaviours I wouldn't trust them if they were still relevant to my needs. The one wildcard I still use (because lazy mainly) I paid for a new version of elsewhere, my other SSL needs LetsEncrypt does the job.
[+] [-] phonon|9 years ago|reply
https://groups.google.com/d/msg/mozilla.dev.security.policy/...
" 1) Are the first three shareholders listed in the attached file the same companies as the "Qihoo 360 Software (Beijing) Co., Ltd.", "Beijing Qifutong Technology Co., Ltd.", and "Beijing Yuan Tu Technology Co., Ltd." entities listed in Qihoo 360 SEC reports as VIEs or subsidiaries of VIEs? [Xiaosheng]: Yes, they are.
2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo 360 VIE subsidiary, or a combination of those own or control a majority of shares in WoSign? [Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign."
[+] [-] daenney|9 years ago|reply
They're also very clear that they do not intend to invalidate any already issued certificates, only new ones after a specific, yet to be decided, date and that they remain open to re-inclusion after the year's time-out and passing the normal inclusion tests. However, they rightfully set forth a requirement for some audits to take place by Mozilla appointed parties. For this I'm particularly thankful as if the auditors are allowed to keep doing this kind of hodge-bodge botch job the already strained trust in CA's is further weakened.
[+] [-] ryan-c|9 years ago|reply
[+] [-] Decade|9 years ago|reply
[+] [-] ylere|9 years ago|reply
What is the best alternative CA that also offers wildcard certificates (preferably with a similar business model)?
[+] [-] BuildTheRobots|9 years ago|reply
Am I right in thinking I could generate my own certificates for any domain I wanted and have them validate in any browsers or devices that currently trust StartSSL/WoSign? Or to put it another way, would it give me the same powers as running my own internal CA but without the problem of convincing people to install my root-ca?
I assume it _can't_ mean that, otherwise people would surely be up in arms (10k to mitm anyone is scarily cheap), so could someone educate me please?
[+] [-] finnn|9 years ago|reply
[+] [-] Negitivefrags|9 years ago|reply
You can't support Windows XP users who use IE anymore with HTTPs.
In the western world, that number is very small. It's around 1% still using XP and most of those people are probably not using IE anymore.
In china though, that number is still >5%, and I got that number personally from the metrics of a game that we just deployed an alpha for in China. I would bet that given the way the alpha test keys were handed out that the amount of Windows XP users in the general population is probably much much higher.
So what is the response if you can't support a significant portion of your user base? Well for a bunch of chinese websites the result is don't use HTTPS at all. We have seen advice that "HTTPS cases problems for users in China so we think it's a bad idea to use it". It's not a good situation.
[+] [-] phonon|9 years ago|reply
Not correct; you can't support Windows XP users who have not updated to SP3 yet. (Typically a pirated version which has all updates disabled...SP3 has been available since May 6, 2008)
[+] [-] dragonwriter|9 years ago|reply
Supporting Windows XP IE users' delusions of security is, arguably, not a desirable thing.
[+] [-] jvehent|9 years ago|reply
Sure you can. Just ask a CA that has an old root trusted by XP but no longer trusted by modern browsers, and they'll issue a SHA-1 cert for you without risking to get kicked out of the truststores.
[+] [-] stonogo|9 years ago|reply
I manage several dozen certificates; I was very pleased when StartSSL offered an automated API to work with. Despite their flaws, they offered EV certs, wildcards, and automated one-shots, and it was very convenient.
I'd gladly pay for this functionality, preferably while supporting standards-based ACME functionality... but so far it seems Let's Encrypt is the only one playing that game, and their featureset is crap for anything but their very narrow use case.
Any advice, HN?
[+] [-] agwa|9 years ago|reply
Our API predates ACME, but we'll most likely be implementing ACME once it's finalized.
[+] [-] geofft|9 years ago|reply
It's a little unfortunate that Mozilla's option here is to rely on WoSign and StartCom continuing to be honest about notBefore, or really, on Google detecting further abuse of notBefore via Certificate Transparency. Mozilla should really be participating in CT themselves so they have more options here. Is there anything the community can do to help (e.g., run more log servers)?
[+] [-] shawkinaw|9 years ago|reply
So people, is there a comparable free product out there (don't say LetsEncrypt, they don't do S/MIME unless I'm mistaken)?
[+] [-] tptacek|9 years ago|reply
You can still get free S/MIME certs from Comodo.
[+] [-] geofft|9 years ago|reply
(Except for the part about the openssl command, this is what Exchange does: everyone joined to an Active Directory domain gets config from the AD servers, so AD generates its own CA for S/MIME certs and tells its users about it.)
[+] [-] nandhp|9 years ago|reply
[+] [-] jcranmer|9 years ago|reply
Mozilla's CA policy is the only major policy where almost all discussion is public (indeed, its policy requires a public commentary period), so its decision is the most visible by far. Given that the major list vendors already collaborate in the CAB forum, it's likely that MS and Apple will follow the Mozilla/Google lead here. The prior Diginotar and Comodo scenarios involved all the vendors operating in tandem.
[+] [-] popey456963|9 years ago|reply
With both Chrome and Firefox no longer allowing certificates from them we can expect customers to no longer buy from them which will result in no more certificates even if Apple/Microsoft don't follow.
[+] [-] RJIb8RBYxzAMX9u|9 years ago|reply
[+] [-] driverdan|9 years ago|reply
> Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.
I recommend reading the whole thing if you have time. They used some shady tactics.
[+] [-] hart_russell|9 years ago|reply
Sounds very generous to me.
[+] [-] tptacek|9 years ago|reply
StartCom is a popular CA. Distrusting previously-issued certificates would be extremely disruptive. Moreover, it would primarily punish StartCom's customers, and not WoSign, which as a business is primarily concerned with forward revenue.
You see this as leniency, but I see it as a powerful step forward. The browsers and CAs had previously been locked in a Mexican Standoff, with abusive CAs fully aware of the leverage their userbases offered them.
[+] [-] TorKlingberg|9 years ago|reply
[+] [-] gregmac|9 years ago|reply
> We plan to distrust only newly-issued certificates to try and reduce the impact on web users [..] Our proposal is that we determine “newly issued” by examining the notBefore date [...] therefore WoSign/StartCom could back-date certificates to get around this restriction. And there is, as we have explained, evidence that they have done this in the past. [...] if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.
[+] [-] throwawayReply|9 years ago|reply
It's more lenient than some might want, but it avoids the decision being controversial and perhaps lessens the chance that it is seriously challenged.
[+] [-] jerf|9 years ago|reply
By far the more important element here is not that the specific corporate entity gets nuked, but that it be demonstrated to all and sundry that the CA standards have teeth. That is what will keep the bad actors from "just" doing anything to get around the problem, not psychologically-appealing vengeance.
[+] [-] hayleox|9 years ago|reply
[+] [-] geofft|9 years ago|reply
[+] [-] gregmac|9 years ago|reply
What's missing, which admittedly is not Mozilla's job, is to inform any existing customers that will have to renew during the time WoSign and StartCom are suspended. If they just get an invoice and pay it or are set-up with auto-renew, they'll unknowingly get certificates that aren't valid for the remainder of the suspension (or indefinitely, if WoSign/StartCom if violates Mozilla's requirements).
[+] [-] byuu|9 years ago|reply
StartCom is (well, was) the only competition to Let's Encrypt in the free certificate space. It is far and away the cheapest direct provider of wildcard certificates (which are impossible to get for free), unless you move into reseller territory. And even their free certificates last four times as long, and don't require the use of certbot.
Certainly, Let's Encrypt works great for a lot of peoples' needs. But for those it doesn't (and there's more of them than you might think), this is seriously bad news.
It's easy to get onboard wanting to punish WoSign/StartCom here, but keep in mind that this has the potential to screw over all of their innocent customers as well. (Future customers with the first action; all customers if the second action comes to pass and they revoke the root CA.) And screwing them could likely mean they abandon HTTPS completely instead.
Note that I am not advocating for Mozilla to give them a pass; far from it. If anything, this is just one more indictment on the long list of reasons why the entire CA system is completely broken.
I actually just recently purchased a certificate, and had my choices narrowed down to StartSSL or AlphaSSL. I am really glad I went with the latter right about now. I can't tell you how absolutely livid I would become if Mozilla ended up revoking my root CA after dropping over $100 on my certificate.
[+] [-] joseignaciorc|9 years ago|reply
Shouldn't it be under the mozilla.org domain?
[+] [-] Angostura|9 years ago|reply
[+] [-] crazypyro|9 years ago|reply
And all they are getting is a 1 year suspension and none of the certificates are becoming untrusted. The auditors got a bigger punishment by being banned completely from Mozilla's trusted auditors.
Should just revoke them completely. Such incompetence and/or malice should not be allowed on such a crucial piece of infrastructure.
[+] [-] lionradio|9 years ago|reply
Bottom line: "Let's encrypt" is destroying the business of many shady CAs these days. Competition is getting harder. StartCom had an advance in this race as they adopted quickly to the new rules and the've build the best product in the market for special use cases. We - for example - rely on a lot of wildcard certs for many domains. StartCom had the product. We pay'd them $200 for all our certs and the next cheapest competitor wanted $150.000 / year for our certs. I totally get why they are getting attacked by the big players. I totally don't get why Mozilla is falling for this.
[+] [-] pfg|9 years ago|reply
The biggest problem with the SHA-1 issuance is that they - as the report shows - blatantly lied about how this played out during the investigation and did not even attempt to go through the proper channels to get an exception from browser vendors (which other CAs did). Additionally, issuing a SHA-1 certificate to a payment processor that failed to upgrade their systems in time cannot be explained by China having a large number of XP <= SP2 users. That's just an excuse.
Regarding the TrustWave incident a few years back, it's important to understand that this happened when the rules for CAs were not quite as clear as they are now. I think this happened just around the time when the Baseline Requirements were written and were not yet in effect, and various browser policies were not as clear as they could've been about this use-case. Four years later, I have no doubts that a CA who'd give out the private key of a non-constrained CA certificate to a non-audited third-party would lose their trust status within a matter of days.
[1]: https://wiki.mozilla.org/CA:WoSign_Issues
[+] [-] Kovah|9 years ago|reply
[+] [-] byuu|9 years ago|reply
I'm not going to name the one I used (as I'm not marketing for them), but I purchased a three-year AlphaSSL wildcard certificate recently for a little over $110 (for all three years, so less than $40/yr.)
It ... absolutely defies common sense that certificate resellers are a thing; but indeed it's the very same certificate I'd have gotten had I paid $150/yr on AlphaSSL's site.
The CA model is just completely broken. But right now, our only choice is to find the lowest amount of money to be taken for if we want full HTTPS functionality. And at the moment, that's with the resellers :/