We can separate the 2015 incidents from 2016, and separate reported incidents from un-reported ones; then all is clear:
In 2015, reported:
Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates
Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers
In 2015, un-reported:
Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates.
Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates
Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates
In 2016, un-reported:
Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate
We gave Google detailed information instantly after receiving your email, and we also replied to the Mozilla email instantly that all details are reported to Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=1293366
I said "Yes, we have improved"; you can see from the timeline that from June 2015 to July 2016, a period of over one year, we did not have any incident. This means we fixed the system bugs in time and did more validation and checking, and we blocked many illegal orders for famous domains.
Best Regards,
Richard
-----Original Message-----
From: Ryan Sleevi [mailto:ry...@sleevi.com]
Sent: Friday, September 2, 2016 12:01 AM
To: Richard Wang <ric...@wosign.com>
Cc: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
> Thanks for your detailed instruction.
> Yes, we have improved. The two cases happened in 2015, and the
> mis-issuance period is only 5 months; we fixed 3 big
> bugs during those 5 months.
> For CT, we will improve the posting system.
I had a little trouble parsing this, but let's make sure we're on the same page. I've continued Gerv's original numbering:
Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates (https://cert.webtrust.org/SealFile?seal=2019&file=pdf)
Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates (https://www.wosign.com/policy/wosign-policy-1-2-10.pdf)
Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers
Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates
Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates
Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this the only one? I wasn't clear from https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ)
Just making sure we're in agreement about the facts and timelines surrounding these, so that it's easier than debating 2 or 3 or 5 or more.