| Incidents involving the CA WoSign | Gervase Markham | 24/08/16 06:09 | Dear m.d.s.policy,
Several incidents have come to our attention involving the CA "WoSign". Mozilla is considering what action it should take in response to these incidents. This email sets out our understanding of the situation. Before we begin, we note that Section 1 of the Mozilla CA Certificate Enforcement Policy[0] says: "When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the Mozilla Policy for Handling Security Bugs should be followed." It is clear to us, and appears to be clear to other CAs based on their actions, that misissuances where domain control checks have failed fall into the category of "serious security concern". Incident 0 ---------- On or around April 23rd, 2015, WoSign's certificate issuance system for their free certificates allowed the applicant to choose any port for validation. Once validation had been completed, WoSign would issue certificates for that domain. A researcher was able to obtain a certificate for a university by opening a high-numbered port (>50,000) and getting WoSign to use that port for validation of control. This problem was reported to Google, and thence to WoSign and resolved. Mozilla only became aware of it recently. * Before the recent passage of Ballot 169 in the CAB Forum, which limits the ports and paths which can be used, the Baseline Requirements said that one acceptable method of domain validation was "Having the Applicant demonstrate practical control over the FQDN by making an agreed‐upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN". This method therefore did not violate the letter of the BRs. However, Mozilla considers the basic security knowledge that ports over 1024 are unprivileged should have led all CAs not to accept validations of domain control on such ports, even when not documented in the BRs. * The misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. Incident 1 ---------- In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain. The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io. They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later. * The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible. * This misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. Incident 2 ---------- In July 2016, it became clear that there was some problems with the StartEncrypt automatic issuance service recently deployed by the CA StartCom. As well as other problems it had, which are outside the scope of this discussion, changing a simple API parameter in the POST request on the submission page changed the root certificate to which the resulting certificate chained up. The value "2" made a certificate signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free SSL Certificate G2" and "0" selected "CA 沃通根证书", another root certificate owned by WoSign and trusted by Firefox. Using the value "1" led to a certificate which had a notBefore date (usage start date) of 20th December 2015, and which was signed using the SHA-1 checksum algorithm. * The issuance of certificates using SHA-1 has been banned by the Baseline Requirements since January 1st, 2016. Browsers, including Firefox, planned to enforce this[2] by not trusting certs with a notBefore date after that date, but in the case of Firefox the fix had to be backed out due to web compatibility issues. However, we are considering how/when to reintroduce it, and CAs presumably know this. * The issuance of backdated certificates is not forbidden, but is listed in Mozilla's list of Problematic Practices[3]. It says "Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not." * WoSign deny that their code backdated the certificates in order to avoid browser-based restrictions - they say "this date is the day we stop to use this code"[4]. If that is true, it is not clear to us how StartCom came to deploy WoSign code that WoSign itself had abandoned. * It seems clear from publicly available information that StartCom's issuance systems are linked to WoSign's issuance systems in some way. Nevertheless, it should not have been possible for an application for a cert from StartCom to produce a cert signed by WoSign. * This misissuance incident was not reported to Mozilla by WoSign as it should have been. Taking into account all these incidents and the actions of this CA, Mozilla is considering what action to take. Your input is welcomed. Gerv, Kathleen and Richard [0] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ [1] https://cert.webtrust.org/SealFile?seal=2019&file=pdf [2] https://bugzilla.mozilla.org/show_bug.cgi?id=942515 [3] https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 |
| Re: Incidents involving the CA WoSign | Eric Mill | 24/08/16 09:09 | For the thread's reference, here's the crt.sh link for the misissued GitHub
certificate: https://crt.sh/?id=29647048 Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or Microsoft's disallowedcert.stl. > _______________________________________________ > dev-security-policy mailing list > dev-secur...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> |
| Re: Incidents involving the CA WoSign | Gervase Markham | 24/08/16 09:31 | Hi Jeremy,
On 24/08/16 17:12, Jeremy Rowley wrote: > On incident 0, its unclear whether a cert was actually mis-issued. > Although they used a higher level port, did the researcher > successfully bypass WoSign's domain validation process? Is the only > concern that WoSign permitted higher level ports? The result of the incident was that a certificate was issued to someone who did not, in the normally understood sense of the word, have control of the domain in question. Mozilla feels that even without a specific injunction in the BRs, CAs should have known that ports > 1024 are not privileged and not done control checks using them. The severity of the problem, of course, is a matter for discussion here. > On incident 2, it sounds like they are both using the same > auto-generation script. It seems like a bit more than that, doesn't it? Let's presume that WoSign did not ship a copy of their intermediate cert's private key to StartCom. Therefore, this cert must have been issued on the back end by some sort of WoSign system. So either WoSign's back-end issuing service has some form of authentication and the StartCom system had those credentials (why?), or the WoSign system does not have any form of authentication (concerning). > Giving WoSign the benefit of the doubt, it > sounds like maybe it was a bug in their software that permitted SHA1 > certs not an intentional back-dating issue. Is there any clarity > around how this worked? Perhaps WoSign would like to provide some :-) Gerv |
| Re: Incidents involving the CA WoSign | Peter Bowen | 24/08/16 09:44 | On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <ge...@mozilla.org> wrote:I think you are missing the most likely option: CA hosting. My understanding is that it is not uncommon that one CA operator contracts with another CA operator to run a CA on behalf of the first operator. I don't think it has been clear what disclosure of this practice is required. Given that I believe this is widespread, I assumed that all of the issuing CAs in this case were operated by the same entity. Thanks, Peter |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 24/08/16 13:19 | On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley
<jeremy...@digicert.com> wrote: > However, the fact a researcher was able to obtain a cert without proper domain > validation is pretty serious. I'd like to hear more details about how this was > accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone > merely for port use seems harsh when there wasn't a policy against it. There was no restriction on ports at all. Any client-specified port was accepted, and any HTTP-like response it gave back was accepted. |
| Re: Incidents involving the CA WoSign | s...@gmx.ch | 24/08/16 17:22 | Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about all (mis) issued certs in the past and have to provide this info in the future. If they can't, I think we may consider if the current certs that are valid for 3 years should be restricted to a shorter period. Regards, Jonas |
| RE: Incidents involving the CA WoSign | Richard Wang | 24/08/16 19:58 | this cert is revoked in the same once it is issued.
Thanks for posting to CT. Best Regards, Richard Valid for 3 years, for github.com<http://github.com>. It's not in OneCRL, CRLset, or Microsoft's disallowedcert.stl. discovered it when trying to get a certificate for med.ucf.edu<http://med.ucf.edu> and mistakenly also applied for www.ucf.edu<http://www.ucf.edu>, which was approved. They then confirmed the problem by using their control oftheiraccount.github.com/theiraccount.github.io<http://theiraccount.github.com/theiraccount.github.io> to get a cert for github.com<http://github.com>, github.io<http://github.io>, and www.github.io<http://www.github.io>. recently, they got in touch with Google to note that the ucf.edu<http://ucf.edu> cert still had not been revoked almost a year later.* The lack of revocation of the ucf.edu<http://ucf.edu> certificate (still unrevoked at Taking into account all these incidents and the actions of this CA, Gerv, Kathleen and Richarddev-secur...@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy -- konklone.com<https://konklone.com> | @konklone<https://twitter.com/konklone> |
| RE: Incidents involving the CA WoSign | Richard Wang | 24/08/16 20:40 | See below inline, thanks.
Best Regards, Richard -----Original Message----- From: Gervase Markham [mailto:ge...@mozilla.org] Sent: Thursday, August 25, 2016 12:31 AM To: Jeremy Rowley <jeremy...@digicert.com>; mozilla-dev-s...@lists.mozilla.org Cc: Richard Wang <ric...@wosign.com> Hi Jeremy,
> On incident 0, its unclear whether a cert was actually mis-issued.R: We got report from Google, but don’t tell me if any mis-issued certificate happen, just tell us to forbidden this high level port. We are searching our database to try to find if any mis-issued cert is issued. And will update to this mail list. R: NOT this case you think. Due to root inclusion problem, WoSign root is cross signed by StartCom since 2011. And we shared some facility with StartCom like CRL and OCSP distribution etc. But not this case, as I declared in the previous email, this is a API parameter option that can post data to any server located in any place. R: I think we said clearly in the related Bugzilla ☺ Gerv |
| RE: Incidents involving the CA WoSign | Richard Wang | 24/08/16 20:42 | Yes, correct.
Best Regards, From: Peter Bowen [mailto:pzb...@gmail.com] Cc: Jeremy Rowley <jeremy...@digicert.com>; mozilla-dev-s...@lists.mozilla.org; Richard Wang <ric...@wosign.com> On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <ge...@mozilla.org> wrote: |
| RE: Incidents involving the CA WoSign | Richard Wang | 24/08/16 21:05 | We revoked this certificate, and we know this certificate is for test only.
For transparency, WoSign announced full transparency for all SSL certificate from July 5th that post all issued SSL certificate to Google log server, browsers can distrust WoSign issued SSL certificate after that day if no SCT embedded data in the certificate. And WoSign even plan to post the code signing certificate and client certificate to log server for full transparency for all certificates. See this news if you missed: https://www.wosign.com/english/News/2016_wosign_CT.htm. And we plan to setup an free alert service for worldwide users that if any SSL certificate for domain you care is issued from any CA, then you can get the alert email, this will benfit the ecosystem.
Of course, adding the affected certs to OneCRL should be done immediately. > For the thread's reference, here's the crt.sh link for the misissued> Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or |
| Re: Incidents involving the CA WoSign | Matt Palmer | 24/08/16 23:48 | On Thu, Aug 25, 2016 at 04:03:04AM +0000, Richard Wang wrote:That would be slightly more reassuring if there wasn't a history of certs being issued with seemingly misleading notBefore values... Separately, do you have any thoughts on the reports that WoSign's BR auditor did not note any of the misissuances? Also, what changes, exactly, has WoSign implemented to its policies and procedures to ensure that all trust programs in which WoSign is a participant are notified of future incidents, in line with each program's requirements? - Matt -- "The user-friendly computer is a red herring. The user-friendliness of a book just makes it easier to turn pages. There's nothing user-friendly about learning to read." -- Alan Kay |
| RE: Incidents involving the CA WoSign | Richard Wang | 25/08/16 00:14 | Thanks for your friendly reminder.
We can post all 2015 issued SSL certificate to CT log server if necessary. For BR auditor, I think this issue is too technical that fewer auditor can find out this problem. We will add the quality control system to PKI system before issuing the certificate, and will check the crt.sh or use the CABF lint and X590 Lint to check the certificate before and after the certificate is issued to prevent such case, if such case happen, we will notify all browsers instantly.
_______________________________________________https://lists.mozilla.org/listinfo/dev-security-policy |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 25/08/16 12:09 | On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:Is there any reason not to do that proactively? The audit letter included an attestation from Management that, during the time of the audit, management believed that the CA complied with the Baseline Requirements. Management was aware of non-compliance, by virtue of revocation and system and procedural changes to align with compliance. Thus, do you believe it was faithful and accurate for Management to warrant that the CA was operated in compliance with the BRs, given that Management was aware of incidents of non-compliance? |
| Re: Incidents involving the CA WoSign | Matt Palmer | 25/08/16 16:35 | On Thu, Aug 25, 2016 at 07:11:18AM +0000, Richard Wang wrote:That doesn't provide any assurance, in the face of misleading notBefore values in certificates. Without strong assurances that whatever failure of systems or processes allowed misleading notBefore values to end up in certificates has been corrected, the only way to be sure that there are no shenanigans going on is for *all* certificates issued by WoSign, *regardless* of their purported issuance date, to carry SCTs from a qualified log (or have them presented at TLS establishment), and have the "effective date" for the purposes of compliance with relevant standards and guidelines to be the date of the earliest SCT presented. This is because the notBefore value in the certificate, being produced by a flawed process which allows misleading values to be used, is useless for the purposes of determining when the certificate was *actually* issued. Any TLS connection using a WoSign-issued certificate which does not present SCTs would have to be considered completely untrustworthy. I believe Ryan has done an excellent job of outlining the concerns with this statement. This neither addresses the question I posed, nor does it contain sufficient specificity to be reassuring. I asked: I'm after the specifics of the changes to WoSign's policies and procedures regarding *notification*, not quality control. What were WoSign's previous policies and procedures regarding notification (obviously there was something in place, since Google was notified), and what changes have been made to improve those policies to ensure that all root programs are notified in line with each program's requirements in the future? - Matt -- I told [my daughter] that if I see her digging a hole that she might not be able to crawl out of, my job isn't to stand back and say "That's a *real* nice hole you're digging there". -- Paul Tomblin, ASR |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 25/08/16 17:16 | On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them. It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread. |
| Re: Incidents involving the CA WoSign | Matt Palmer | 25/08/16 19:03 | On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote:Oh, wow. I totally misread the initial report. That's almost certainly much *worse*, then, because it's not simply a matter of some adjustments to an existing process to improve it, but likely the development and deployment of an entirely new process. - Matt -- The main advantages of Haynes and Chilton manuals are that they cost $15, where the factory manuals cost $100 and up, and that they will tell you how to use two hammers, a block of wood, and a meerkat to replace "special tool no. 2-112-A" -- Matt Roberds in asr. |
| RE: Incidents involving the CA WoSign | Richard Wang | 25/08/16 20:05 | See below inline, thanks.
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: Is there any reason not to do that proactively?R: OK, we will post all 2015 issued SSL certificates to CT log server, but this take time since we issued 115K SSL certificate in 2015. Now we are posting the (1) using higher level port validated orders related to incident 0, total 72 certificates. To be clear, those certificates are validated by website control validation method that using other port except 80 and 443; (2) Mis-issued certificate with un-validated subdomain related to incident 1, total 33 certificates. I will list all crt.sh URL to this mail thread. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks.
The audit letter included an attestation from Management that, during the time of the audit, management believed that the CA complied with the Baseline Requirements.R: This is my fault that I think it is not serious enough to state in the assertion letter, now I know and every related employee know how to do this in the future. |
| RE: Incidents involving the CA WoSign | Richard Wang | 25/08/16 20:32 | See below inline, thanks
On Thu, Aug 25, 2016 at 07:11:18AM +0000, Richard Wang wrote: That doesn't provide any assurance, in the face of misleading notBefore values in certificates. Without strong assurances that whatever failure of systems or processes allowed misleading notBefore values to end up in certificates has been corrected, the only way to be sure that there are no shenanigans going on is for *all* certificates issued by WoSign,R: As I declared in the Bugzilla, only two certificate is the backdated certificate that not issued by normal system, it is a API bug that found and used by Computest to get the two backdates certificate, not WoSign normally issued this two cert. And this two test certificate are revoked after we got report, we stopped this API and delete the bug code. As we stated in WoSign website, browsers can distrust WoSign issued certificate after July 5th that no SCT embedded data, this is for full transparency.
I believe Ryan has done an excellent job of outlining the concerns with this statement.> participant are notified of future incidents, in line with each > program's requirements? R: Sorry, I don't say it clear, please forgive my bad English since my native language is Chinese. As I said this is my fault that we don't understand the Mozilla policy clearly that we don't think we need to report. But now we are clear that all mis-issued certificate case and any reported bug related system change also need to report. I and every related employee all clear now, then we can guarantee we will do it well in the future. Why we log all SSL certificate from July 5th is for full transparency to let all related parties can report to us in the first time after the certificate is issued.
|
| RE: Incidents involving the CA WoSign | Richard Wang | 25/08/16 20:35 | Yes, sorry for this.
As I admitted that this discussion gives us a big lesson that we know when we need to report incident to all browsers. We guarantee we will do it better.
On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote: > I'm after the specifics of the changes to WoSign's policies and Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them. It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread. |
| RE: Incidents involving the CA WoSign | Richard Wang | 25/08/16 20:40 | We know how to do in the future, and believe me we will do this better.
On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote: > On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote: Oh, wow. I totally misread the initial report. That's almost certainly much *worse*, then, because it's not simply a matter of some adjustments to an existing process to improve it, but likely the development and deployment of an entirely new process. |
| Re: Incidents involving the CA WoSign | percy...@gmail.com | 26/08/16 01:05 | The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448
(the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. A quick intro of myself. I'm Percy Alpha and I broke the news on GFW's MITM attack on iCloud, Outlook and Yahoo in 2014 and was later the victim of Great Cannon attack in 2015. |
| Re: Incidents involving the CA WoSign | Percy | 26/08/16 01:15 | In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement.
|
| RE: Incidents involving the CA WoSign | Richard Wang | 26/08/16 01:26 | This is the standard way in China Internet, if a west company say something to China company, all will support the west company.
PLEASE don’t move this technical problem to political issue, thanks.
|
| Re: Incidents involving the CA WoSign | 233sec Team | 26/08/16 12:57 | Wosign's Issue mechanism is high risking for large enterprise.
This is one prove: https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to alibaba, which are Chinese biggest online shopping websites. With the fake cert's middle man attack, password stealing, information leaking... |
| Re: Incidents involving the CA WoSign | Jonathan Rudenberg | 26/08/16 13:24 | Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704
Can you provide more details about where this certificate came from? Did you issue it using one of the vulnerabilities discussed in this thread? |
| RE: Incidents involving the CA WoSign | Richard Wang | 28/08/16 21:49 | On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? R: OK, we will post all 2015 issued SSL certificates to CT log server, but this take time since we issued 115K SSL certificate in 2015. For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in crt.sh, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks. https://crt.sh/?id=7036355 https://crt.sh/?id=29805552 https://crt.sh/?id=7678955 https://crt.sh/?id=29805553 https://crt.sh/?id=29805554 https://crt.sh/?id=29805555 https://crt.sh/?id=29805556 https://crt.sh/?id=6798197 https://crt.sh/?id=29805558 https://crt.sh/?id=6798107 https://crt.sh/?id=29805559 https://crt.sh/?id=7728281 https://crt.sh/?id=29805560 https://crt.sh/?id=6639307 https://crt.sh/?id=29805561 https://crt.sh/?id=29805562 https://crt.sh/?id=6805650 https://crt.sh/?id=6739981 https://crt.sh/?id=7966229 https://crt.sh/?id=7094833 https://crt.sh/?id=29805563 https://crt.sh/?id=29805564 https://crt.sh/?id=29805565 https://crt.sh/?id=29805566 https://crt.sh/?id=29805567 https://crt.sh/?id=6843440 https://crt.sh/?id=29805568 https://crt.sh/?id=6999366 https://crt.sh/?id=29805569 https://crt.sh/?id=9534934 https://crt.sh/?id=29806448 https://crt.sh/?id=29813139 https://crt.sh/?id=29647048 For incident 0, the certificate issued related using higher level port validated, total 72 certificates. To be clear, those certificates are validated by website control validation method that using other port except 80 and 443. So we think those certificate no need to be revoked. The crt.sh link just for your reference. https://crt.sh/?id=29805572 https://crt.sh/?id=7022909 https://crt.sh/?id=7564839 https://crt.sh/?id=29805573 https://crt.sh/?id=29805574 https://crt.sh/?id=29805575 https://crt.sh/?id=29805576 https://crt.sh/?id=29805577 https://crt.sh/?id=6969460 https://crt.sh/?id=29805578 https://crt.sh/?id=29805579 https://crt.sh/?id=29805580 https://crt.sh/?id=29805581 https://crt.sh/?id=29805582 https://crt.sh/?id=29805584 https://crt.sh/?id=29805585 https://crt.sh/?id=29805586 https://crt.sh/?id=9911443 https://crt.sh/?id=29805587 https://crt.sh/?id=7122803 https://crt.sh/?id=29805588 https://crt.sh/?id=29805589 https://crt.sh/?id=9985267 https://crt.sh/?id=29805590 https://crt.sh/?id=29805591 https://crt.sh/?id=29805592 https://crt.sh/?id=29805593 https://crt.sh/?id=29805594 https://crt.sh/?id=7224978 https://crt.sh/?id=10917791 https://crt.sh/?id=29805595 https://crt.sh/?id=29805596 https://crt.sh/?id=29805597 https://crt.sh/?id=6788465 https://crt.sh/?id=7224923 https://crt.sh/?id=9169568 https://crt.sh/?id=6836953 https://crt.sh/?id=29805598 https://crt.sh/?id=8172756 https://crt.sh/?id=29805599 https://crt.sh/?id=29805600 https://crt.sh/?id=7021184 https://crt.sh/?id=29805601 https://crt.sh/?id=29805602 https://crt.sh/?id=29805603 https://crt.sh/?id=29805604 https://crt.sh/?id=6927114 https://crt.sh/?id=6777468 https://crt.sh/?id=9793847 https://crt.sh/?id=29805605 https://crt.sh/?id=29805606 https://crt.sh/?id=29805607 https://crt.sh/?id=29805608 https://crt.sh/?id=9932344 https://crt.sh/?id=29805609 https://crt.sh/?id=29805610 https://crt.sh/?id=6880740 https://crt.sh/?id=29805611 https://crt.sh/?id=29805612 https://crt.sh/?id=7015627 https://crt.sh/?id=10008992 https://crt.sh/?id=29805613 https://crt.sh/?id=29805614 https://crt.sh/?id=29805615 https://crt.sh/?id=29805616 https://crt.sh/?id=7046181 https://crt.sh/?id=29805617 https://crt.sh/?id=29805618 https://crt.sh/?id=29805619 https://crt.sh/?id=7121749 https://crt.sh/?id=29805620 https://crt.sh/?id=6999366 Best Regards, Richard |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 01:27 | On 24/08/16 17:44, Peter Bowen wrote:
> I think you are missing the most likely option: CA hosting. My > understanding is that it is not uncommon that one CA operator > contracts with another CA operator to run a CA on behalf of the first > operator. I don't think it has been clear what disclosure of this > practice is required. Given that I believe this is widespread, I > assumed that all of the issuing CAs in this case were operated by the > same entity. If StartCom are hosting WoSign's infra (seems less likely), then it's still a pretty severe mistake to accidentally issue a certificate from one of your customer's roots rather than your own, although one might say the mistake in this case would be StartCom's. If WoSign are hosting StartCom's infra, it still leaves open the question of why StartCom are deploying code that WoSign are no longer using, and haven't for six months, and why WoSign permitted the StartCom UI to issue WoSign certificates at all. Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 01:33 | On 25/08/16 04:38, Richard Wang wrote:
> R: NOT this case you think. Due to root inclusion problem, WoSign > root is cross signed by StartCom since 2011. And we shared some > facility with StartCom like CRL and OCSP distribution etc. But not > this case, as I declared in the previous email, this is a API > parameter option that can post data to any server located in any > place. At what point in this process is the domain control validation done? Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 01:38 | On 26/08/16 04:33, Richard Wang wrote:
> As I admitted that this discussion gives us a big lesson that we know > when we need to report incident to all browsers. We guarantee we will > do it better. Richard, You have been involved in this (Mozilla) discussion group and in the CAB Forum for several years. In that time, you will have seen multiple CAs disclose instances where certificates were misissued, and you will have seen root programs take such disclosures seriously and consider them important. Did it not occur to you that the same standard of disclosure that everyone else was using should also apply to WoSign? Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 01:41 | On 29/08/16 05:46, Richard Wang wrote:Er, no. If these certificates were issued with unvalidated parent domains (e.g. with github.com when the person validation foo.github.com) then they need to all be revoked. You should actively contact your customers and issue them new certificates containing only validated information, and then revoke these ones. Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 01:43 | On 26/08/16 06:12, 233sec Team wrote:
> https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to alibaba, which are Chinese biggest online shopping websites. > With the fake cert's middle man attack, password stealing, information leaking... Can you prove you have control of the private key associated with this certificate? Gerv |
| Re: Incidents involving the CA WoSign | Patrick Figel | 29/08/16 06:55 | Richard,
the problem with this approach is that the *subscriber* might not be authorized to make this decision for the parent domain. To go back to the GitHub case, the "owner" of a github.io subdomain telling you that they are authorized to own a certificate that covers github.io is irrelevant, as they have never demonstrated ownership of that domain. The right approach would be to revoke the affected certificates immediately and inform your subscribers that they will need to re-issue their certificates (while also verifying ownership of the root domain). Here's another similar case - cloudapp.net, which belongs to Microsoft Azure. I'm fairly certain this certificate was not authorized by Microsoft: https://crt.sh/?id=29805555 Thanks, Patrick On 29/08/16 11:30, Richard Wang wrote: > Yes, we plan to revoke all after getting confirmation from > subscriber. We are doing this. > > Regards, > > Richard > >> On 29 Aug 2016, at 16:38, Gervase Markham <ge...@mozilla.org> >> _______________________________________________ dev-security-policy >> mailing list dev-secur...@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy |
| Re: Incidents involving the CA WoSign | 233sec Team | 29/08/16 09:08 | Not vulnerabilities mentioned in this thread, but a Human-Audit weak process.
Detail you can see the reply content i send to Mr.Wang 在 2016年8月27日星期六 UTC+8上午4:24:44,Jonathan Rudenberg: > Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704 > > Can you provide more details about where this certificate came from? Did you issue it using one of the vulnerabilities discussed in this thread? > > > On Aug 26, 2016, at 01:12, 233sec Team <inao...@gmail.com> wrote: > > > > Wosign's Issue mechanism is high risking for large enterprise. > > This is one prove: > > |
| Re: Incidents involving the CA WoSign | 233sec Team | 29/08/16 09:08 | Of course I have private key of this certificate
Gervase Markham <ge...@mozilla.org>于2016年8月29日 周一16:42写道:
> > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e |
| Re: Incidents involving the CA WoSign | Tobias Sachs | 29/08/16 09:08 | Is there any plan to revoke the certificate in OneCRL soon? And how we could speed this up? @ Kathleen Wilson
|
| Re: Incidents involving the CA WoSign | mar...@marcan.st | 29/08/16 09:08 | Not only that, I see *two* certs issued for GitHub subdomains plus the parent domain:
https://crt.sh/?id=29647048 https://crt.sh/?id=29805567 Why wasn't this additional cert identified and disclosed prior to the aforementioned list being posted? It seems a no-brainer to manually audit the list for obvious cases of mis-issuance (i.e. not only the domain was not validated, but the customer clearly has no ability to validate it if asked). |
| Re: Incidents involving the CA WoSign | xcrai...@gmail.com | 29/08/16 09:09 | On Friday, August 26, 2016 at 4:26:26 PM UTC+8, Richard Wang wrote:
> This is the standard way in China Internet, if a west company say something to China company, all will support the west company. -- especially when local CAs are losing credibility to end-users. Microsoft Azure's Chinese website[1] has migrated from CNNIC CA, to WoSign, and recently to DigiCert. CNNIC itself, ironically, also moved to DigiCert. [1]: azure.cn It is almost axiomatic that without a proper statement & fix (no more 233sec team exploits) made, WoSign will continue losing trust from end-users as well as webmasters. > PLEASE don’t move this technical problem to political issue, thanks. Very unfortunately WoSign's advertisements are seemingly doing the opposite. On this comparison between WoSign and foreign CAs[2], you made the following statements: [2]: http://wayback.archive.org/web/20160828045112/https://www.wosign.com/about/WoSign_ForeignCA_compare.htm * Security: handled by Chinese company itself, fully secure. (Foreign CA: System Security should not be a problem, but risks of random revokes and/or access failures exist.) * Compliance with Chinese Law: Yes (Foreign CA: No, legal risks exist.) > Best Regards, > > Richard > > -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosi...@lists.mozilla.org] On Behalf Of percy...@gmail.com > Sent: Friday, August 26, 2016 4:05 PM > To: mozilla-dev-s...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 > (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. > > A quick intro of myself. > I'm Percy Alpha and I broke the news on GFW's MITM attack on iCloud, Outlook and Yahoo in 2014 and was later the victim of Great Cannon attack in 2015. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 29/08/16 10:26 | On 29/08/16 09:48, 蓝小灰 wrote:I have asked 蓝小灰 for cryptographic proof of this. Gerv |
| Re: Incidents involving the CA WoSign | Percy | 29/08/16 14:53 | Gerv, I've notified the security team in Alibaba about this possible fake cert and ask them to confirm that they have not applied a cert.
It's unlikely that Alibaba will use a free cert from WoSign. As a commercial site, they usually use Verisign or globalSign |
| Re: Incidents involving the CA WoSign | Percy | 29/08/16 16:03 | "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"WoSign seems to lack the basic understanding of how a certificate is used in authentication, consequently unfit to be a CA, I call for revocation of WoSign from all root programs immediately. http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html |
| Re: Incidents involving the CA WoSign | dion...@gmail.com | 30/08/16 08:18 | If I understand correctly, these 105 certificates are all mis-issued using the incorrect policies of either (0) website control validation with higher port numbers, or (1) parent domain-name verification by demonstrating control of a subdomain.
It is unclear why, given the fact that incorrect validation was done for these certificates, they are not already revoked. I don't understand why you are expecting a report from your respective subscriber to do that, as they have not proven control of the domain names in any case. These certificates must all be revoked immediately.
|
| Re: Incidents involving the CA WoSign | dymu...@gmail.com | 30/08/16 08:19 | Both of those certificates were generated by me. The 'motorstoiclathe' cert was a pseudonym made up to do more testing. Note that it's only valid for github.io because the 'schrauger' account was grandfathered into an old DNS redirect, and the new account didn't have that rule. Hence, it wasn't able to be created for the .com domain.
It is interesting that WoSign followed the redirect. I suppose it is assumed that with a 301 permanent redirect that the new domain is controlled by the same person, but that seems a bit sketchy. I had forgotten about the second github.io certificate, but looking back on my emails, it was also revoked the day after it was created. |
| Re: Incidents involving the CA WoSign | Percy | 30/08/16 10:46 | https://crt.sh is down. Maybe someone can check with comodo to see whether they got DDOSed?
Here are the Google CT for the possibly mis-issued certs mentioned in this thread. It would be a lot harder to take down the Google CT. Possible fake cert for Github https://www.google.com/transparencyreport/https/ct/#domain=github.io&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D Possible fake cert for Alibaba, the largest commercial site in China https://www.google.com/transparencyreport/https/ct/#domain=alicdn.com&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D Possible fake cert for Microsoft https://www.google.com/transparencyreport/https/ct/#domain=cloudapp.net&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D |
| Re: Incidents involving the CA WoSign | Rob Stradling | 30/08/16 13:43 | On 30/08/16 18:45, Percy wrote:Sorry about that. crt.sh is back up now. It wasn't a DDOS attack. Every so often something goes awry with the database replication (between crt.sh's master database and front-end slave databases), which causes all of the front-end databases to crash. Somebody (usually me, but I've been out for most of today) is normally around to restart the crashed databases. I don't know why our NOC team didn't fix this several hours ago, but I intend to find out. Perhaps there are some improvements we need to make to our internal monitoring systems. I can't disagree with that statement. :-) That said, I'll see what I can do to improve crt.sh's uptime. I already have one offer of help... https://twitter.com/FiloSottile/status/770642205304352768 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online |
| Re: Incidents involving the CA WoSign | Nick Lamb | 30/08/16 18:19 | On Tuesday, 30 August 2016 16:19:18 UTC+1, dymu...@gmail.com wrote:Hmm. I think that if there's a 301 redirect in place for every URL then in practice the effect is that the target site does control the content of the origin site. Such circumstances already exist without redirects. Suppose the site http://theclown.example.net/ functions as a thin proxy of another site, say http://famous-cloud-provider.example.com/ and simply copies the contents of equivalent resources at this other site, but replaces all instances of the word "cloud" in human-readable text with "clown". An amusing prank. We can expect that the legitimate owner of famous-cloud-provider.example.com would be able to obtain a certificate for theclown.example.net by obeying either the typical ad hoc validation scheme of the sort which you experienced with WoSign, or a Ballot 169-compliant scheme like ACME. This is because it is very unlikely that the validation content would include the exact word "cloud" and so it would pass through the proxy unaltered and be readable by the CA's validation system when checking theclown.example.net But this seems like no great loss, since in fact the contents of theclown.example.net are almost exactly controlled by famous-cloud-provider.example.com, the certificate's implications about who controls theclown.example.net are functionally true. If the legitimate owner of theclown.example.net doesn't want this to be possible under prior ad hoc validation systems it's a bit tricky to prevent, but under Ballot 169 it's simply a matter of making /.well-known/ exempt from the proxy rule, which is anyway already a very good idea. NB. If my musing inspires substantial further debate it should happen in another thread, not this one about WoSign. |
| Re: Incidents involving the CA WoSign | Peter Bowen | 30/08/16 19:44 | On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <ge...@mozilla.org> wrote:
> Dear m.d.s.policy, > > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. This email sets out our understanding of the situation. > > Before we begin, we note that Section 1 of the Mozilla CA Certificate > Enforcement Policy[0] says: "When a serious security concern is noticed, > such as a major root compromise, it should be treated as a > security-sensitive bug, and the Mozilla Policy for Handling Security > Bugs should be followed." It is clear to us, and appears to be clear to > other CAs based on their actions, that misissuances where domain control > checks have failed fall into the category of "serious security concern". I have run into another bug that appears to be fixed in WoSign's infrastructure but is worth noting. In April 2015, two different WoSign CAs issued multiple certificates to distinct subjects using the same serial number. The CT logs have picked up two instances of this occuring: https://crt.sh/?serial=0D3BBDC3A0175E38F9D0070CD050986A shows eight distinct certificates with the same serial number, all with notBefore dates of 2015-04-14. https://crt.sh/?serial=056D1570DA645BF6B44C0A7077CC6769 shows dozens of distinct certificates with the same serial number, with notBefore dates between 2015-04-10 and 2015-04-14. I have not examined their management assertions to see if this was documented and I do not know if this was reported to Mozilla at the time. These certificates do not appear to meet RFC 5280's requirements, which say: "The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate)" (https://tools.ietf.org/html/rfc5280#section-4.1.2.2) Was Mozilla advised of this issue? Thanks, Peter |
| unk...@googlegroups.com | 30/08/16 19:47 | <This message has been deleted.> | |
| RE: Incidents involving the CA WoSign | Richard Wang | 30/08/16 20:07 | This case is in the BR report: https://cert.webtrust.org/SealFile?seal=2019&file=pdf
Thanks.
|
| Re: Incidents involving the CA WoSign | Percy | 31/08/16 01:49 | On Tuesday, August 30, 2016 at 7:47:43 PM UTC-7, itk9...@gmail.com wrote:
> Wosign indirectly bought StartSSL, https://www.letsphish.org Ha! It makes so much sense now why StartEncrypt is such a catastrophe(https://www.google.com/search?q=StartEncrypt). I've revoked all StarCom certs in my OS. Thanks for the heads up! |
| RE: Incidents involving the CA WoSign | Peter Gutmann | 31/08/16 02:17 | itk...@gmail.com <itk...@gmail.com> writes: >Wosign indirectly bought StartSSL, https://www.letsphish.org Has there been any independent investigation into this? We know that CAs are Peter. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 31/08/16 03:16 | On 29/08/16 22:53, Percy wrote:That might also help; thank you. Please ask them to contact me directly to confirm this cert was not requested by them. Gerv |
| Re: Incidents involving the CA WoSign | s...@samspin.net | 31/08/16 05:42 | To the policymakers at Mozilla, my name is Samuel Pinder.
I consider myself an computer network analyst and have a degree in Web Systems Development. I also host a small number of websites on a technical level. I have used Startcom's services for a number of years. I only recently came across WoSign when I discovered that they offer 3-year valid certificates for free for up to 5 hostnames. That seemed quite an excessively long time in my opinion for a free certificate, almost too good to be true. As a customer of effectively both WoSign and Startcom, I have been having gradually growing concerns for some time about their recent practices and this recent news has not helped. I am currently looking into using other CA's for my needs but will watch what happens next closely before making a decision. I firmly believe WoSign have almost 'purchased' Startcom as I noticed that the nameserver domain for startssl.com (namely startcomca.net) would bring up WoSign's website for a time when accessed via a web browser as www.startcomca.net. I personally emailed Eddy Nigg (Startcom founder) about this, and this was eventually changed to redirect to startssl.com. So it is obvious that WoSign is hosting/sharing Startcom's infrastucture on it's own CA hardware/software, which Eddie confirmed in his email reply. The SSL certificate at the time for www.startcom.org had expired for over a week and still does have many broken links. Using the 'Live Chat' on www.startssl.com had a very confused employee tell me that startcom.org is no longer the website for Startcom, but startssl.com is. I stressed that this was confusing to people and that they should redirect the latter if that's the case. However... startcom.org remains using Israeli-based nameservers. Just how closely related Startcom is to WoSign is unknown, but it does mean that almost anything that renders WoSign vulnerable, also applies to Startcom. I would hope that Startcom re-evaluate their relationship with WoSign following this mess at the very least. Regarding WoSign in particular, the SHA-1 miss-issued certificates does look like a genuine mistake, being issued off of an SHA-2 intermediate makes their existence rather pointless in the case of backward compatibility, as old operating systems need a whole SHA-1 chain to validate properly. So there is no obvious motive for this API functionality to be left there on purpose, unless.... a rogue employee/subcontractor left it in place for when a SHA-1 hash collision becomes possible? What is likely here is that SHA-1 used to be the default signature choice, and was indeed legacy functionality left behind. It is very concerning however that despite WoSign having an external audit (which all CA's are meant to have) it appears nobody has independently performed a code audit of their API backend to prevent this being possible in a production environment. With regards to the mis-issued certificates applying to whole base domains validated only sub-domain, that prospect is horrifying. With regards to WoSign's API following 301 redirects from one domain to another though, I have noticed that Let's Encrypt's API (another CA at letsencrypt.org) also has this behaviour. This may be standard behaviour of the ACME protocol. Perhaps it would be prudent to decide in overall policy whether 301 redirects of verification URLs are acceptable. There are legitimate reasons why this would happen, for example if a customer owned www.example1.com and www.example2.net, but wanted the latter to always redirect to the other (because for example of a name change, but had many hardcoded https:// links), they would otherwise have to temporarily disable the redirect to get an SSL certificate covering both domains when validating with this method. With regards to ports other than 80 and 443 and 8080 being used for validation, I think the motive of this is because China has a mandatory media licencing requirement (ICP licence) for all servers that operate on either ports. It may not be practical for an individual in China to get one of these licences just to be able to gain an SSL certificate with this validation method. Of course allowing higher numbered ports does not give much excuse. I tested WoSign's website today however and can confirm that they have removed URL-based file verification, and now only allow DNS or email (from WHOIS) validation. All that's well and good, but the fact remains that there could be many other mis-issued certificates already in existence and the scope remains unknown at this point just how many. We only have WoSign's word that all of the mis-issued certificates are known and/or revoked. If it cannot be certain that WoSign have revoked all incorrectly-validated certificates, then the obvious choice is to add the "WoSign CA Free SSL Certificate G2" intermediate to OneCRL, and possibly their DV intermediate too, as these intermediates are known to have mis-issued certificates whilst their other intermediates have always had tighter validation requirements for OV and EV validation. That approach would certainly be painful for existing users and would require WoSign to immediately contact current and past customers to have new certificates issued from a new intermediate, once it is certain that all the bugs in the validation procedures have been resolved. Would it be appropriate to give customers time before such action is taken, given that it would break many websites, or does the risk of data leaks from unknown mis-issued certificates outweigh the need to give customers time? The other option of simply preventing any newly-issued certificates from being accepted in browers does not seem a very good idea given that WoSign have been known to backdate certificates. In fact, I would even suggest that WoSign cease issuing free certificates (and most possibly paid DV certificates) and in the meantime have an independent audit of their backend to ensure all vulnerablities are closed, with the results made public. Only then should they recommence issuance- at least on an automated scale. GlobalSign did something similar to this when there was speculation that the hacker responsible for compromising Diginotar had also breached them, at great risk to their business but ultimately gained respect in the process. Given the severity of these incidents and the fact they went unreported though I would not be surprised if WoSign's whole roots are blacklisted eventually if WoSign do not get their act together. The promise to completely commit to Certificate Transparency is quite a step, but it does not change what has already happened. WoSign's recent announcement gives me the impression they expect others to manually scour the CT logs once they upload their 2015 certificate data for mis-issuances that need revoking rather than do this themselves. Whilst it may *technically* be 'transparent' with CT, they don't seem in the spirit of things being completely transparent with their practices- in particular the relationship between Startcom and WoSign. At least one of these incidents actually occurred during research into Startcom, and it turned out the API was being shared by both CA's. Given the circumstances, I think it is appropriate to ask just what the relationship is between them. For me, it appears they are now one and the same, while the original 'Startcom' infratructure I once trusted is gathering dust and has been abandoned. I think I'll be taking my needs to another CA very soon if things don't look up! Samuel Pinder > Incident 0 > ---------- > > On or around April 23rd, 2015, WoSign's certificate issuance system for > their free certificates allowed the applicant to choose any port for > validation. Once validation had been completed, WoSign would > issue certificates for that domain. A researcher was able to obtain a > certificate for a university by opening a high-numbered port (>50,000) > and getting WoSign to use that port for validation of control. > > This problem was reported to Google, and thence to WoSign and resolved. > Mozilla only became aware of it recently. > > * Before the recent passage of Ballot 169 in the CAB Forum, which limits > the ports and paths which can be used, the Baseline Requirements said > that one acceptable method of domain validation was "Having the > Applicant demonstrate practical control over the FQDN by making an > agreed‐upon change to information found on an online Web page identified > by a uniform resource identifier containing the FQDN". This method > therefore did not violate the letter of the BRs. However, Mozilla > considers the basic security knowledge that ports over 1024 are > unprivileged should have led all CAs not to accept validations of domain > control on such ports, even when not documented in the BRs. > > * The misissuance incident was not reported to Mozilla by WoSign as it > should have been (see above). > > * This misissuance incident did not turn up on WoSign's subsequent BR > audit[1]. > > Incident 1 > ---------- > > In June 2015, an applicant found a problem with WoSign's free > certificate service, which allowed them to get a certificate for the > base domain if they were able to prove control of a subdomain. > > The reporter proved the problem in two ways. They accidentally > discovered it when trying to get a certificate for med.ucf.edu and > mistakenly also applied for www.ucf.edu, which was approved. They then > confirmed the problem by using their control of > theiraccount.github.com/theiraccount.github.io to get a cert for > github.com, github.io, and www.github.io. > > They reported this to WoSign, giving only the Github certificate as an > example. That cert was revoked and the vulnerability was fixed. However > recently, they got in touch with Google to note that the ucf.edu cert > still had not been revoked almost a year later. > > * The lack of revocation of the ucf.edu certificate (still unrevoked at > time of writing, although it may have been by time of posting) strongly > suggests that WoSign either did not or could not search their issuance > databases for other occurrences of the same problem. Mozilla considers > such a search a basic part of the response to disclosure of a > vulnerability which causes misissuance, and expects CAs to keep records > detailed enough to make it possible. > > * This misissuance incident was not reported to Mozilla by WoSign as it > should have been (see above). > > * This misissuance incident did not turn up on WoSign's subsequent BR > audit[1]. > > Incident 2 > ---------- > > In July 2016, it became clear that there was some problems with the > StartEncrypt automatic issuance service recently deployed by the CA > StartCom. As well as other problems it had, which are outside the scope > of this discussion, changing a simple API parameter in the POST request > on the submission page changed the root certificate to which the > resulting certificate chained up. The value "2" made a certificate > signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free > SSL Certificate G2" and "0" selected "CA 沃通根证书", another root > certificate owned by WoSign and trusted by Firefox. > > Using the value "1" led to a certificate which had a notBefore date > (usage start date) of 20th December 2015, and which was signed using the > SHA-1 checksum algorithm. > > * The issuance of certificates using SHA-1 has been banned by the > Baseline Requirements since January 1st, 2016. Browsers, including > Firefox, planned to enforce this[2] by not trusting certs with a > notBefore date after that date, but in the case of Firefox the fix had > to be backed out due to web compatibility issues. However, we are > considering how/when to reintroduce it, and CAs presumably know this. > > * The issuance of backdated certificates is not forbidden, but is listed > in Mozilla's list of Problematic Practices[3]. It says "Minor tweaking > for technical compatibility reasons is accepted, but backdating > certificates in order to avoid some deadline or code-enforced > restriction is not." > > * WoSign deny that their code backdated the certificates in order to > avoid browser-based restrictions - they say "this date is the day we > stop to use this code"[4]. If that is true, it is not clear to us how > StartCom came to deploy WoSign code that WoSign itself had abandoned. > > * It seems clear from publicly available information that StartCom's > issuance systems are linked to WoSign's issuance systems in some way. > Nevertheless, it should not have been possible for an application for a > cert from StartCom to produce a cert signed by WoSign. > > * This misissuance incident was not reported to Mozilla by WoSign as it > should have been. > > > Taking into account all these incidents and the actions of this CA, > Mozilla is considering what action to take. Your input is welcomed. > > Gerv, Kathleen and Richard > > > [0] > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ > [1] https://cert.webtrust.org/SealFile?seal=2019&file=pdf > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=942515 > [3] > https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 |
| Re: Incidents involving the CA WoSign | Gervase Markham | 31/08/16 06:45 | On 24/08/16 14:08, Gervase Markham wrote:Just as a note, this information is incomplete - the enforcement returned for publicly-trusted CAs in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1254667 , since Firefox 48. Gerv |
| Re: Incidents involving the CA WoSign | ian...@gmail.com | 31/08/16 10:06 | On Tuesday, August 30, 2016 at 1:03:57 AM UTC+2, Percy wrote:I concur absolutely and as such, urge all vendors to revoke WoSign as a trusted CA. |
| Re: Incidents involving the CA WoSign | joze...@gmail.com | 31/08/16 10:07 | As an admin I want to check the WoSign Issuer Policy provided by their "WoSign CA Free SSL Certificate G2" certificate.
Issuer Policy is linked to http://www.wosign.com/policy/ This page shows the source code instead of actual policy. <% Dim strAcceptLanguage strAcceptLanguage=Request.ServerVariables("HTTP_ACCEPT_LANGUAGE") 'response.write strAcceptLanguage if instr(strAcceptLanguage,"zh")>0 then Response.Redirect "cps.htm" else Response.Redirect "cps_e.htm" end if %> WoSign does not look like trust worthy CA. Unfortunately their certificates are trusted because the StartCom CA is trusted by OS. |
| Re: Incidents involving the CA WoSign | watso...@gmail.com | 31/08/16 10:07 | On Tuesday, August 30, 2016 at 8:07:49 PM UTC-7, Richard Wang wrote:Dear Richard, It's clear WoSign has continuing compliance issues with CA/Browser forum rules, and has repeatedly failed to correct them. Furthermore there has been lots of questions about what it would take to improve CA practices given the degree of incompetence some have practiced, and it's clear penalties would go a long way. Is there a reason we shouldn't permanently ban WoSign, and all CAs controlled by people involved with it, from the root program? It seems clear that WoSign has been misleading its auditors repeatedly and has insufficient tracking of which certificates are issued, has been aware of these problems for years, and has not been forthright in addressing them. Making an example would do a lot to encourage better CA behavior in general. Sincerely, Watson Ladd |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 31/08/16 11:13 | On Wednesday, August 31, 2016 at 10:07:19 AM UTC-7, watso...@gmail.com wrote:For how long? These are all very compelling arguments. This is less compelling, because "making an example" seems a subjective judgement/punitive response, although you to clarify "to encourage better CA behaviour". At present, it looks like there's around 60K (active, valid) WoSign certs presently logged in CT logs, either through WoSign's logging or through secondary sources (such as Google's crawling). Richard has indicated that WoSign issued around 115K certificates in 2015 alone, but it's unclear how much overlap that would have; if we assume the worst case, and that they're all unique certs not previously before seen/logged (for example, perhaps due to the Great Firewall causing difficulty for Google's crawler), and if we generously extrapolate the same amounts for 2014, and take a quarter of that for 2013 certs that could still be valid within the 39 month window, we end up with an "Extreme Worst Case" of 319K certs. While I suspect the number if likely much lower, especially when considering when WoSign switched to SHA-2 (as the SHA-1 certs will be invalid by January 1, 2017), let's operate on two assumptions: 1) "Best Case" of say, ~200K valid certs 2) "Worst Case" of, say, ~319K valid certs If browser vendors/root stores move to distrust WoSign, all of these certs would be invalidated. We know that a number of sites within the Alexa Top 1M are (intentionally) using WoSign, so we can expect a large number of users, across browser vendors, are accessing these sites, and would thus be seeing a significant amount of SSL/TLS error pages if the CA was distrusted. We know that major platform providers (such as Microsoft Azure) have partnered with WoSign as well, and thus further suggest a larger than desired user impact. Setting aside for a second whether or not distrusting is the right action, let's think about what possible responses. A) Remove the CA. Users may manually trust it if they re-add it, but it will not be trusted by default. B) Actively distrust the CA. Even if manually added (by user or enterprise policy), it will not be trusted. C) Remove the CA. Develop a whitelist of pre-existing certificates to be trusted. - What form should this whitelist take? * Shipping it in the binary is unacceptably large. * Downloading it in full on demand is unacceptably large/unreliable. * Checking with a central server for serial number can lead to misleading results (WoSign has shown they issue duplicate serials, and nothing would prevent them from doing so in the future) * Checking with a central server for certificate hash may have privacy considerations. * Conclusion: Something SafeBrowsing-like would have to be developed ( https://developers.google.com/safe-browsing/v4/ ), which could be months away. D) Distrust any certificate without appropriate CT information. Whitelist certs before 2016. - See whitelist problems above E) Distrust certs without appropriate CT information, wholesale. - Note: It appears that WoSign is or has had similar issues to Symantec, failing to log to a diverse-enough set of logs to ensure a robust CT implementation. A quick and random sampling shows, for example, that precertificates are only being logged to Google logs (such as for 8-30-16). Thus, unless an implementation is willing to fully trust Google CT logs alone - something Google themselves are unwilling to do - then this suggests that this may be the same as wholesale distrusting. In effect, a number of these options boil to a set of concerns: - Distrusting can be significantly disruptive to end-users, potentially habituating them to SSL warnings or errors - Distrusting potentially could interfere with those who may still want to trust WoSign manually, themselves - Distrusting in a way that minimizes disruption has concerns for privacy, stability, or timeliness. I'm not trying to suggest that distrusting is right or wrong, but I am curious for those who would advocate distrusting how browser vendors, such as Google and Mozilla, for example, might appropriately balance the concerns of the broader community, while also minimizing any damage, particularly to their users, and avoiding any reactionary responses. It would seem like a form of whitelist (whether to continue trusting WoSign with CT enablement, or distrusting but grandfathering in disclosed certs, ala CNNIC) would require active development and assistance from the broader security and privacy community on how best to balance and scale such concerns, and regardless, would take time to implement, test, and deploy, but would be useful and possibly scalable for other future CA incidents. However, are there alternatives or concerns that I omitted from the above list? In either event, hopefully this thought experiment brings into light the set of concerns that vendors, such as Mozilla and Google, may have to consider, and may help find an appropriate response that reflects the gravity of these incidents, and the handling of them, and may spark the community for ideas and solutions that can help balance those needs. |
| RE: Incidents involving the CA WoSign | Richard Wang | 31/08/16 20:05 | Fair enough, thank you, Ryan.
This is my last formal statement for this issue that I am tired of this argument, I need to go to hospital now :-). First, please treat WoSign as a global trusted CA, DON'T stamp as China CA. We need a fair treatment as other worldwide CAs that I am sure WoSign is not the first CA that have incident and not the serious one; Second, I supplement some data for your reference, please consider those subscribers benefit, especially from many underdeveloped countries that can't afford the too expansive SSL certificate. (1) WoSign totally issued 100K SSL certificates in 2015 that we are posting to CT log server (not 115K, Sorry, I used the wrong search condition); (2) WoSign totally issued 230K SSL certificates till now for worldwide websites about 208 countries and regions. 55% from China, 45% is out of China that 14% from Russia, 4.2% from Germany, 3.6% from Ukraine, 2.1% from USA. Those worldwide subscribers mostly are using WoSign free SSL certificate that shared the benefit of China economy grow. Third, I believe no one dare to say his system no bug, WoSign admitted we have system bug that issued the wrong certificate and fixed. This is why WoSign is the first CA in the world for volunteering to "Require CT", we like to use CT mechanism to find out the bug quickly and reduce the lost to minimum, we logged all issued certificate to CT log server and embedded SCT data to certificate since July 5th. Thanks for Google invent so good transparency system. Finally, I am very sorry to all browsers that we don't execute the incident report policy properly, WoSign get a deep lesson for how to deal with this kind of incident now, I wish everyone give us a chance to be a good boy, at least one-time chance. Thanks a million. Best Regards, Richard Wang CEO WoSign CA Limited
|
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 31/08/16 21:45 | On Wednesday, August 31, 2016 at 8:05:57 PM UTC-7, Richard Wang wrote:I would have hoped, through all of this, that you would have come to realize the seriousness and gravity of the multiple problems that WoSign has had over the past 18 months, rather than continue to dismiss it. You misissued certificates to people who were not authorized. Repeatedly. In multiple separate instances. You have had multiple issues with adhering to the Baseline Requirements, and those have not been disclosed, to your auditors or browsers. Consider Incident -1, which was not listed here in this thread yet, on April 4, 2015, which caused you to update your CPS ( http://www.wosign.com/policy/wosign-policy-1-2-10.pdf ) to correct several issues that Google reported to you regarding non-compliance to your stated policies and to the BRs. Ultimately, CAs are based on trust: - Trust that they're performing the necessary validation and vetting procedures - Trust that they are securing their internal systems from both internal and external threats - Trust that they understand the seriousness of their role as a provider of global certificates, any of which might be used to compromise or attack users, and take adequate steps to ensure the correctness of those operations. Your responses, unfortunately, have done little to instill or affirm that the trust is well placed. Even more so, you're a CA authorized to issue the most rigorous certificates available (Extended Validation), and so the bar is set even higher for your operational controls and processes! - You failed to understand the gravity of the misissuance, and thus failed to revoke these certificates. I would argue this constitutes a further BR violation itself, per Section 4.9.1.1 of the BRs ( https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.8.pdf ), in particular, Items 4 and Items 9 in that list, but would be curious if you disagree. - You have repeatedly suggested this was an honest mistake, suggesting it was a singular issue, when the reality is that it is a pattern of mistakes that have spanned over a year and have led to multiple misissued certificates. - These incidents - including the issue with the CPS page - suggest a software development methodology that fails to adequately ensure the robustness of the systems, and fails to understand the security risks that must be mitigated in such systems. When there are concerns that undermine trust, it's important to engage to restore trust, and so I truly appreciate your involvement in these discussions, and your efforts to restore that trust. And while it's understandable that, in any security incident, there will be disagreements regarding severity or impact, it's vitally important for an entity whose product depends on trust takes steps to understand the issues, understand the perspectives, and takes a careful look to understand why so many people are disagreeing with the risk assessment or mitigation strategy. Alternatively, WoSign dismissed the need to revoke the certificates, despite knowing that they were not validated according to the BRs, routinely violated their CPS, failed to notify either browsers or their auditors of these issues, all while violating other provisions of the Baseline Requirements that were disclosed - such as duplicate serials and SHA-1 certificates. This is a vast departure from, say, the thread last month - https://groups.google.com/d/msg/mozilla.dev.security.policy/9QKw1C3m4Lo/nkg1rcJyAgAJ - and shows how significant the gap in perception and user trust can be, based on how a CA handles an incident and the subsequent public discussion. And yet, although you've committed to logging your certificates, your logging has failed to abide by the one policy that exists for CT logging - the Chromium CT policy ( https://www.chromium.org/Home/chromium-security/certificate-transparency ). While it's laudable that you're logging your certificates at all, there's two important pieces being omitted here: - By only logging to Google logs, you're not necessarily improving trust, because now the burden is to trust Google. - This is an issue I personally informed you about and discussed at length with you on May 25, 2016. For example, as highlighted in the message you're replying to, if Chrome were to do what you requested - and require CT for WoSign certificates - few to none of the WoSign certificates issued since would be trusted. Consider this Precertificate - https://crt.sh/?id=30466652 - and its associated certificate, https://crt.sh/?id=30468277 - which you only logged to Google's Pilot and Aviator logs. That means that in order to trust WoSign certificates, you'd have to trust Google as a single point of trust - which, as I highlighted earlier, is something even Google isn't willing to ask of the public. Don't you believe the evidence shows you've already been given multiple chances, and yet continue to unfortunately find new and distinct ways to misissue certificates? At what point should the community say that enough is enough? That's fundamentally the question here. I realize this may seem like a debate between there "three incidents" (although there have been at least two more BR violating incidents, as highlighted in this message) and "four incidents" (giving you one more chance), but a key goal of this thread was to question whether or not it was believed that WoSign would improve. |
| Re: Incidents involving the CA WoSign | Percy | 31/08/16 23:03 | WoSign totally issued 230K SSL certificates till now for worldwide websites about 208 countries and regions. > If browser vendors/root stores move to distrust WoSign, all of these certs would be invalidated. We know that a number of sites within the Alexa Top 1M are (intentionally) using WoSign, so we can expect a large number of users, across browser vendors, are accessing these sites, and would thus be seeing a significant amount of SSL/TLS error pages if the CA was distrusted. We know that major platform providers (such as Microsoft Azure) have partnered with WoSign as well, and thus further suggest a larger than desired user impact.// Microsoft Azure China has moved from CNNIC to WoSign and ultimately to DigiCert and I assume many large companies will follow suit. If they have not, they will certainly do once they're aware WoSign is pending removal (if removal is decided) Indeed, WoSign has become too big to fail. I would suggest that the decision whether to remove WoSign should be independent of whether it's practical to implement such removal. Otherwise, larger CA basically gained "natural protection" from mere usage numbers over smaller CA in terms of enforcement actions. On the practical implementation, I suggest the following. All existing certs issued by WoSign need to be logged by enough CT logs by say Dec 31, 2016. After Jan 1, 2017, the browser will only trust a cert from WoSign if 1) CT is present 2) The cert is submitted to CT logs before Dec 31, 2016. Or we can use an offline whitelist. How about include SHA-2 of existing WoSign certificates in the binary? So the browser would first check whether it's signed by WoSign, if so, compare the hash of the cert with the offline list. 224 bit hash * 230K certificate = 6.5 MB. Considering the Chrome installer file is almost 70MB, this might be acceptable. |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 01/09/16 00:27 | On Wednesday, August 31, 2016 at 11:03:11 PM UTC-7, Percy wrote:Note: I intentionally did not phrase it in terms of practicality of removal, but practicality of options. Whatever decision is made, it must be implementable, otherwise, it's theatre. So you have to consider what is possible when considering what is appropriate. If we allow ourselves to consider the impossible as options, then it might as well say that any CA that screws up needs to travel back in time and unissue the certificates, since surely that too would solve the problem. CT is not designed nor intended for online checking, so #2 is a non-starter. 1) SHA-2 is 256-bit, not 224-bit 2) A 100KB increase is unacceptable, especially for mobile users. |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 01/09/16 02:37 | On 2016-08-31 20:13, Ryan Sleevi wrote:An other option is to only trust certificates issued before a certain date. We seem to have a problem trusting the date in the certificate, so this might need to be in combination with an SCT from before that date. I think the easiest way to do this is have the SCT in the OCSP response, but it would require the server to do OCSP stapling. It would then be up to the CA to make sure they are submitted to enough logs, that the OCSP server returns them, and that they inform their clients to make sure OCSP stapling is turned on. Kurt |
| Re: Incidents involving the CA WoSign | Erwann Abalea | 01/09/16 05:30 | Bonjour,
[...] > > Or we can use an offline whitelist. How about include SHA-2 of existing WoSign certificates in the binary? So the browser would first check whether it's signed by WoSign, if so, compare the hash of the cert with the offline list. 224 bit hash * 230K certificate = 6.5 MB. Considering the Chrome installer file is almost 70MB, this might be acceptable.The whitelist for EV logged before 01/01/15 contained around 180k certificates, each one identified by a 64bits digest, the list was compressed in order to gain 25%, the result was an object slightly larger than 1MB. Today, this list contains around 110k certificates, and it's less than 680KB. |
| Re: Incidents involving the CA WoSign | Peter Bowen | 01/09/16 08:10 | On Wed, Aug 31, 2016 at 8:04 PM, Richard Wang <ric...@wosign.com> wrote:> (2) WoSign totally issued 230K SSL certificates till now for worldwide websites about 208 countries and regions. As of yesterday, I found 131924 unique certificates (either in final or precertificate form) in CT logs where the issuer contained the string "wosign". Of these, 62412 have notBefore with the year 2015. Of the total set, 20723 have already expired (15.7%). Of the 2015 certs, 9380 are already expired (15.0%). Based on the 230K total number, it seems save to assume about 196K certs are probably unexpired at this point. Does that seem accurate? |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 01/09/16 08:50 | On Thursday, September 1, 2016 at 5:30:28 AM UTC-7, Erwann Abalea wrote:Note: The EV whitelist uses a probablistic structure that Google was comfortable with when determining EV, since it would also have needed to have the EV policy OIDs, and thus unlikely to be "gamed," but when considering trust, is unacceptably high in the false-positive case when considering a CA that may not be trustworthy. For example, the CNNIC whitelist, as implemented by both Chrome and Firefox, uses the full 32-byte hashes. If we accept 110K (for your number), that's 3.5 megs (uncompressed). If we accept Peter's estimate, that's 6.3 megs (uncompressed). If we accept the full 230K Richard posted, that's 6.4 megs (uncompressed). We should probably fork off to the other thread if we're going to consider to discuss whitelist technical solutions, if there is community interest, and we can discuss the various concerns and tradeoffs between probablistic data structures (such as Golomb coded sets like the EV whitelist uses, Bloom filters as was proposed elsewhere in the past, and other forms of compression), as well as run concrete analysis of various implementations. As of yet, there doesn't seem to be a good inline solution that adequately reflects the facts surrounding it, if a whitelist is determined to be suitable. - Date based retroactive trust is impaired by known backdating - Full whitelists are insufficiently large - Probabablistic whitelists can be gamed with false positives (And I'm actively factoring in the CPU cost involved with signing as part of this threat model, assuming both "worst case" and "reasonable case") - Online lookups have privacy flaws (same as OCSP) I say "SafeBrowsing-like", but for sake of the PKIX familiar, it might otherwise be rephrased as "shared certificate *Trust* lists with issuerDistributionPoints", which is effectively the same thing :) |
| Re: Incidents involving the CA WoSign | keyc...@gmail.com | 01/09/16 08:50 | > It is clear to us, and appears to be clear to... > * It seems clear from publicly available information that StartCom'sI have read the details of this incident made public to date, and in my view, this comes down to two fairly simple questions: Did WoSign betray the public trust, and when mistakes were made were they proactive and transparent in resolving them? The *only* currency for a public CA is trust, and WoSign broke that trust by attesting to control of (critical) TLDs when in fact, such control did not exist. There is no difference between issuing fraudulent certificates to a security researcher as there is to any bad actor. Worse, after being made aware of the issue (and related vulnerabilities in their system), WoSign acted in bad faith by failing to proactively revoke all fraudulent certificates, notify their auditor, or inform Google and Mozilla. The behavior with StartCom only punctuates that continued bad faith and unwillingness to conform with the most basic obligations of a CA. I probably don't need to remind most of you here how already tenuous is the confidence in the existing public key system generally, and TLS security specifically. In light of their continued actions, I strongly urge the community to remove WoSign from the respective root trust stores. Kenn White https://opencryptoaudit.org/people |
| Re: Incidents involving the CA WoSign | Vincent Lynch | 01/09/16 08:50 | This may be getting a bit ahead of the discussion, but...
The exact relationship between WoSign and StartCom seems relevant to how these violations should be handled. Whether browsers decide to distrust WoSign, require CTs for all/future certs, take some other "probationary" decision, or do nothing at all, the relationship between these two CAs needs to be fully understood to properly execute that decision. If WoSign's violations are a result of bad policies/systems, and they own StartCom, should both CAs not face the same oversight/punitive action? If WoSign certs are to be logged in CT, do StartCom certs also need to be logged? If tomorrow, StartCom was to violate the BRs, is that viewed as a separate incident? Or grouped in with the other violations WoSign has had? The question of who owns/operates StartCom has been something the CA/Browser community has wondered about for the last few months. Last night, https://www.letsphish.org was shared to this thread. The contents of that site are currently unavailable for stated legal reasons, but the site can still be accessed through Google's Cache: http://webcache.googleusercontent.com/search?q=cache:https://www.letsphish.org/?part=1 This site made the following claim (and provided supporting documentation): "Reviewing StartCom registry in the Israeli company directory reveal that on November 1st, 2015 all the shares of the private held company were transfered to a UK based company named "StartCom CA Limited". This company, "StartCom CA" is owned by Gaohua Wang, who is of Chinese nationality." The site further claims that Gaohua Wang and Richard Wang are the same person. Previously in this thread, Richard wrote: "[WoSign] shared some facility with StartCom like CRL and OCSP distribution etc." However, the claims raised by LetsPhish.org, the connections between StartCom's StartEncrypt system and WoSign's issuance systems, and other assertions (https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html) have made it obvious that we do not *know* very much. I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) should make a statement about this. |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 01/09/16 09:01 | On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
> Thanks for your so detail instruction. > Yes, we are improved. The two case is happened in 2015 and the mis-issued > certificate period is only 5 months that we fixed 3 big bugs during the 5 > months. > For CT, we will improve the posting system. I had a little trouble parsing this, but let's make sure we're on the same page. I've continued Gerv's original numbering: Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf ) Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates ( https://www.wosign.com/policy/wosign-policy-1-2-10.pdf ) Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this the only one? I wasn't clear from https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ ) Just making sure we're in agreement about the facts and timelines surrounding these, so that it's easier than debating 2 or 3 or 5 or more. |
| Re: Incidents involving the CA WoSign | Andrew Ayer | 01/09/16 10:41 | On Thu, 1 Sep 2016 09:00:38 -0700This was a violation of a "SHOULD NOT" (not a "MUST NOT") issue SHA-1 certificates that expire after 2016. Since issuing SHA-1 certificates was not forbidden in 2015 and the notAfter date is immaterial to the risk of SHA-1 collisions[1], it would be unfair and counterproductive to hold this against WoSign. Regards, Andrew [1] In fact, stockpiling long-lived SHA-1 certs in 2015 would have been vastly better for the ecosystem than using "legacy" roots or requesting an exception in 2016. |
| Re: Incidents involving the CA WoSign | Percy | 01/09/16 14:50 | They have confirmed that it's a fake cert. Alibaba knew this prior to my
contact and said they already contacted WoSign. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>) |
| RE: Incidents involving the CA WoSign | Richard Wang | 01/09/16 17:52 | The posting to log server still not finished.
Best Regards, Richard
Sent: Thursday, September 1, 2016 11:11 PM |
| RE: Incidents involving the CA WoSign | Peter Gutmann | 01/09/16 21:00 | Vincent Lynch <vtl...@gmail.com> writes: >I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) +1. I'd already asked for something like this earlier and got silence as a Peter. |
| Re: Incidents involving the CA WoSign | Percy | 01/09/16 22:53 | The former employee of Starcom and author of https://www.letsphish.org/ took the content down, presumably facing legal pressure from StarCom or Wosign. Please see the full site mirror here https://archive.is/8bSp6
|
| RE: Incidents involving the CA WoSign | Richard Wang | 01/09/16 23:01 | OK I try to say some that I wish I don't violate my company confidential policy.
1. Eddy told me that this guy is the former employee of StartCom, he violates the signed NDA that he must shutdown the site within the limit time. Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site). I am sure every company don't like its former employee to expose company's confidential information. 2. WoSign invested in 5 companies worldwide including in North America, Europe and Asia (China), but my company is a private company that no any liability to expose everything that we don't like to expose. And Mozilla also don't have the policy that every CA must expose its shareholder and director. 3. Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel. StartCom and WoSign have maintained a business relationship for many years since 2011 when WoSign startup CA business. And WoSign root is cross signed by StartCom root due to the problem that root inclusion took long time. From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosi...@lists.mozilla.org] On Behalf Of Peter Gutmann Sent: Friday, September 2, 2016 11:59 AM To: Vincent Lynch <vtl...@gmail.com>; mozilla-dev-s...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign
+1. I'd already asked for something like this earlier and got silence+as a response, which isn't inspiring confidence. |
| Re: Incidents involving the CA WoSign | Percy | 01/09/16 23:23 | NDA only applies for information that's privileged. The content here https://archive.is/8bSp6 can be obtained all from public sources, hence exempted from NDA. In case WoSign tries to send take down request to Achieve.is, I mirrored the content on pastebin too http://pastebin.com/hiKxmGMH Good luck taking that down. Sure, your company is a private company. But the public doesn't have an obligation to trust you either. Two independent companies that share the same infrastructure, director and user trust according to https://archive.is/8bSp6 , doesn't look very independent to me. |
| RE: Incidents involving the CA WoSign | Richard Wang | 01/09/16 23:36 | Please remember this sentence:
Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site).You are harming him! |
| Re: Incidents involving the CA WoSign | Matt Palmer | 01/09/16 23:49 | On Fri, Sep 02, 2016 at 05:59:19AM +0000, Richard Wang wrote:I don't see anything particularly confidential, and waving around legal threats really does seem like there's something to hide. Why not address the concerns raised by that site, rather than shutting it down, if the accusations are entirely baseless? Mozilla also doesn't have every CA under scrutiny at the moment for a series of fairly egregious breaches of the public trust, either. Was the distinction between "registered" and "located" deliberate there? - Matt |
| Re: Incidents involving the CA WoSign | Percy | 01/09/16 23:55 | On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote:You stated that he was a former employee of StartCom in 2015. After he left the company, what he learnt from public sources in 2016 is not bound by NDA. I do not appreciate you holding him hostage to suppress public and crucial information on understanding the trust of CA. Since WoSign is trying so hard to suppress such critical information, it's especially important for us to understand the consequences of such info. The entire article is reproduced below. -------- Being a Certificate Authority is all about trust. Start Commercial LTD "is" an Israeli Certificate Authority, Their certificates are trusted by billion of devices (computers, mobile phones, routers, etc) and they claim to be "the 6th biggest CA in the world". StartCom launched it's activities as we know it today around 2006 with the brandname StartSSL. Their site didn't had much UI changes during those years. Until 2016... February 16th, 2016, Pierre Kim in his security blog wrote about why he stopped using StartSSL. The article was about how some of StartSSL's infrastructure is hosted in China/by Chinese companies. But he showed only small part of the whole picture, not going into who owns StartCom and the brandname StartSSL. Reviewing StartCom registry in the Israeli company directory reveal that on November 1st, 2015 all the shares of the private held company were transfered to a UK based company named "StartCom CA Limited". This company, "StartCom CA" is owned by Gaohua Wang, who is of Chinese nationality.But no news about it. 2016 is a major year for StartCom, new UI, new tools and new features, and yet, no news regarding the new ownership. The only news related to the matter was a minor post about expending their activities in China. In the previous part we saw that the ownership of the company has switched, from Israeli hands to Chinese hands (via a UK based company to operate as a front organization). Pierre Kim in his blog post showed that some of StartSSL infrastructure is hosted in China/by Chinese companies. In this part I will present that currently (June 2016) StartSSL is operating from China (their employees are located in China). During the first half year of 2016 I've contacted StartSSL several times. The first time was when I notified them about their SPF TXT records being incorrect [1], the reply was originated from 113.104.213.84 (China Telecom, CHINANET Guangdong province network) with the "Content-Language" equals to "zh-cn" and the localtime of the email was UTC+0800. The email is signed with "certm...@startssl.com" private key. The second time I've contacted StartSSL was in regard their OCSP replies for expired certificates [2], again the reply was originated in China 183.37.124.147 (China Telecom, CHINANET Guangdong province network) with China's localtime (UTC+0800). The third and last time I've contacted StartSSL was regarding their expired certificates on some of their hosts [3], this time the reply seem to be generated via some kind of a ticket system, but still from China. The ticket system itself (MX server at least) seem to be in China, 124.251.21.41 (21ViaNet(China),Inc), and the person who replied to my email was also from China, 14.153.60.139 (China Telecom, CHINANET Guangdong province network) with "Accept-Language:" set to "zh-cn". And what about StartSSL automated emails, old ones (during January) seem to originate in China, they came from 106.39.1.130 (China Telecom, CHINANET-BJ) [4]. But later ones, come from 104.192.108.9-10 (China Telecom (Americas) Corrporation (CTUC)) [5]. According the the whois, this is a Chinese company with an IP infrastructure in the US, but the localtime is still set to China's localtime. In part 1 I showed that all shares from Start Commercial LTD (company based in Israel) were transferred to a front organization in the UK, named "StartCom CA Limited", which their sole director is Gaohua Wang. In part 2 I showed that StartSSL is actually operating from China (last verified, June 2016). In this part I will disclose who actually owns StartCom and more specifically the "StartSSL" brandname. The key figure is Gaohua Wang (aka Richard Wang). It may not be so easy to connect him to the company in matter (searching for "Gaohua Wang certificate authority" will do the trick), but Gaohua Wang is also a director of another CA company based in China, named WoSign [1]. StartCom doesn't share this information with their customers, past, present and probably near future. I even tried to ask them directly via their Live Chat, but they haven't given me a straight answer ("not really", "close relationship" and "share infrastructure") [2] [3]. It seem StartCom is trying really hard not to disclose that StartCom was sold indirectly to a Chinese company. Lets break down the answers to the question "Did WoSign bought you?" "Not really" - WoSign didn't bought StartCom directly, Gaohua Wang (which also owns WoSign) used a front organization in the UK to buy StartCom. "Close Relationship" - StartCom in the past cross-signed some of WoSign's intermediate CA, you may consider it as "close relations". "Share Infrastructure" - This will explain Pierre Kim's post, but it doesn't explain why StartCom will require that, most StartSSL's customers are in Europe and in the US, not in China nor Asia [4]. But there are holes in the story. Why the operations (mail replies, core service like 'auth.startssl.com') is in China? When trying to dial the Israeli number (+972.8.634.4170) I got an unplugged number tone [5], is the office in Israel is unavailable? But some of StartCom infrastructure is still hosted in Israel. I will conclude with that, the same person (Gaohua Wang) owns WoSign and StartCom. I will leave connecting the dots for you... |
| RE: Incidents involving the CA WoSign | Richard Wang | 01/09/16 23:55 | I think we are out of topic.
Please send me offlist email if you like.
|
| RE: Incidents involving the CA WoSign | Richard Wang | 02/09/16 00:39 | We finished the CT posting, all 2015 issued SSL certificate is posted to WoSign CT log server: https://ctlog.wosign.com, total 101,410 certificates.
From: Peter Bowen [mailto:pzb...@gmail.com] Subject: Re: Incidents involving the CA WoSign |
| Re: Incidents involving the CA WoSign | Percy | 02/09/16 00:49 | Just wrote a blog post on this. WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html
|
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 02/09/16 00:59 | The whole interaction isn't inspiring confidence.
Kurt |
| Re: Incidents involving the CA WoSign | Matt Palmer | 02/09/16 01:51 | On Fri, Sep 02, 2016 at 06:53:23AM +0000, Richard Wang wrote:On the contrary, the trustworthiness of CAs is *entirely* on topic. - Matt |
| RE: Incidents involving the CA WoSign | Richard Wang | 02/09/16 02:03 | You mean if a Chinese, a Chinese company own a USA CA, then the USA CA become un-trustworthiness?
I still think this topic is out of THE Topic - Incident.
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosi...@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Friday, September 2, 2016 4:51 PM |
| Re: Incidents involving the CA WoSign | Gervase Markham | 02/09/16 03:07 | Hi Richard,
On 01/09/16 04:04, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp as > China CA. We need a fair treatment as other worldwide CAs that I am > sure WoSign is not the first CA that have incident and not the > serious one; We are keen to treat WoSign as a global CA. It's certainly true that we would be having this discussion about any other global CA which had had such a list of incidents. However, it seems that you are advancing arguments - such as "we are Chinese; we can't be expected to fully understand standards written in English" - which ask for special consideration as a Chinese CA rather than a global CA. And, as others have pointed out in this thread, WoSign is very happy to be seen as a China CA for marketing purposes inside China. > Second, I supplement some data for your reference, please consider > those subscribers benefit, especially from many underdeveloped > countries that can't afford the too expansive SSL certificate. WoSign is not the only company to offer free SSL certificates. But also, this seems like arguing "we're too big for you to take action against us". > Third, I believe no one dare to say his system no bug, WoSign > admitted we have system bug that issued the wrong certificate and > fixed. This is why WoSign is the first CA in the world for > volunteering to "Require CT", we like to use CT mechanism to find out > the bug quickly and reduce the lost to minimum, That seems to me to be outsourcing your quality control to a set of third parties. I would say that any CA should have independent systems which check every certificate issued, before it is sent to the customer, for a long list of possible faults, and hold the certificate for manual review if any of those faults are found. That's what I'd do if I were running a CA, anyway. Saying "it's all in CT, so we can find problems after issuance" does not, to my mind, take misissuance appropriately seriously. > Thanks a million. (Just as a note, I would advise against using this English phrase, as it has acquired a sarcastic overtone in normal usage.) Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 02/09/16 03:10 | Hi Richard,
What information on that site is company-confidential? It all seems to point to public sources. Also, it would help if you pointed out what information is incorrect, so we can make sure we don't accidentally accept any information which is incorrect. Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 02/09/16 03:20 | On 31/08/16 19:13, Ryan Sleevi wrote:.... F) Distrust all certs with a notBefore date after date X, and require the CA to apply for re-inclusion to get the distrust lifted. (I.e. what happened to CNNIC.) It's theoretically possible for a CA to backdate notBefore, but if they are logging everything to CT, that will be noticable. And if they didn't log to CT, they would be breaking their promise to log everything to CT, which would be evidence of untrustworthiness. Gerv |
| RE: Incidents involving the CA WoSign | Richard Wang | 02/09/16 03:28 | Hi Gerv,
Forgive me my bad English, you know my English level. :-) It seems my bad English mislead you to wrong place, so I try to correct: (1) Don't care about the marketing word, it is an advertisement; (2) What I mean is please think about the current users if any action; 10% from government website, 6 customers is the top 10 eCommerce website in China; (3) We have quality control; I will send the blocking system screenshot to you since this mail list can't send. But we think CT is a good solution for mis-issued problem.
|
| RE: Incidents involving the CA WoSign | Richard Wang | 02/09/16 06:30 | -----Original Message-----We deleted the related two pages. Best Regards, Richard |
| Re: Incidents involving the CA WoSign | Peter Bowen | 02/09/16 07:55 | On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang <ric...@wosign.com> wrote:Richard, Based on CT logs, I have seen certificates from the CAs below, all of which have "WoSign" in the name. Have you logged all certificates which are signed by these CAs and have a notBefore date of 20150101000000Z or later to the WoSign CT log? Do you also plan to submit these to at least one Google-operated log? Thanks, Peter |
| Re: Incidents involving the CA WoSign | Peter Bowen | 02/09/16 07:56 | (forgot the list)
CN=360 EV Server CA G2,O=WoSign CA Limited,C=CN CN=360 OV Server CA G2,O=WoSign CA Limited,C=CN CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN CN=CA 沃通 Email 客户端证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通 EV Pro 服务器证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通 EV 服务器证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通 IV 服务器证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通 OV Pro 服务器证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通 OV 服务器证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通免费SSL证书 G2,O=WoSign CA Limited,C=CN CN=CA 沃通免费SSL证书,O=WoSign CA Limited,C=CN CN=CA 沃通根证书,O=WoSign CA Limited,C=CN CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN CN=GZCA EV Server CA,OU=WoSign Trust Network,O=广州市电子签名中心,C=CN CN=IMS CA,O=WoSign CA Limited,C=CN CN=IMS Class 4 EV Pro Server CA,O=WoSign CA Limited,C=CN CN=IMS Class 4 EV Server CA,O=WoSign CA Limited,C=CN CN=IMS CT Monitor CA,O=WoSign CA Limited,C=CN CN=IMS EV 服务器根证书,O=WoSign CA Limited,C=CN CN=IMS 根证书,O=WoSign CA Limited,C=CN CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN CN=WoSign CA Free SSL Certificate,O=WoSign CA Limited,C=CN CN=WoSign Class 1 Client CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 1 Client CA,O=WoSign CA Limited,C=CN CN=WoSign Class 1 DV Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 1 DV Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 1 DV Server CA,O=WoSign eCommerce Services Limited,C=CN CN=WoSign Class 2 IV Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 2 IV Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN CN=WoSign Class 3 OV Pro Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 3 OV Pro Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 3 OV Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 3 OV Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 3 OV Server CA,O=WoSign eCommerce Services Limited,C=CN CN=WoSign Class 4 EV ECC Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV ECC SSL CA,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV Pro Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV Pro Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV Server CA G2,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV Server CA,O=WoSign CA Limited,C=CN CN=WoSign Class 4 EV SSL CA G2,O=WoSign CA Limited,C=CN CN=WoSign Premium Server Authority,O=WoSign\, Inc.,C=US CN=WoSign Server Authority,O=WoSign\, Inc.,C=US CN=WoSign SGC Server Authority,O=WoSign\, Inc.,C=US CN=中国湖南 EV 服务器证书,OU=WoSign Trust Network,O=东方新诚信数字认证中心,C=CN CN=沃通 Email 客户端根证书,O=WoSign CA Limited,C=CN CN=沃通 EV 服务器根证书,O=WoSign CA Limited,C=CN L=ShenZhen,ST=GuangDong,O=WoSign CT Monitor Intermediate,C=CN |
| Re: Incidents involving the CA WoSign | Peter Bowen | 02/09/16 08:21 | On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <ric...@wosign.com> wrote:
> Yes, we posted all 2015 issued SSL from WoSign trusted root. >Richard, It seems then there is a newly exposed bug. https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA that has a notBefore in March 2015. It does not appear in the CT log. However another certificate with identical serial number and subject, but different Validity, does appear in the log. Are you aware of a bug where you were issuing certificates identical except for validity period? Thanks, Peter |
| Re: Incidents involving the CA WoSign | Andrew Ayer | 02/09/16 10:01 | Considering that:
1. WoSign has already been caught backdating the notBefore date, and 2. A certificate has already been found which they didn't log to CT despite their assertion that they had logged all certificates, I don't think relying on the notBefore date is a viable option. WoSign seems to have such a poor handle on their operations that I think it would be inevitable that someone would find a certificate in the wild with a notBefore date in the past that had not been disclosed. What action would Mozilla take if that happened? Regards, Andrew |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 02/09/16 10:27 | On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote:Can you please point to those that weren't logged? Kurt |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 02/09/16 10:30 | I of course didn't see the mail yet that mentions:
https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad Kurt |
| Re: Incidents involving the CA WoSign | Percy | 02/09/16 10:45 | Some facts for Mozilla to consider. WoSign Root is never trusted by Apple https://support.apple.com/en-ca/HT205205 https://support.apple.com/en-ca/HT205204
However, all WoSign leaf certs are trusted on Apple devices because WoSign intermediate authority is signed by StartCom. |
| Re: Incidents involving the CA WoSign | Percy | 02/09/16 11:17 | On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote:WoSign in fact actively emphasis that it's a China CA and the global politics in marketing. WoSign claimed foreign CA might revoke certs to Chinese orgs due to politics and claimed that foreign CA will collect all users information. This is a typical marketing email they sent. https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large Translated below. ------- Dear friend: I'm *** from WoSign CA. WoSign is the first SSL cert company in China. Your website *****'s SSL cert is from Let's Encrypt, expiring at Oct, 2016. If you switch to WoSign before the expiration you can enjoy buy one year get one year free. The risks associated with foreign CA: 1. Cert revocation If foreign CA is influenced by politics and revoke certs for important Chinese organizations, the entire system will be paralyzed. 2. Information security risks If the website uses foreign certs, users need to send information to foreign servers in every visit. Time of the visit, the location of the visit, IP addresses, and the browser, frequency of the visits are all collected by foreign CA. This will leak commercial secrets and sensitive data, and is a very risky! 3. Server latency Foreign CA cannot provide 24*7 local support. Servers are overseas and affected by submarine cables, latency is 10X. If something happens to submarine cables, and cert revocation list is not accessible, important systems with foreign certs will be paralyzed. In 2012, there is a incident that submarine cables was broken. .... (contact info stuff) Best regards and thanks, WoSign CA Limited. |
| Re: Incidents involving the CA WoSign | Erwann Abalea | 02/09/16 12:15 | Le vendredi 2 septembre 2016 19:45:37 UTC+2, Percy a écrit :That's not WoSign's fault. It's really hard to communicate with Apple and their Root Program, it's a concern for other CAs as well. |
| Re: Incidents involving the CA WoSign | Matt Palmer | 02/09/16 15:53 | On Fri, Sep 02, 2016 at 09:01:47AM +0000, Richard Wang wrote:If the Chinese company or US CA are making legal threats to try and suppress disclosure of the ownership, and the Chinese company is running another CA with some pretty serious concerns over its trustworthiness, then yes, I'd be concerned over the trustworthiness of the US CA. Perhaps, but you didn't say "let's start a new thread", you said "mail me privately", indicating that you want to avoid public discussion of these issues of trustworthiness and fidelity. - Matt |
| Re: Incidents involving the CA WoSign | Matt Palmer | 02/09/16 16:25 | On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote:Did you mean "non-Google-operated log"? I was under the impression that we didn't want everything being stuffed into just Google logs. - Matt -- I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course -- the computer industry didn't even foresee that the century was going to end. -- Douglas Adams |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 02/09/16 16:32 | On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote:It's now only in their own log, it's useful to have it in at least 2 logs. Kurt |
| Re: Incidents involving the CA WoSign | Matt Palmer | 02/09/16 16:37 | On Fri, Sep 02, 2016 at 10:27:04AM +0000, Richard Wang wrote:I'm reminded of a line from an old episode of a rather crass TV show, which happens to be rather on-point: "we know you have a choice in airlines, and it looks like you made the wrong one". I think you've got the wrong impression of CT. The purpose of transparency isn't to help CAs outsource their quality control to the crowd; it's to allow easier identification of misissuance so that a more comprehensive case can be made to revoke a CA's trust status. If you mis-issue a cert and log it to CT, you don't get points for logging it to CT: you get dinged because *you misissued a cert*. - Matt |
| Re: Incidents involving the CA WoSign | Matt Palmer | 02/09/16 16:54 | Aaaah, I see. I didn't realise they'd stuffed them in their own log.
Thanks for the clarification. - Matt |
| Re: Incidents involving the CA WoSign | Peter Bowen | 02/09/16 17:19 | On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang <ric...@wosign.com> wrote:
> From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. Richard, With all due respect, many of the people who participate in this dev-security-policy group work for companies that operate publicly trusted certificate authorities. This should not be surprising to anyone in this group. Some contribute to this group in their personal capacity (such as I'm doing now, using my personal email address) while others contribute in their capacity as a company representative. This is not new -- the archives of this group are public and you will see this has been true for years. What is important is the content of the contribution that is valuable, not the sender. If the contribution is factual information, then the contributor should not matter nor should any perceived underlying reason for the contribution. If the screenshot has been modified to contain content that was not in the original email or the whole thing was forged, then that is relevant information to know. The same is true for the documents referenced elsewhere in this thread. If people are posting forgeries, then please let this group know, so they are not given credence. Thanks, Peter |
| unk...@googlegroups.com | 02/09/16 17:35 | <This message has been deleted.> | |
| unk...@googlegroups.com | 02/09/16 21:57 | <This message has been deleted.> | |
| unk...@googlegroups.com | 02/09/16 22:05 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Gervase Markham | 03/09/16 01:07 | On 02/09/16 18:00, Andrew Ayer wrote:A fair question. I think one would need to have the consequences of further issues mapped out beforehand. Gerv |
| unk...@googlegroups.com | 03/09/16 01:17 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Gervase Markham | 03/09/16 01:29 | On 02/09/16 16:21, Peter Bowen wrote:https://crt.sh/?id=30326062 appears in the log; I assume that's the cert you mean. Well, the _period_ is the same; the start and end dates are offset by an identical amount ;-) Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 03/09/16 01:30 | On 02/09/16 16:21, Peter Bowen wrote: > It seems then there is a newly exposed bug. https://crt.sh/?id=30326062 appears in the log; I assume that's the cert > Are you aware of a bug where you were issuing certificates identical |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 03/09/16 02:46 | That offset being 37 seconds.
I've submitted it to Google's aviator log. Kurt |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 03/09/16 04:07 | |
| Re: Incidents involving the CA WoSign | Andy Ligg | 03/09/16 10:31 | You are completely wrong!
StartCom not only have office in Israel and in China, but also have office in UK, welcome to visit our UK office: T05, Castlemead, Lower Castle Street, Bristol, BS1 3AG, UK. And We will setup office in Bilbao, Spain in this month, Inigo Barreia is the general manager of StartCom Europe that Eddy announced this in CABF mail list. Regards, Andy On 2016/9/3 16:17, Percy wrote: > I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand SSL certificate to your customers". Details here > _______________________________________________ > dev-security-policy mailing list > dev-secur...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy |
| unk...@googlegroups.com | 03/09/16 11:03 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 03/09/16 12:51 | Percy,
As I suggested in the other thread, this does not seem a productive or fruitful line of inquiry, nor does it seem relevant to the issue at hand, nor does it seem to be done respectfully. That is, the extent of the country of origin of a CA is not itself a fundamental issue of trust, nor should translation errors be. I agree that there's a line where elements such as actively misleading the public become a matter of public concern, but let's try not to suggest there is something wrong with being from a particular country, nor that it represents proof of wrongdoing. I believe we are on the cusp of crossing a line here, and would love if we could focus on the technical and factual issues, without attempting to imply fundamental guilt by association or pseudo-phrenological analysis of speech patterns to show some form of wrongdoing. |
| unk...@googlegroups.com | 03/09/16 13:03 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 03/09/16 13:32 | Trust me, the disclosure was not buried, and the factual details are being sorted. However, it would be better for the tone and focus of the thread that we make sure to focus on the factual elements, which, as you note, can be publicly obtained easily, than to try to imply there's something wrong with poor translations.
In any event, we have significant information here to evaluate, ranging from the original issues to matters such as the incomplete disclosure of issues certificates, and we should be focusing on those elements, the expectations under the Mozilla policies, and what responses that best balance the need of Mozilla users (relying parties) and the Internet at large. For example, a key question remains is: Can/Should WoSign be trusted after these incidents? If so, is that trust unconditional, or do there need to be improvements, and in what form? If WoSign can no longer be trusted, what steps should be taken to reflect that across Mozilla products, in a way that, ideally, avoids conditioning users, particularly in the emerging markets seemingly most served by WoSign, that TLS errors are OK to ignore? This is where understanding options is important for the discussion. |
| Re: Incidents involving the CA WoSign | Peter Bowen | 03/09/16 14:18 | Richard,
Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 https://www.censys.io/certificates/d99309f071141454f805c13551a827aa116bb53daefd8609e296c06b0dcdf720 Additionally, it looks like there may be a gap in logging for 2016. For example, https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f does not show up in any log. Thanks, Peter On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <ric...@wosign.com> wrote: > We will check this tomorrow. > Now our time is 23:32 at night. > > > Regards, > > Richard > >> It seems then there is a newly exposed bug. >> Are you aware of a bug where you were issuing certificates identical>> Thanks, >> Peter |
| RE: Incidents involving the CA WoSign | Richard Wang | 03/09/16 19:27 | Sorry, I am busy with incident report that up to 20 pages.
It will be released soon today. Two reports: one for the incident 0-2, another one is for incident X including you point out one. Best Regards, Richard
|
| Re: Incidents involving the CA WoSign | Matt Palmer | 03/09/16 21:14 | On Sat, Sep 03, 2016 at 02:18:44PM -0700, Peter Bowen wrote:Our of curiosity, is anyone keeping a tally of the number of times WoSign has said, "yep, they're all logged now", only to have more unlogged certificates turn up? This is starting to feel like a bit of a repeat of DigiNotar, insofar as a CA doesn't appear to have a clear record of all issuance. - Matt |
| Re: Incidents involving the CA WoSign | Peter Bowen | 03/09/16 21:51 | On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi <ry...@sleevi.com> wrote:
> On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >> Thanks for your so detail instruction. >> Yes, we are improved. The two case is happened in 2015 and the mis-issued >> certificate period is only 5 months that we fixed 3 big bugs during the 5 >> months. >> For CT, we will improve the posting system. > > I had a little trouble parsing this, but let's make sure we're on the same > page. I've continued Gerv's original numbering: > > Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 > certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf ) > Incident -1: April 4, 2015 - WoSign is informed it's routinely violating > its CPS for issued certificates ( > https://www.wosign.com/policy/wosign-policy-1-2-10.pdf ) > Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers > Incident 0: April 23, 2015 - 72 potentially dangerous port-validated > certificates > Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain > certificates > Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this > the only one? I wasn't clear from > https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ > ) It was brought to my attention that there is another incident. WoSign issued at least two certificates that have subject public keys which are for the SM2 algorithm. SM2 is an elliptic curve based algorithm but it does not use the US NIST P-256, P-384, or P-512 curves. The CA/Browser Forum Baseline Requirements and Mozilla CA Certificate Maintenance Policy both require that only these three curves be used for elliptic curve keys. In addition to including subjects keys using unapproved parameters, it seems these each share their serial number with another certificate for the same subject. So these are two more cases of duplicate serial numbers for different content. The log entries for the SM2 certificates are https://ctlog.wosign.com/ct/v1/get-entries?start=109239&end=109240; crt.sh doesn't have them. The matching serial numbers are https://crt.sh/?id=30613201 and https://crt.sh/?id=30613200. Thanks, Peter |
| RE: [FORGED] Re: Incidents involving the CA WoSign | Peter Gutmann | 03/09/16 23:21 | Peter Bowen <pzb...@gmail.com> writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the Peter. |
| RE: Incidents involving the CA WoSign | Richard Wang | 04/09/16 01:07 | https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f
This certificate is issued at July 1st 2016, that our promised SCT data is July 5th, 2016.
Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. |
| Re: Incidents involving the CA WoSign | Eddy Nigg | 04/09/16 01:52 | On 09/03/2016 11:02 PM, Percy wrote:
> I agree completely that we shouldn't imply fundamental guilt by > association. However, WoSign threatened legal actions against Itzhak > Daniel's disclosure compiled purely from public sources. I just want to > make sure the disclosure was not buried after the content was taken down. I don't want to extend this discussion unnecessarily, but as a side note you don't know which agreements this employee has signed with StartCom and/or WoSign and hence you can't make a judgement on it either. Lets leave this to the professionals dealing with it. (Of course your copying and distributing of the content originally published by him can be also used against him, just some food for thought) As such, there can be many more things you don't really know regarding this or other business transactions. And probably this is the wrong forum for such matters in any case. -- Regards Signer: Eddy Nigg, Founder StartCom Ltd. <http://www.startcom.org> XMPP: star...@startcom.org <xmpp:s...@startcom.org> |
| Re: Incidents involving the CA WoSign | Gijs Kruitbosch | 04/09/16 02:05 | So if I understand correctly, you've published all certificates issued
in 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that correct? As noted in https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ , this thread has turned up https://crt.sh/?id=29884704 which was mississued and had a notBefore of June 23, 2016. In addition to that, there was discussion about backdated SHA1 certs ( https://groups.google.com/d/msg/mozilla.dev.security.policy/KNuiSDVl7qc/z8rPfqX7DAAJ , https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 ) that were issued in 2016 but backdated to 2015. When explicitly asked if you were publishing all the certs with a notBefore after 20150101000000Z in https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/FNYETUsnDQAJ you responded with: It has already been established that you issued certificates in 2016 that were backdated to 2015, and so we have no reason to even assume that when you say "all 2015 issued SSL [certs]", that this will include any other such hypothetical backdated certs. It has also been established that certs were mississued in 2016 outside of the July 5th and later period. So it seems that it would be in your own interest to be as transparent as possible for the 2016 certs as well, and to simply log any and every cert with a notBefore after 20150101000000Z. Why have you not done so? ~ Gijs |
| RE: Incidents involving the CA WoSign | Richard Wang | 04/09/16 02:51 | Hi all,
We finished the investigation and released the incidents report today: https://www.wosign.com/report/wosign_incidents_report_09042016.pdf This report has 20 pages, please let me if you still have any questions, thanks. This report is just for Incident 0-2, we will release a separate report for another incident X soon. Best Regards, Richard Wang CEO WoSign CA Limited -----Original Message----- From: Gervase Markham [mailto:ge...@mozilla.org] Sent: Wednesday, August 24, 2016 9:08 PM To: mozilla-dev-s...@lists.mozilla.org Cc: Richard Wang <ric...@wosign.com> Subject: Incidents involving the CA WoSign Dear m.d.s.policy, Several incidents have come to our attention involving the CA "WoSign". Mozilla is considering what action it should take in response to these incidents. This email sets out our understanding of the situation. Before we begin, we note that Section 1 of the Mozilla CA Certificate Enforcement Policy[0] says: "When a serious security concern is noticed, such as a major root compromise, it should be treated as a security-sensitive bug, and the Mozilla Policy for Handling Security Bugs should be followed." It is clear to us, and appears to be clear to other CAs based on their actions, that misissuances where domain control checks have failed fall into the category of "serious security concern". Incident 0 ---------- On or around April 23rd, 2015, WoSign's certificate issuance system for their free certificates allowed the applicant to choose any port for validation. Once validation had been completed, WoSign would issue certificates for that domain. A researcher was able to obtain a certificate for a university by opening a high-numbered port (>50,000) and getting WoSign to use that port for validation of control. This problem was reported to Google, and thence to WoSign and resolved. Mozilla only became aware of it recently. * Before the recent passage of Ballot 169 in the CAB Forum, which limits the ports and paths which can be used, the Baseline Requirements said that one acceptable method of domain validation was "Having the Applicant demonstrate practical control over the FQDN by making an agreed‐upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN". This method therefore did not violate the letter of the BRs. However, Mozilla considers the basic security knowledge that ports over 1024 are unprivileged should have led all CAs not to accept validations of domain control on such ports, even when not documented in the BRs. * The misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. Incident 1 ---------- In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain. The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io. They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later. * The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible. * This misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. Incident 2 ---------- In July 2016, it became clear that there was some problems with the StartEncrypt automatic issuance service recently deployed by the CA StartCom. As well as other problems it had, which are outside the scope of this discussion, changing a simple API parameter in the POST request on the submission page changed the root certificate to which the resulting certificate chained up. The value "2" made a certificate signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free SSL Certificate G2" and "0" selected "CA 沃通根证书", another root certificate owned by WoSign and trusted by Firefox. Using the value "1" led to a certificate which had a notBefore date (usage start date) of 20th December 2015, and which was signed using the SHA-1 checksum algorithm. * The issuance of certificates using SHA-1 has been banned by the Baseline Requirements since January 1st, 2016. Browsers, including Firefox, planned to enforce this[2] by not trusting certs with a notBefore date after that date, but in the case of Firefox the fix had to be backed out due to web compatibility issues. However, we are considering how/when to reintroduce it, and CAs presumably know this. * The issuance of backdated certificates is not forbidden, but is listed in Mozilla's list of Problematic Practices[3]. It says "Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not." * WoSign deny that their code backdated the certificates in order to avoid browser-based restrictions - they say "this date is the day we stop to use this code"[4]. If that is true, it is not clear to us how StartCom came to deploy WoSign code that WoSign itself had abandoned. * It seems clear from publicly available information that StartCom's issuance systems are linked to WoSign's issuance systems in some way. Nevertheless, it should not have been possible for an application for a cert from StartCom to produce a cert signed by WoSign. * This misissuance incident was not reported to Mozilla by WoSign as it should have been. Taking into account all these incidents and the actions of this CA, Mozilla is considering what action to take. Your input is welcomed. Gerv, Kathleen and Richard [0] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ [1] https://cert.webtrust.org/SealFile?seal=2019&file=pdf [2] https://bugzilla.mozilla.org/show_bug.cgi?id=942515 [3] https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 04/09/16 05:53 | On Sun, Sep 04, 2016 at 09:49:25AM +0000, Richard Wang wrote:Hi Richard, About incident 0 in the report, it says: We investigated each certificates to think it is no necessary to revoke these certificates. Can you please explain how you investigated those and why you think it's not needed to revoke them? I also don't understand what you're trying to explain in 2.2. I think what it says is that the procedure used to be: - Someone requests a certificates - You do validation tests on an initial list of hostnames - Before he actually submits his request he can modify the list of hostnames - You don't do any validation tests anymore - You issue the certificate - Someone manually checks it because github is on the list of domains that needs manual review - The manual review notices that only part of it is validated - The manual review then asks for revocation - The revocation process needs an other person to review it - It informs that subscriber that it's been revoked - The real revocation happens later by a 3rd person Is that an accurate description of the problem? I see 2 problems with this: - There was a bug that the list of hostnames could be modified without revalidating them, and this was fixed on August 10, 2015. - The manual review only happens after the certificate is already issued, instead of before issuing it. In 2.3 you describe that if you sign up for "wosogn.com" (I guess you mean wosign.com) you get "www.wosign.com" for free and don't validate it. But the screenshot of the misissued domains are all without the "www" prefix. That is, "www.wosign.com" would be validated but "wosign.com" wasn't validated. My understanding is that if you sign up for "foo.example.com" you get "example.com" too without validating it, and it's not related to "www". You indicate that this was also fixed on August 10, 2015, but then still changed something on August 27, 2016, and it's not clear to me what you changed. In 3.2 you describe something about StartCom and WoSign using the same script but use a different ID. You describe that there was a bug you that you deleted. I assume that this is that the POST doesn't allow to set the caID anymore. But the document does not describe why that results in backdated SHA-1 certificates at all. I see several issues with this: - It allowed to use a different CA than it should - Software that was supposed to be stopped using was still able to issue certificates - The software for some reason uses the date it was supposed to be stopped from using, instead of the current date. Was this software modified for some reason? And from what I understand, only the first of those is fixed. You also describe that it's going to be replaced by ACME, but I don't see how this relevant or would prevent any of this. (There is also a SAH1 instead of SHA1 typo.) PS: I'm unsure why you cross out all those Mozilla, Google and WoSign address. I can perfectly recoginize the person in all those cases. If you really want to cross them out, please do it properly. Kurt |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 04/09/16 06:01 | On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote:>From the document they send, they plan to submit all those from 2016 too, but it will take some time. Kurt |
| Re: Incidents involving the CA WoSign | Peter Bowen | 04/09/16 07:44 | On Sat, Sep 3, 2016 at 10:11 PM, Richard Wang <ric...@wosign.com> wrote:
> It is posted, just Peter not find it that I told him the Log id. Richard, Thank you for providing the log ids. I am glad to see these are now logged, but I will point out the log timestamps for these two certificates are both later than the time of the email saying all were logged. I did not find them because they were not logged when I was looking. Thanks, Peter > We are also checking system again to double check if we missed some. > > Please be patient for our full 20 pages report, thanks, > > Regards, > > Richard > >>> Can you also please check the following two certificates? It looks >> Our of curiosity, is anyone keeping a tally of the number of times WoSign |
| Re: Incidents involving the CA WoSign | Andrew Ayer | 04/09/16 09:40 | On Sat, 3 Sep 2016 21:50:51 -0700The two SM2 certificates can be downloaded here: https://certspotter.com/api/v0/certs/ab95ba70f1591c56850255f11393dbb63540871b797f6e55665e1a0e67fd977b.pem https://certspotter.com/api/v0/certs/bb9afdaee1f4a21a4898f18e34a7801908d3c7d911a98463b6be92c40e791f8d.pem Regards, Andrew |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 04/09/16 10:12 | On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote:So I'm going to try to understand everything in the document, with time stamps I can find in the document. For order 84997, https://crt.sh/?id=29647048 On June 10, 2015, UTC+8: - ??: Order 84997 is started (11:17:03??) - 11:43:45: schrauger.github.io validation started? - 11:43:48: schrauger.github.io validation passed? - 11:44:15: schrauger.github.com validation started? - 11:44:17: schrauger.github.com validation passed? - ??: Subscriber added github.com, github.io, www.github.io? - 11:47:05: Subscriber clicked the "submit request" button - 11:49:46: It went to some PKI system? - 13:42:44: The notBefore date of the certificate - 14:03:35: The certificate was generated? - 20:43:00: Subscriber downloaded the certificate On June 11, 2015, UTC+8: - 09:38: A Mail was send to Validation Team A and B, about order 85295 and 85295. (At least that's what I understand, it's a mail 3 people.) - 09:49:21: Validation Team A said to revoke - 09:51:24: Validation Team B approved the revokation request. - 10:30:53: A mail is send to the subscriber that it's been revoked? - 10:33:08: The PKI admin approved the revocation - 10:47:55: The PKI system said the revocation was succesful Order 85295, https://crt.sh/?id=29805567, On June 10, 2015, UTC+8: - 22:39:54: Subscriber clicked the "submit request" button - 23:03:13: The notBefore date of the certificate - 23:34:55: The certificate was generated? On June 11, the same as for the previous one. For order 85391, on June 11, 2015, UTC+8: - 06:34:58: schrauger.github.io validation started - 06:35:02: schrauger.github.io was validated. - 06:35:25: schrauger.github.com validation started - 06:35:28: schrauger.github.com was validated. - ??: Subscriber added github.com, www.github.com, github.io, www.github.io? - 06:36:47: Subscriber clicked the "submit request" button - 06:39:31: It went to the PKI system? - 09:01: Someone sends a mail to 2 people, making a reference to 2 orders from the same account, and that they might not have been properly validated. So my understanding is that each time it went to the manual validation, but that the first 2 times people said ok and that only the 3rd time someone noticed that the other hostnames weren't validated. Is that correct? Kurt |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 04/09/16 10:34 | On Sun, Sep 04, 2016 at 09:49:25AM +0000, Richard Wang wrote:In section 2.2 you explain that there is a mail at 9:01 and 9:38, where I think the one from 9:38 asks for the revocation of the certificates by e-mail. Is there a procedure in place that those e-mails get acted upon? Why is this done via e-mail and not some some other system that can make sure it's being followed up? Kurt |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Eddy Nigg | 05/09/16 00:31 | On 09/04/2016 09:20 AM, Peter Gutmann wrote:.....says the audience on the backbenches gleefully.... ....but no, what are you talking about?? Even though some nasty and undesired errors happened here, its in no comparison to what happened at Diginotar which basically lost control over the CA. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 05/09/16 00:55 | Hi Eddy,
On 04/09/16 09:51, Eddy Nigg wrote:If he has signed an agreement with StartCom and/or WoSign which prevents him from pointing out, after leaving employment, facts which are in the public domain, then I suggest that those clauses in the agreement are an unconscionable[0] restriction on his freedoms and you should not be enforcing them. If something in what he has said is confidential, please point it out to me (by private email if you prefer) and I will adjust my attitude to that particular piece of information. Gerv [0] https://en.wikipedia.org/wiki/Unconscionability |
| RE: [FORGED] Re: Incidents involving the CA WoSign | Peter Gutmann | 05/09/16 01:10 | Eddy Nigg <eddy...@startcom.org> writes: Well, it doesn't exactly paint the best picture of a competently-run CA, same Hey look, I don't have anything personal against WoStartSignCom, my views on Peter. |
| Re: Incidents involving the CA WoSign | Rob Stradling | 05/09/16 05:19 | On 04/09/16 17:40, Andrew Ayer wrote:x509lint was segfaulting when crt.sh tried to add the SM2 certs to its database. crt.sh has them now: https://crt.sh/?id=30773511 https://crt.sh/?id=30773585 Kurt, please take a look at this PR: https://github.com/kroeckx/x509lint/pull/13 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. |
| unk...@googlegroups.com | 05/09/16 13:37 | <This message has been deleted.> | |
| unk...@googlegroups.com | 05/09/16 15:16 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Peter Bowen | 05/09/16 15:58 | On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <ge...@mozilla.org> wrote:Gerv and team, In addition to the direct impact, I note that WoSign is the subject of cross-signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). For example: Cross issued to /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6 by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:01:59Z Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:59:59Z Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring 2019-06-24T19:06:30Z Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring 2019-07-09T18:40:36Z I have two questions: 1) Should any action be taken against the operators of these CAs due to the incidents listed? My view is that the correct answer is "no, unless it is demonstrated that the CA operator had knowledge of undisclosed incidents", as I believe that the issuer should be able to rely upon the audit reports and continued inclusion in the Mozilla trust store as prima facie evidence of compliance with Mozilla policy. 2) If Mozilla decides to take action that results in WoSign no longer being directly trusted, do those CAs with unrevoked unexpired cross-signs bear responsibility for any future mis-issuance by WoSign? My view is the answer is yes, as WoSign would be a subordinate CA rather than a peer being cross-signed. The Mozilla policy makes it clear that "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with Mozilla’s CA Certificate Policy". Thanks, Peter |
| unk...@googlegroups.com | 05/09/16 16:15 | <This message has been deleted.> | |
| RE: Incidents involving the CA WoSign | Richard Wang | 05/09/16 18:39 | The first email is the guy found the problem, the second email is asking for revocation to related person that he/she can't do it.
Sure, we have CMS (Certificate Management System), every order is processed in the system by the proper duty person. See Figure 8, the top menu is Order Info, personal info, proof documents, processing log, order remark, domain validation log That we just display the menu "processing log" in the screenshot to show all process event like shipping tracking system. I am sorry that we are busy with the second report that maybe can't reply all inquiry email. Some question will be replied in the second report.
|
| Re: Incidents involving the CA WoSign | Henri Sivonen | 05/09/16 23:20 | On Sun, Sep 4, 2016 at 12:49 PM, Richard Wang <ric...@wosign.com> wrote: > This report has 20 pages, please let me if you still have any questions, thanks.In the table on page 13, line 6 looks different from the others. Should that line be in the table on page 14 instead? -- Henri Sivonen hsiv...@hsivonen.fi https://hsivonen.fi/ |
| Re: Incidents involving the CA WoSign | Gervase Markham | 05/09/16 23:23 | On 06/09/16 07:20, Henri Sivonen wrote:Also line 2? Gerv |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 06/09/16 01:56 | On 2016-09-05 22:37, Percy wrote:
> In page 11, you mentioned that "System blocked many illegal request every day, the following screen shot is the reject order log", in which you attached a log with Google, Microsoft, QQ domains. Those domains are rejected because of the top domain whitelist. Does that mean those attempts passed your automatic validation and were only rejected because of the whitelist? > > And as Kurt pointed out, for the flag, why does it happen only AFTER the certificate is already issued? Since you specifically have the whitelist for topdomains, you would know mis-used of such certs have particularly high impacts. I think that was a misunderstanding on my part. In the other e-mail I send I came to the conclusion that what probably happened was that they were flagged for manual review and approved. And so that there really is something wrong with the manual review process. Their solution to that was to move "github.com" from manual review to reject. The document really is hard to follow and seems to more concentrate on defending themselves, how fast they are and show that they do prevent some certificates from being issued. What I'm looking for is just the facts of what happened, why this happened, what is being done to prevent this in the future. My current understanding of what happened with the github.com case is: - It's possible that the list of hostnames is changed between the point of validation and the user pressed the "submit request" button. This change can be caused by both the software adding other hostnames itself, or the user adding new hostnames. I understand that when the user pressed the button a CSR is generated. - Once the CSR is generated, it's trusted that the list of hostnames in it have been validated, which might not be the case. - Because gibhub.com is in the list of hostnames that needs to be checked, it's flagged for review. - The manual review just approved it. What I think is wrong: - There is no check that the hostnames have been validated after the CSR has been generated. - Too many github.com certificates get flagged for manual review causing the reviewers to not look careful and just approve it. The fix they used is to reject "github.com" itself instead of flagging it for review. They should probably also flag less things for review (probably after talking to github.) Looking at Figure 13, the first entry says it has 4 SANs in it, but claims only 1 was validated and 1 was not validated, what happened to the other 2? Kurt |
| RE: Incidents involving the CA WoSign | Richard Wang | 06/09/16 02:49 | Thanks for your comment.
For Github case: 1. what happened: issued the certificate that included un-validated domain, and found out this mistake in the next day review, and revoked this certificate. 2. why this happened: this is bug as you described, and due to many orders need to review manually, so the first day missed and issued; the next day second same order come and found out, then rejected. 3. what is being done to prevent this in the future: We fixed this bug, and we changed the github setting from "flag" to "reject" for class 1 and class 2 order to reduce the manual check mistake. For Figure 13, this subscriber finished the domain control validation for domain: netwi.ru, this means the domain: mail. netwi.ru and mx.netwi.ru are validated; and it finished the website control validation for domain: mail.idisk.su, so only 1 domain mx.idisk.su not validated. We can past the process log screenshot for this order in the next report that still preparing.
|
| Re: Incidents involving the CA WoSign | Rob Stradling | 06/09/16 03:12 | Hi Peter. Since you mentioned Comodo's cross-certification of the
"Certification Authority of WoSign" root, we thought we should respond... On 05/09/16 23:58, Peter Bowen wrote: <snip> > Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification AuthorityThis cross-certificate [1] is currently unexpired and unrevoked. However... The "UTN - DATACorp SGC" root was removed from NSS last year [2]. "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External CA Root" root [3], but we revoked the cross-certificates in December 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as revoked to Salesforce [5]. (I don't know why Mozilla haven't yet added these to OneCRL. A few weeks ago I marked Bug 1233408 as blocking Bug 1155095 in the hope that it would get noticed!) These two cross-certificates [6] are currently unexpired and unrevoked. However... The "UTN-USERFirst-Object" root is only enabled for the Code Signing trust bit in NSS, which AIUI has been effectively dead for about a year [7]. There are 2 cross-certs (currently unconstrained and unrevoked) issued by "AddTrust External CA Root" to "UTN-USERFirst-Object" [8]. However, the cross-certs issued to WoSign [6] are EKU-constrained to Code Signing / Time Stamping. <snip> > 1) Should any action be taken against the operators of these CAs dueComodo only learned of these incidents after they had been publicly disclosed. <snip> > 2) If Mozilla decides to take action that results in WoSign no longerComodo will continue to work to ensure that Mozilla's trust decisions are respected. [1] https://crt.sh/?id=3223853 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1208461 [3] https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1 [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1233408 [5] https://crt.sh/mozilla-disclosures#revoked [6] https://crt.sh/?q=Certification+Authority+of+WoSign&iCAID=1395 [7] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html [8] https://crt.sh/?q=UTN-USERFirst-Object&iCAID=1 |
| Re: Incidents involving the CA WoSign | Peter Gutmann | 06/09/16 06:59 | Matt Palmer <mpa...@hezmatt.org> writes: >Our of curiosity, is anyone keeping a tally of the number of times WoSign has We apologise for the fault in the CA. Those responsible have been sacked. Mynd Peter. |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Peter Gutmann | 06/09/16 07:11 | Peter Bowen <pzb...@gmail.com> writes: >In addition to the direct impact, I note that WoSign is the subject of cross- This is incredible, it's like a hydra. Do the BRs say anything about this Why would a public CA even need cross-certification from other CAs? Peter. |
| Re: Incidents involving the CA WoSign | Jakob Bohm | 06/09/16 07:18 | HØHØHØ *
*=The standard way of writing a derisive laughter in response to a bad unfunny joke. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Rob Stradling | 06/09/16 07:21 | On 06/09/16 15:10, Peter Gutmann wrote:
<snip> > Why would a public CA even need cross-certification from other CAs?To inherit trust on legacy platforms that don't have an automatic root update mechanism. |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Jakob Bohm | 06/09/16 07:30 | On 06/09/2016 16:10, Peter Gutmann wrote:The BRs say that if the cross-certified CA is deemed no longer compliant, the cross-signing CAs must retract their cross-signature or be deemed non-compliant themselves. This was already explained elsewhere in this discussion. Because the delay from starting up a new trustworthy CA until all deployed client software has been upgraded to trust that new CA is unbearably long (bordering on infinite as the required support percentage approaches 100.000000000%). Hence it is common for new CAs (other than the now historic RSADSI CA) to acquire cross-signatures from established (or even defunct) CAs. This is exacerbated by the fact the at least one Browser vendor (Microsoft) no longer distributes the full list of trusted CAs with their clients, but instead checks against an online copy of their root stores as needed, giving people very little control over what they trust other than a few historic CAs. In relation to your well-published PKI criticism, it is noted that some of the many new CAs found in root stores are governments who (unlike commercial CAs) are the actual authority on the identity of their citizens. |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Myers, Kenneth (10421) | 06/09/16 07:42 | There could be multiple reasons for xcerts from internal policies to controlled trust stores. It depends on the root and the company. Part of the reason the FPKI has xcerts is for both those reasons. Companies may only want to use their root. They may not want to rely on the trust bundle approach or have internal policies that there must be mutual trust. I think this group has seen some examples of questionable audits.
Ken Message: 4 Date: Tue, 6 Sep 2016 14:10:19 +00 From: Peter Gutmann <pgu...@cs.auckland.ac.nz> To: Peter Bowen <pzb...@gmail.com>, Gervase Markham <ge...@mozilla.org> Cc: Richard Wang <ric...@wosign.com>, "mozilla-dev-s...@lists.mozilla.org" <mozilla-dev-s...@lists.mozilla.org> Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <147317099...@cs.auckland.ac.nz> Content-Type: text/plain; charset="iso-8859-1"
Why would a public CA even need cross-certification from other CAs?Peter. Ken -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+kenneth.myers=protiviti.com@lists.mozilla.org] On Behalf Of dev-security-...@lists.mozilla.org Sent: Tuesday, September 6, 2016 10:19 To: dev-secur...@lists.mozilla.org Subject: dev-security-policy Digest, Vol 93, Issue 34 Send dev-security-policy mailing list submissions to dev-secur...@lists.mozilla.org To subscribe or unsubscribe via the World Wide Web, visit https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.mozilla.org_listinfo_dev-2Dsecurity-2Dpolicy&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=3DxgIVrE6qM1HU21hDF7kWz-URTpSuAa2CzJ9fhbisw&e= or, via email, send a message with subject or body 'help' to dev-security-...@lists.mozilla.org You can reach the person managing the list at dev-security...@lists.mozilla.org When replying, please edit your Subject line so it is more specific than "Re: Contents of dev-security-policy digest..." Today's Topics: 1. Re: Sanctions short of distrust (Jakob Bohm) 2. Re: Sanctions short of distrust (Kurt Roeckx) 3. Re: Incidents involving the CA WoSign (Peter Gutmann) 4. Re: [FORGED] Re: Incidents involving the CA WoSign (Peter Gutmann) 5. Re: Sanctions short of distrust (Jakob Bohm) 6. Re: Incidents involving the CA WoSign (Jakob Bohm) ---------------------------------------------------------------------- Message: 1 Date: Tue, 6 Sep 2016 14:16:32 +0200 From: Jakob Bohm <jb-mo...@wisemo.com> To: mozilla-dev-s...@lists.mozilla.org Subject: Re: Sanctions short of distrust Message-ID: <Rvydna3-raE8LlPKnZ2dnUU7-LXNnZ2d@mozilla.org> Content-Type: text/plain; charset=utf-8; format=flowed On 06/09/2016 10:25, Kurt Roeckx wrote: > On 2016-09-06 10:13, Nick Lamb wrote: >> Quality of implementation for OCSP stapling seems to remain poor in >> at least apache and nginx, two of the most popular servers. Apache's >> in particular gives me that OpenSSL "We read this standards document >> and implemented everything in it as a series of config options >> without any understanding" feeling, rather than Apache's maintainers >> taking it upon themselves to figure out what will actually work best >> for most servers and implementing that. > > If you think there is something we can do in OpenSSL to improve this, > please let us know. > > Here are a list of software where I have personally observed bad OCSP stapling support: OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP responses in sessions, but no meaningful sample code to do this right (e.g. caching, error handling etc.) I am working on my own add-on code for this, but it is not complete and not deployed. There is no builtin support for multistapling and no clear documentation on how to add arbitrary TLS extensions (such as this) to an OpenSSL application. OpenSSL 1.1.x itself: This is a heavily rewritten library and very new at this time, basic reliability procedures suggest waiting a few patch levels before deployment. Stunnel stand alone SSL/TLS filter (used with e.g. Varnish reverse proxies): OCSP stapling is on their TODO-list, but not yet included. Pound light-weight reverse proxy with SSL/TLS front end: No OCSP stapling support in the standard version. IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP stapling support. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://urldefense.proofpoint.com/v2/url?u=https-3A__www.wisemo.com&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=6fqktmkS-VMGXPnE5Am_4CIFFk0921lO5fh4HUxVxMc&e= Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors.------------------------------ Message: 2 Date: Tue, 6 Sep 2016 15:37:50 +0200 From: Kurt Roeckx <ku...@roeckx.be> To: mozilla-dev-s...@lists.mozilla.org Subject: Re: Sanctions short of distrust Message-ID: <06KdnUKjKJcyW1PKnZ2dnUU7-anNnZ2d@mozilla.org> Content-Type: text/plain; charset=utf-8; format=flowed On 2016-09-06 14:16, Jakob Bohm wrote: > On 06/09/2016 10:25, Kurt Roeckx wrote: >> If you think there is something we can do in OpenSSL to improve this, >> please let us know. > > Here are a list of software where I have personally observed bad OCSP > stapling support: > > OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP > responses in sessions, but no meaningful sample code to do this right > (e.g. caching, error handling etc.) I am working on my own add-on code > for this, but it is not complete and not deployed. As far as I know the functions for that are: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_docs_manmaster_ssl_SSL-5Fset-5Ftlsext-5Fstatus-5Ftype.html&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=3XfGC0sf6JNBNjhp2OUj-Vo5am2mA-e_v-80wDHGmGE&e= > There is no builtin support for multistapling and no clear > documentation on how to add arbitrary TLS extensions (such as this) to > an OpenSSL application. SSL_CTX_add_server_custom_ext() was added in 1.0.2, see https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_docs_manmaster_ssl_SSL-5FCTX-5Fadd-5Fserver-5Fcustom-5Fext.html&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=l7DjxqeCNx20l6TmHoxv_N--WwDVJlh7u1mCeHXG2L4&e= PS: I just found: https://urldefense.proofpoint.com/v2/url?u=https-3A__istlsfastyet.com_&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=2yhWRWfJwOCRJW_0w037OyfK_nrac9UkepMQGW4eYBo&e= This is probably also getting a little off topic. Kurt ------------------------------ Message: 3 Date: Tue, 6 Sep 2016 13:58:40 +0000 From: Peter Gutmann <pgu...@cs.auckland.ac.nz> To: Matt Palmer <mpa...@hezmatt.org>, "dev-secur...@lists.mozilla.org" <dev-secur...@lists.mozilla.org> Subject: Re: Incidents involving the CA WoSignMessage-ID: <147317029...@cs.auckland.ac.nz> Content-Type: text/plain; charset="iso-8859-1" you, m??se bites Kan be pretti nasti... We apologise again for the fault in the CA. Those responsible for sacking the people who have just been sackedhave been sacked. M??se trained by YUTTE HERMSGERV?RDENBR?TB?RDA Special M??se Effects OLAF PROT M??se Costumes SIGGI CHURCHILLM??se Choreographed by HORST PROT III. The directors of the CA hired to continue the credits after the------------------------------ Message: 4 Date: Tue, 6 Sep 2016 14:10:19 +0000 From: Peter Gutmann <pgu...@cs.auckland.ac.nz> To: Peter Bowen <pzb...@gmail.com>, Gervase Markham <ge...@mozilla.org> Cc: Richard Wang <ric...@wosign.com>, "mozilla-dev-s...@lists.mozilla.org" <mozilla-dev-s...@lists.mozilla.org> Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <147317099...@cs.auckland.ac.nz> Content-Type: text/plain; charset="iso-8859-1"
Why would a public CA even need cross-certification from other CAs?Peter. ------------------------------ Message: 5 Date: Tue, 6 Sep 2016 16:14:43 +0200 From: Jakob Bohm <jb-mo...@wisemo.com> To: mozilla-dev-s...@lists.mozilla.org Subject: Re: Sanctions short of distrust Message-ID: <kqydnXo2x-jJUlPKnZ2dnUU7-LPNnZ2d@mozilla.org> Content-Type: text/plain; charset=utf-8; format=flowed On 06/09/2016 15:37, Kurt Roeckx wrote: > On 2016-09-06 14:16, Jakob Bohm wrote: >> On 06/09/2016 10:25, Kurt Roeckx wrote: >>> If you think there is something we can do in OpenSSL to improve this, >>> please let us know. >> >> Here are a list of software where I have personally observed bad OCSP >> stapling support: >> >> OpenSSL 1.0.x itself: There are hooks to provide stapled leaf OCSP >> responses in sessions, but no meaningful sample code to do this right >> (e.g. caching, error handling etc.) I am working on my own add-on code >> for this, but it is not complete and not deployed. > > As far as I know the functions for that are: > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_docs_manmaster_ssl_SSL-5Fset-5Ftlsext-5Fstatus-5Ftype.html&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=3XfGC0sf6JNBNjhp2OUj-Vo5am2mA-e_v-80wDHGmGE&e= > >> There is no builtin support for multistapling and no clear >> documentation on how to add arbitrary TLS extensions (such as this) to >> an OpenSSL application. > > SSL_CTX_add_server_custom_ext() was added in 1.0.2, see > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_docs_manmaster_ssl_SSL-5FCTX-5Fadd-5Fserver-5Fcustom-5Fext.html&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=l7DjxqeCNx20l6TmHoxv_N--WwDVJlh7u1mCeHXG2L4&e= > Neither of those calls (which I know) provide the lacking functionality. Specifically, the _tlsext_ OCSP calls require each server to design and build its own OCSP response acquisition and caching code. While the _server_custom_ functions seemingly lack the functionality to implement multistapling, at least as I read them. > > PS: I just found: https://urldefense.proofpoint.com/v2/url?u=https-3A__istlsfastyet.com_&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=2yhWRWfJwOCRJW_0w037OyfK_nrac9UkepMQGW4eYBo&e= > > This is probably also getting a little off topic. > But yes, the details of OpenSSL are off-topic in this newsgroup, this was merely two entries in a long list of HTTPS server implementations that cannot be easily configured to send the OCSP stapling responses that some other posters suggested would be an appropriate workaround for half-bad CAs. The point of the list was simply to explain why requiring OCSP stapling would not work on the current Internet. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://urldefense.proofpoint.com/v2/url?u=https-3A__www.wisemo.com&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=6fqktmkS-VMGXPnE5Am_4CIFFk0921lO5fh4HUxVxMc&e= Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors.------------------------------ Message: 6 Date: Tue, 6 Sep 2016 16:18:08 +0200 From: Jakob Bohm <jb-mo...@wisemo.com> To: mozilla-dev-s...@lists.mozilla.orgMessage-ID: <V6-dnZnApeq8TVPKnZ2dnUU7-ffNnZ2d@mozilla.org> Content-Type: text/plain; charset=windows-1252; format=flowed > you, m??se bites Kan be pretti nasti... We apologise again for the fault in > the CA. Those responsible for sacking the people who have just been sacked> have been sacked. M??se trained by YUTTE HERMSGERV?RDENBR?TB?RDA Special M??se > Effects OLAF PROT M??se Costumes SIGGI CHURCHILLM??se Choreographed by HORST > PROT III. The directors of the CA hired to continue the credits after theH?H?H? * Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://urldefense.proofpoint.com/v2/url?u=https-3A__www.wisemo.com&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=6fqktmkS-VMGXPnE5Am_4CIFFk0921lO5fh4HUxVxMc&e= Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors.------------------------------ Subject: Digest Footer https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.mozilla.org_listinfo_dev-2Dsecurity-2Dpolicy&d=DQICAg&c=19TEyCb-E0do3cLmFgm9ItTXlbGQ5gmhRAlAtE256go&r=v6QfMBgWaMWhsB_PpBwwzxPtUwSffCWXSAR0gp0RFbY&m=gx-RPkgIBbnv1o7pHc6J2JDA0hiijyCDt6lIsqVJaTk&s=3DxgIVrE6qM1HU21hDF7kWz-URTpSuAa2CzJ9fhbisw&e= ------------------------------ End of dev-security-policy Digest, Vol 93, Issue 34 *************************************************** NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you. |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Nick Lamb | 06/09/16 08:08 | On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote:Maybe this question has some subtlety to it that I'm missing? Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a published process. Microsoft, Apple and Oracle all say basically "email this address with your details" and beyond that all is opaque, other trust stores are worse / slower. Let's Encrypt was announced in 2014, with its intention from the outset being to operate as a public CA. The ISRG Root (ISRG is the actual 501(c)3 entity behind Let's Encrypt formally) was self-signed in June 2015. In September 2015 they formally applied to all major root trust stores including Mozilla. In October 2015 they received a cross-certification from IdenTrust for Let's Encrypt Authority X1 (and its backup X2) and soon after began "beta" issuance, making real working leaf certificates for the web PKI, obeying the BRs and so on, initially for subscribers who had been pre-vetted and then for the general public. By June 2016, with all major root trust stores still deliberating (Mozilla publicly, everyone else behind closed doors) Let's Encrypt was one of the biggest issuers on the entire World Wide Web. Officially, they were merely a subCA of IdenTrust as far as every trust store is concerned. In practice they were now bigger than almost all the directly trusted public CAs (Symantec and Comodo are bigger by most measures). In July 2016 Mozilla signalled that future Firefox versions would add ISRG Root X1 to their trust store. No word yet from any other major trust store. This is not at all unusual. So, cross signatures are the difference between being able to actually "enter the market" in reasonable time and being stalled out essentially indefinitely. |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Peter Gutmann | 06/09/16 08:19 | Nick Lamb <tiala...@gmail.com> writes: >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: OK, I really meant "that many other CAs". To take one example, the cross- Peter. |
| unk...@googlegroups.com | 06/09/16 08:29 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Eddy Nigg | 06/09/16 09:43 | On 09/05/2016 10:54 AM, Gervase Markham wrote:Again, I don't think we can and will solve this in public, however I believe it's the complete right of a company (and employer) to decide how and when it wants to make an official public announcement about its business (and being just in order to complete a currently ongoing transaction first). Not every employee is authorized to represent the company and inform third parties (at his/her convenient timing and consideration) even if he/she knows about it and/or some information has been placed into (partly) public domain as part of a business process. I hope my explanation makes it clear that this ex-employee was not authorized to provide any information about StartCom or WoSign. |
| Re: Incidents involving the CA WoSign | Han Yuwei | 06/09/16 10:21 | I thought Wosign's report is not very convincible. The bug of subdomain have existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of personal or small sites. I am not very similar to CA stuff that time,just a subscriber of Wosign's free certificates.I have also signed subdomain certificate without validating root domain control. But I controlled both of them so I didn't think it is very serve problem.
So I think it is very important to audit how many certificates mis-issued by Wosign. Because this bug is used widely when I am running websites for Wosign provide FREE 3 year multi-domain certificates that time. ( We dont have Let's encrypt that time and Startcom just issue single domain.) |
| Re: Incidents involving the CA WoSign | Julian Brost | 06/09/16 10:21 | Hi,
section 1.4. Impact Analytics in the report contains a list of 72 certificates, for which the domain validation was done on a high port. On 2015-04-20 I have obtained a certificate for a domain name that I validated using port 8080 but that certificate is not listed in the report. This is the certificate: https://crt.sh/?id=30335331 It seems like the certificate was posted to the CT logs by WoSign (at least I never used the certificate anywhere) but not on August 26th like the other certs and as stated in the report. So I have doubts about the report and it really should be investigated why this certificate is missing in the report. Regards, Julian Brost
> We finished the investigation and released the incidents report today: https://www.wosign.com/report/wosign_incidents_report_09042016.pdf> This report is just for Incident 0-2, we will release a separate report for another incident X soon. > > > Best Regards, > > Richard Wang > CEO > WoSign CA Limited > > > -----Original Message----- > From: Gervase Markham [mailto:ge...@mozilla.org] > Sent: Wednesday, August 24, 2016 9:08 PM > To: mozilla-dev-s...@lists.mozilla.org > Cc: Richard Wang <ric...@wosign.com> > Subject: Incidents involving the CA WoSign > > Dear m.d.s.policy, >> Incident 0 > ---------- > > On or around April 23rd, 2015, WoSign's certificate issuance system for their free certificates allowed the applicant to choose any port for validation. Once validation had been completed, WoSign would issue certificates for that domain. A researcher was able to obtain a certificate for a university by opening a high-numbered port (>50,000) and getting WoSign to use that port for validation of control. > > This problem was reported to Google, and thence to WoSign and resolved. > Mozilla only became aware of it recently. > > * Before the recent passage of Ballot 169 in the CAB Forum, which limits the ports and paths which can be used, the Baseline Requirements said that one acceptable method of domain validation was "Having the Applicant demonstrate practical control over the FQDN by making an agreed‐upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN". This method therefore did not violate the letter of the BRs. However, Mozilla considers the basic security knowledge that ports over 1024 are unprivileged should have led all CAs not to accept validations of domain control on such ports, even when not documented in the BRs. > > * The misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). > > * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. > > Incident 1 > ---------- > > In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain. > > The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io. > > They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later. > > * The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible. > > * This misissuance incident was not reported to Mozilla by WoSign as it should have been (see above). > > * This misissuance incident did not turn up on WoSign's subsequent BR audit[1]. > > Incident 2 > ---------- > > In July 2016, it became clear that there was some problems with the StartEncrypt automatic issuance service recently deployed by the CA StartCom. As well as other problems it had, which are outside the scope of this discussion, changing a simple API parameter in the POST request on the submission page changed the root certificate to which the resulting certificate chained up. The value "2" made a certificate signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free SSL Certificate G2" and "0" selected "CA 沃通根证书", another root certificate owned by WoSign and trusted by Firefox. > > Using the value "1" led to a certificate which had a notBefore date (usage start date) of 20th December 2015, and which was signed using the > SHA-1 checksum algorithm. > > * The issuance of certificates using SHA-1 has been banned by the Baseline Requirements since January 1st, 2016. Browsers, including Firefox, planned to enforce this[2] by not trusting certs with a notBefore date after that date, but in the case of Firefox the fix had to be backed out due to web compatibility issues. However, we are considering how/when to reintroduce it, and CAs presumably know this. > > * The issuance of backdated certificates is not forbidden, but is listed in Mozilla's list of Problematic Practices[3]. It says "Minor tweaking for technical compatibility reasons is accepted, but backdating certificates in order to avoid some deadline or code-enforced restriction is not." > > * WoSign deny that their code backdated the certificates in order to avoid browser-based restrictions - they say "this date is the day we stop to use this code"[4]. If that is true, it is not clear to us how StartCom came to deploy WoSign code that WoSign itself had abandoned. > > * It seems clear from publicly available information that StartCom's issuance systems are linked to WoSign's issuance systems in some way. > Nevertheless, it should not have been possible for an application for a cert from StartCom to produce a cert signed by WoSign. > > * This misissuance incident was not reported to Mozilla by WoSign as it should have been. > > > Taking into account all these incidents and the actions of this CA, Mozilla is considering what action to take. Your input is welcomed. > > Gerv, Kathleen and Richard > > > [0] > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ > [1] https://cert.webtrust.org/SealFile?seal=2019&file=pdf > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=942515 > [3] > https://wiki.mozilla.org/CA:Problematic_Practices#Backdating_the_notBefore_date > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 > |
| Re: Incidents involving the CA WoSign | Ming | 06/09/16 10:22 | For page 19 of the report, I have one question: If the subscriber MUST transfer the payment from his company bank account, why subscriber fake the company seal as figure 20?
And from figure 21's information, one fraud company transfered the payment from alipay, NOT his company bank! 在 2016年9月4日星期日 UTC+8下午5:51:26,Richard Wang写道: |
| Re: Incidents involving the CA WoSign | Will Hughes | 06/09/16 10:23 | Hello,
First of all let me state that I am in no way involved in the operation of a certificate authority, nor am I involved in setting CA policy for any organisation; I am merely an interested observer. I am a user of Mozillas' trust store, both directly through Firefox and Thunderbird, and indirectly by using pieces of software that rely on NSS. I have previously been a customer of WoSign[0], but am not currently. Addressing Mozillas' response to WoSigns' breach: * Surely there is precedent from previous violations by other CAs that can be used to inform this decision? How did Mozilla handle the October 2015 incident[1] in which Symantec mis-issued over 2500 certificates? While the scale appears to be different, the facts of that incident are not too dissimilar to this one; a CA mis-issued a number of certificates, and failed to adequately notify trust store operators of this. * While there doesn't seem to be a great deal of dispute over the facts of this incident, it seems to me that in the very short term (ie, the next fortnight) it would be useful if WoSign were required to produce an incident report detailing: - The precise extent of the incident, detailing every certificate that was mis-issued and to whom, to reassure the community that these bugs are not being used maliciously - The current status (revocation, CT presence) of all mis-issued certificates. - An assessment as to the cause of the incident[2] - Details as to the measures already undertaken to rectify the defects - Details of future measures that will be undertaken to prevent further problems The purpose of this is to re-establish some small amount of trust that WoSign can be permitted to continue operating while a longer-term plan is discussed * I do not know what should be done in the longer term, but I suggest that the focus of this discussion be on finding ways to permit WoSign to prove that they are fit to participate in the Root Trust programme, so long as WoSign are willing to engage and proactively work to restore trust. If WoSign do not wish to work to restore trust, then removal from the programme would have to be considered. Care must be taken to not unduly punish WoSigns' customers, while at the same to the safety of the wider internet community must be assured. Addressing this issue in general; WoSign have claimed that their failure to report this incident came about from a misunderstanding of the English language documents by their staff who do not all speak English. While this is clearly not a valid excuse, is this something Mozilla needs to consider to prevent similar incidents in the future? Surely a significant proportion of CA operators face a similar language barrier? Thank you all for your time, Will Hughes [0] I issued two certificate via WoSign in May 2016 for hosts that were not internet facing, because it was impractical for me to issue LetsEncrypt certs for those hosts. I have since updated my tooling, issued LetsEncrypt certs and revoked the WoSign certs. I note that neither of the WoSign certs appear on crt.sh [1] https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html [2] I understand that in the short timeframe, a full post-mortem may not be practical, but an initial assesment of the causes of the incident should have already been completed |
| Re: Incidents involving the CA WoSign | xcrai...@gmail.com | 06/09/16 10:24 | On Saturday, September 3, 2016 at 1:31:17 PM UTC-4, Andy Ligg wrote:
> You are completely wrong! > > StartCom not only have office in Israel and in China, but also have > office in UK, welcome to visit our UK office: T05, Castlemead, Lower > Castle Street, Bristol, BS1 3AG, UK. Thanks for pointing me to MR. GUOHUA WANG's name[1], and beware of your NDA too. Meh. [1]: http://wayback.archive.org/web/20160903185601/https://companycheck.co.uk/company/09744347/STARTCOM-CA-LIMITED/companies-house-data# |
| Re: Incidents involving the CA WoSign | Jonathan Rudenberg | 06/09/16 10:50 | Do you believe that you have certificates issued by WoSign that include unvalidated domains that are not on the list in Figure 14 of the report[0]? To clarify: validating a subdomain and issuing a certificate for it is fine, however it is incorrect to issue a certificate for a domain below the level that was validated. For example, if control of subdomain.example.com is the only thing validated, it would be incorrect to issue a certificate that included example.com or any other domains that did not end in .subdomain.example.com. [0] https://www.wosign.com/report/wosign_incidents_report_09042016.pdf |
| Re: Incidents involving the CA WoSign | Gervase Markham | 06/09/16 11:07 | On 05/09/16 23:58, Peter Bowen wrote: > 1) Should any action be taken against the operators of these CAs dueAfter consultation, Mozilla's CA team agrees with your views. Gerv |
| Re: Incidents involving the CA WoSign | Jakob Bohm | 06/09/16 12:25 | Because of what hanyuwei70 wrote, I think it would be prudent to treat
two cases different *for this case only*: 1. The validated domain was www.foo.bar and the certificate was for www.foo.bar and foo.bar. This case should be treated more leniently. 2. The validated domain was baz.foo.bar and the certificate was for baz.foo.bar and foo.bar. In this case there is no reason to believe that the certificate customer has any right to get a certificate for foo.bar and the certificates must be revoked instantly with no delay. If a customer paid money for a baz.foo.bar certificate and can now prove that they do in fact control foo.bar in addition to baz.foo.bar, the certificate should be reissued at no extra cost, since only the WoSign validation work was wrong, not the result. If a customer paid money for a baz.foo.bar certificate and did not request or use the included foo.bar certification, that customer should be offered a baz.foo.bar-only certificate at no extra charge, provided they can still prove control of baz.foo.bar. If a customer actually asked for a combined baz.foo.bar + foo.bar certificate or used the foo.bar portion of such a certificate despite having no rights to the foo.bar domain itself, then that customer should not be able to get a new certificate at all, since they deliberately acted fraudulently and took advantage of WoSign's incompetence. This includes the security researcher(s) who requested such certificates only to prove that WoSign's systems don't work. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.comTransformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 |
| RE: Incidents involving the CA WoSign | Richard Wang | 06/09/16 19:10 | We checked our system that this order is finished the website control validation correctly. No any mistake.
Why this is not listed in the report list? This order is year 2015 order, this is the event of 17 months ago, we can't find the info what port is used, our CMS system just record this order is validated by website control validation method, not record the used port at that time. Why we can find out other 72 certificate? We try to search every validation process evidence in many systems to analyze the related log to catch the info. I can't guarantee all high port validation order are listed in the report, but as we said in the report, each certificate is properly validated using high port.
From: Julian Brost [mailto:jul...@0x4a42.net] > Hi all, |
| Re: Incidents involving the CA WoSign | Eric Mill | 06/09/16 22:39 | On Tue, Sep 6, 2016 at 11:43 AM, Eddy Nigg <eddy...@startcom.org> wrote:That right doesn't exist. Not for governments, corporations, or any other organization. Every organization wants to control information flow about themselves, and they certainly have the right to try to do so as long as they don't harm other people. But legally restraining and punishing individuals in pursuit of that control is rightfully subject to intense scrutiny. At the very least, you and your company come off as a complete bully, and I don't think that benefits you right now. -- Eric
> _______________________________________________> https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> |
| Re: Incidents involving the CA WoSign | Rob Stradling | 07/09/16 02:33 | On 06/09/16 11:11, Rob Stradling wrote:
<snip> > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust ExternalThese cross-certs (https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1) are now in OneCRL. Thanks Gerv. |
| RE: Incidents involving the CA WoSign | Richard Wang | 07/09/16 03:08 | Hi Gerv, Kathleen and Richard,
This discuss has been lasting two weeks, I think it is time to end it, it doesn’t worth to waste everybody’s precious time. I make my confession that our system and management do have some problems which lead to the misissuance of some certificates. And I am very sorry that WoSign don’t notify all browsers after the incident happened and even after the problem fixed. I’d like to give my suggestion action for Mozilla as below: 1. Mozilla will trust those SSL certificates only: (1) The certificate notBefore date is before Jan. 1st 2015; (2) The certificate notBefore date is from Jan. 1st 2015 to July 4th 2016 that listed in the Google CT log server; (3) The certificate notBefore date is from July 5th 2016 to Sept xx 2016 that embedded SCT data in the certificate; (4) The certificate notBefore date is from Sept xx 2016 that embedded SCT data in the certificate and must have the “C=CN” in the certificate subject. 2. Mozilla can assign a WebTrust auditor to WoSign office to check and inspect every incident, check every relevant issued certificate, and record a report with: what happened, why this happened and what is being done to prevent this in the future etc., WoSign will pay the audit cost. I’d like to make some supplements about 1. (4) above, this term means WoSign will only issue SSL certificates to China subscribers. WoSign issued about 120K SSL certificates for websites in China including many central government websites like MIIT and many other local province government websites, many university websites, many online banking websites, 6 of the Top 10 ecommerce websites, big supermarket online store like Walmart, 4 of the Top 5 cloud service in China, and many big companies that listed in NYSE and Nasdaq, and many subsidiaries of foreign countries big companies. Those customers like to use WoSign certificate especially our support of Chinese, local support and customer service. And some of them paid up to 10-year certificate fee in advance, we need to renew their certificate for free once it is about to expire at every three years for OV SSL. I wish Mozilla could accept my suggestion, and I am sure WoSign will do it better after getting this so big lesson. Thank you. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 07/09/16 04:00 | Hi Richard,
Unfortunately, I think we may be only beginning. I have prepared a list of the issues we are tracking with WoSign's certificate issuance process and business: https://wiki.mozilla.org/CA:WoSign_Issues Please can you provide a response to issues F, P, S and T at your earliest convenience? In addition, if you have further things to say about issues D, H, J, L, N or V we would be happy to hear them. Thank you for your suggestions, but once Mozilla has a full understanding of what has gone on we will be in a better position to decide what next actions are appropriate. With best wishes, Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 07/09/16 04:20 | On 07/09/16 12:14, Richard Wang wrote:
> By the way, the link you used in the page to our report is not correct. Fixed; thank you. Gerv |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 07/09/16 05:09 | On 2016-09-07 13:00, Gervase Markham wrote:Thanks for putting this all in a page because I already lost track of most of the issues. This URL was posted, and at least seems to match the date range: https://crt.sh/?serial=056d1570da645bf6b44c0a7077cc6769&iCAID=1662 It currently only has 314 of the mentioned 392 duplicates. I don't know if there are other duplicate serials we need to look for, or if they failed to publish all 392. It's at least my understanding that all certificates for 2015 should already have been submitted to CT. Related to issue F, we've been told that all 2015 certificates should have been published to CT. We got a mail saying that with "Date: Fri, 2 Sep 2016 07:37:52 +0000". I added the https://crt.sh/?id=30736090 to aviator later, and it's now in their log too. I guess it could be useful for everybody to go over this page and see if all the issues that were raised are on that page. Kurt |
| Re: Incidents involving the CA WoSign | Rob Stradling | 07/09/16 05:53 | On 06/09/16 19:12, Thijs Alkemade wrote:
<snip> > Hello, > > We obtained 2 certificates from the StartEncrypt API which had SHA-1 signatures and which were backdated to December 20, 2015. > > After WoSign announced that all certificates issued in 2015 were logged to their Certificate Transparency server, I analyzed them to check if any other certificates using SHA-1 signatures show signs of being backdated. Using the Python tools from Google’s Certificate Transparency repository I downloaded all certificates from the log and then queried them from an sqlite database. Considering this is the first time I’m working with Certificate Transparency logs, it might be better if someone else tries to reproduce my results. I’ve generated a table here: https://gist.github.com/anonymous/72920ff1b4450d38893dfa1b4863af52 (timestamps are in UTC). > > I found 1204 certificates with a SHA-1 signature issued after December 1, 2015. 53 of them included embedded SCT data, so can be dated more accurately. > > The most interesting pattern I noticed was from sorting the certificates based on the ID they have in WoSign’s Certificate Transparency log. Up to ID 109149 (https://crt.sh/?q=6d8665951cf6d8743200393a1085e0f6eb226270cc1f1402507d61faae93256a), the notBefore values are (approximately) chronologically ordered. Those which have embedded SCTs have timestamps which are about 2 hours later than the notBefore date. Hi Thijs. I agree that this pattern is interesting (and it'd be nice to see an explanation), but I'm not convinced that it proves everything you think it proves. > But after that follow 64 certificates which are all dated on December 20, 2015 (CST, UTC+8), including our two test certificates. Six of these have embedded SCT data, but they have a large discrepancy between the notBefore and the earliest SCT: 3 have a SCT of December 31 (11 days later) and 1 even has a SCT of January 18, 2016, almost a full month after the notBefore. (Unless I misunderstand the use of pre-certificates, this by itself already implies the certificate was signed using SHA-1 on or after January 18, 2016.) Yes. A certificate that has embedded SCTs cannot have been issued any earlier than any of the timestamps in those embedded SCTs (assuming those timestamps are accurate, of course). Of course, "implies...was signed...after" is only demonstrably true when you have a copy of both the precertificate and the corresponding certificate. You can't prove it if you only have a copy of the precertificate; the signature on a precertificate "indicates the certificate authority's intent to issue a certificate" [RFC6962 section 3.1], but this doesn't mean the CA is required to issue the certificate. > Aside from the 3 embedded SCTs on December 31, none of these certificates have been logged to a Certificate Transparency server before January 1, 2016. When a precertificate is logged, there is no need for the corresponding certificate to be logged. If the corresponding certificate does get logged at some point later, so what? Let's look at one of your examples: aceeccdbb17b9096251dd11a84041ec75fe7a92e903ffe07c6d6b0a0c980d399 The fact that the certificate (https://crt.sh/?id=12367098) wasn't logged until late January 2016 is uninteresting, because the precertificate (https://crt.sh/?id=11751158) was logged on (and has a notBefore date of) 31st December 2015. Except for EV, certificates issued by WoSign aren't required (by Chrome) to be logged. If a certificate (for which there is no corresponding precertificate) does get logged at some point long after its issuance date, so what? Let's look at one of your examples: 61b6289b1d3786e8f362e4049a4c5e24bb1356c0776fadb3a8a569f99d071a98 I see no evidence to suggest that this certificate was not issued on 30th December 2015, as suggested by its notBefore date. <snip> |
| Re: Incidents involving the CA WoSign | Thijs Alkemade | 07/09/16 07:02 | On 07 Sep 2016, at 14:52, Rob Stradling <rob.st...@comodo.com> wrote:Hi Rob, That makes sense, thanks. Both of these are not examples of the certificates which I consider suspicious. To be precise, the suspicious certificates have: - A SHA-1 signature from WoSign. - A notBefore date on December 20, 2015 (CST). - An ID in the WoSign Certificate Transparency log ≥ 109153. In the gist which I posted, this is line 4 up to 65. The fact that these certificates weren’t logged to public Certificate Transparency servers soon after is not suspicious and I did not intend it as such. It was only meant to indicate the lack of evidence that could have proven their timestamps. What is suspicious is: - Twice as many SHA-1 certificates being issued on a specific Sunday in December than the daily average that month. (Which also happens to be the date on the certificates which I personally got from the StartEncrypt API.) - The long difference between the notBefore and the embedded SCTs, if any. - Some of these certificates having an almost identical copy issued using SHA-256 on a date in January. If the SHA-1 cert has embedded SCTs, then the SHA-256 cert has them too and the SCTs of both certs are less than a minute apart. Of course, I can’t present hard cryptographic evidence that these certificates did not exist then, but I fear nothing can. Best regards, Thijs Alkemade Computest • Pine Digital Security E: talk...@computest.nl • I: www.computest.nl A: Signaalrood 25 • 2718 SH Zoetermeer Pine Digital Security is part of Computest |
| Re: Incidents involving the CA WoSign | Rob Stradling | 07/09/16 07:19 | On 07/09/16 15:01, Thijs Alkemade wrote:
<snip> > What is suspicious is:There could be an entirely innocent explanation for this. Lots of people were stockpiling SHA-1 certs during December 2015. Daily certificate issuance rates do vary. Indeed. Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 07/09/16 09:04 | On 07/09/16 13:52, Rob Stradling wrote:Hi Rob, My digest of Thijs's work (and that of others investigating the same issues) is here: https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29 Is every conclusion I draw justified from the data? Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 07/09/16 09:04 | On 07/09/16 13:52, Rob Stradling wrote: > Hi Thijs. I agree that this pattern is interesting (and it'd be nice to |
| Re: Incidents involving the CA WoSign | dymu...@gmail.com | 07/09/16 10:43 | On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote:
> ... we can't find the info what port is used, our CMS system just record this order is validated by website control validation method, not record the used port at that time. >My trust in this CA has dropped even more. Even if all non-standard port validations were otherwise issued correctly, it does not bode well that WoSign's system failed to record enough information in its logs. If people are manually looking through logs for suspicious certificates, we can never be sure that they caught them all, and there may be false positives as well. If the logs didn't store even the simple port information, what else isn't it storing? You say you'll do better in the future, but you have to be able to account for current and future bugs. In order to do that, you need accurate and verbose logs, or else a future vulnerability may be unable to be contained. |
| Re: Incidents involving the CA WoSign | Jozef Izso | 07/09/16 10:43 | Richard, why the report does not mention that the list of certs issued using high port validation is not complete and that you cannot properly find all the relevant information in your system?
|
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 07/09/16 11:05 | On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote:So here are 27 others: https://crt.sh/?serial=0d3bbdc3a0175e38f9d0070cd050986a&iCAID=1672 There is this weird combination: https://crt.sh/?id=12729072 https://crt.sh/?id=12728869 We also have: https://crt.sh/?id=9318242 https://crt.sh/?id=7841622 Kurt |
| unk...@googlegroups.com | 07/09/16 17:39 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Rob Stradling | 08/09/16 03:40 | Hi Gerv. I'd like to discuss this particular conclusion:
"...up to ID 109149...But after that follow 64 certificates which are all dated on December 20, 2015 (CST, UTC+8). This suggests that these were logged at the actual time of issuance but that time is not reflected in their notBefore date - i.e. they were backdated." ID 109153 (https://crt.sh/?id=30629275) is the first such certificate, not 109150. Also, these 64 certificates were not logged consecutively. I've just posted details of the relevant range of log entries here: https://gist.github.com/robstradling/129729531779dab448ca88049c49307c These log entries were only created 5 or 6 days ago, and the majority don't have corresponding precertificates. Consider https://crt.sh/?id=30629293, for example. Are you really suggesting that this was issued on 2nd September 2016 but backdated to 20th December 2015? The entry timestamps up to ID 109221 are all very close together (several entries per second). We know that WoSign were at that time submitting all of the certs they issued in 2015, so this is not surprising. I think it's unreasonable to assume that WoSign attempted to log the certs they issued in 2015 in the order in which they were issued. I look forward to reading WoSign's response to Issue S. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 08/09/16 06:12 | On 08/09/16 11:39, Rob Stradling wrote:For simplicity, I've removed this section from Issue S. I think the evidence related there stands alone without any log-number-related inferences. Gerv |
| Re: Incidents involving the CA WoSign | Ming | 08/09/16 09:01 | 在 2016年9月7日星期三 UTC+8下午6:08:33,Richard Wang写道:
> Hi Gerv, Kathleen and Richard,Richard,I check the top 10 e-commerce websites in China, ONLY suning.com and yhd.com are your subscribers; and ZERO of the top 5 cloud service companies in China use WoSign. I have reason to doubt the authenticity of the data you provided. there is the top 10 e-commerce websites in China: taobao.com jd.com tmall.com amazon.cn vip.com meituan.com suning.com dangdang.com jumei.com yhd.com the top 5 cloud service companies in China: aliyun.com qcloud.com qingcloud.com ucloud.cn hwclouds.com |
| Re: Incidents involving the CA WoSign | Vincent Lynch | 08/09/16 09:01 | Richard,
When you provide additional details about Issue P, can you specifically comment on why two of the certificates were issued for 4 years (48 months)? Section 6.3.2 of the BRs states "Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period no greater than 39 months." That section DID allow for an exception to that 39 month maximum if the CA documents that the certificate is being used in a case that satisfies a set of 5 requirements (too lengthy to provide here). If this was the case, this would have been allowable until 30 June 2016 and these certificates' validity period would not be a violation. Can you comment on if these certificates satisfied the exception? And if so, can you provide WoSign's documentation of this? In my opinion, this is one of the more concerning violations because it may show that it is trivially easy for WoSign's issuance software to issue certificates that violate the BRs. (My understanding is that these certificates qualify as a Subscriber Certificate, the fact that the subject CN = wosign.net is irrelevant.) Citation: https://wiki.mozilla.org/CA:WoSign_Issues#Issue_P:_Use_of_SM2_Algorithm_.28Nov_2015.29 |
| Re: Incidents involving the CA WoSign | Jakob Bohm | 08/09/16 16:27 | Wait, are you saying the certificates themselves contain embedded SCT
entries dated after the notBefore date? If so, that would be cryptographic evidence that the certificates were signed after those SCT entries were generated. |
| Re: Incidents involving the CA WoSign | Kyle Hamilton | 09/09/16 03:21 | I do have to ask this, though: WoSign has at least one EV issuer. I do
not know if there is an issuer with EV permissions in NSS, but WoSign does have an EV code signing issuer in the Microsoft root program. Has this issuer been checked to ensure that it could not have misissued certificates? (Yes, it's probably out of scope for mozilla's process. However, it's still something I'm curious about.) Also, on #2: Will this audit apply to all WoSign issuers included in NSS, or just a single one? I count at least 4. And finally, where does this leave StartCom? Is there a need for inquiries regarding StartCom's operations? -Kyle H
> This discuss has been lasting two weeks, I think it is time to end it, it doesn’t worth to waste everybody’s precious time. > I make my confession that our system and management do have some problems which lead to the misissuance of some certificates. And I am very sorry that WoSign don’t notify all browsers after the incident happened and even after the problem fixed. |
| Re: Incidents involving the CA WoSign | Ming | 09/09/16 08:14 | Can you list the China top 10 e-commerce websites and the China top 5 cloud
service companies in WoSign's opinion? In this web page: https://www.wosign.com/english/Who_uses_wosign.htm, I only find yhd.com dangdang.com and suning.com are famous e-commerce websites in China. 2016-09-09 0:14 GMT+08:00 Richard Wang <ric...@wosign.com>: > Your top 10 or top 5 is not same as my top 10 or top 5. > BTW, > Dangdang.com is using our certificate: https://www.ssllabs.com/ > ssltest/analyze.html?d=login.dangdang.com&latest > > Some is also using our certificate that you don't know. > > > Regards, > > Richard > > > Richard,I check the top 10 e-commerce websites in China, ONLY |
| Re: Incidents involving the CA WoSign | Peter Bowen | 14/09/16 19:44 | On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang <ric...@wosign.com> wrote:
> We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. > Thanks for your patience. Richard, Thank you in advance for working on a comprehensive report. I appreciate it takes signifiant time to research and write it. Do you expect to publish this week or will it be some time next week? Thanks, Peter |
| RE: Incidents involving the CA WoSign | Richard Wang | 14/09/16 20:58 | Today or tomorrow.
Now it is almost finished that someone is correcting my English. :-) Regards, Richard
|
| RE: Incidents involving the CA WoSign | Richard Wang | 16/09/16 03:07 | Hi Gerv,
This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf Please let me if you have any questions about the report, thanks.
Sent: Wednesday, September 7, 2016 7:00 PM Hi Richard, > This discuss has been lasting two weeks, I think it is time to end it, |
| Re: Incidents involving the CA WoSign | Han Yuwei | 16/09/16 06:33 | 在 2016年9月16日星期五 UTC+8下午6:07:56,Richard Wang写道:
About mis-issued alicdn.com and github.com, is the whitelist a acceptable solution? I thought it is a serve problem that possible hijacks on CA's validation host to the server. Lots of vulnerablity could be used by hackers such as DNS poisoning and TCP hijacks. This time the alicdn noticed this problem because it is a big company. If this happened to a relatively small company can we notice this in time? I am very doubt about that. Anything we can do to prevent this from happening? |
| Re: Incidents involving the CA WoSign | Vincent Lynch | 16/09/16 07:34 | On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote:Hi Richard, Thank you for you and your team's hard work on the report. As an observer, I found it very informative. I do have a follow up question regarding Issue P. I'm curious as to why this test ever took place with publicly trusted certificates given that the SM2 algorithm is not allowed by the CA/B Forum. Say this test was "successful". Whats next? Since SM2 is not allowed, was WoSign planning on introducing a ballot to the CA/B Forum to approve SM2? Sincerely, Vincent |
| Re: Incidents involving the CA WoSign | Richard Wang | 16/09/16 07:39 | Thank you very much for helping us.
For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard |
| Re: Incidents involving the CA WoSign | Gervase Markham | 16/09/16 08:11 | Hi Richard,
Thank you for this. I will be looking at it in detail on Monday; of course, others are welcome to comment before then. Gerv |
| Re: Incidents involving the CA WoSign | Florian Weimer | 18/09/16 05:50 | * Richard Wang:
>> Thus, do you believe it was faithful and accurate for Management to >> warrant that the CA was operated in compliance with the BRs, given >> that Management was aware of incidents of non-compliance? > > This is my fault that I think it is not serious enough to state in > the assertion letter, now I know and every related employee know how > to do this in the future. Richard, do you think more precise communication from auditors could have helped to avoid the incorrect representation? Thanks, Florian |
| RE: Incidents involving the CA WoSign | Richard Wang | 19/09/16 02:54 | Hi Gerv,
For Issue R listed in Wiki, we released the news today: https://www.wosign.com/english/News/WoSign_completed_equity_investment_to_StartCom_CA.htm Best Regards, Richard Cc: mozilla-dev-s...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv,
Best Regards, -----Original Message----- |
| Re: Incidents involving the CA WoSign | Peter Bowen | 19/09/16 07:30 | Richard,
I'm still somewhat confused. Can you review the following statements and either confirm they are true or specify they are not true and correct them? On 15 December 2015: 1) סטארט קומארשל בע"מ ("Start Commercial Limited" or StartCom IL) was a registered company in Israel. 2) 王高华 ("Gaohua Wang" or "Richard Wang") was the sole corporate director of Startcom IL. 3) Startcom CA Limited (Startcom UK) was a registered company in the United Kingdom. 4) Richard Wang was the sole corporate director of Startcom UK. 5) Startcom CA Limited (Startcom HK) was a registered company in Hong Kong. 6) Richard Wang was the sole corporate director of Startcom HK. 7) 沃通电子认证服务有限公司 (WoSign) was a registered company in China. 8) Richard Wang was the CEO of WoSign. 9) 100% of shares of Startcom IL were owned by Startcom UK. 10) 100% of shares of Startcom UK were owned by Startcom HK. 11) 100% of the shares of Startcom HK were owned by WoSign. On 1 September 2016: 1, 2, 3, 5, 6, 7, 8, 9, 10, and 11 were true 12) Richard Wang and Iñigo Barreira were only two corporate directors of Startcom UK. 13) WoSign had five share holders, in the following percentages: 25.61% Qihoo 360 Software (Beijing) Co., Ltd. 29.77% Beijing Qifutong Technology Co., Ltd. 28.62% Beijing Yuan Tu Technology Co., Ltd. 12.00% Gaohua Wang (an individual) 4.00% Ganfu Zhang (an individual) 14) Qihoo 360 Technology Co Ltd ("Qihoo 360") was a publicly traded company on the New York Stock Exchange, listed under the symbol QIHU 15) Qihoo 360 Software (Beijing) Co., Ltd. and Beijing Qifutong Technology Co., Ltd. were 100% controlled by Qihoo 360. 16) Beijing Yuan Tu Technology Co., Ltd. was 70% controlled by Qihoo 360. I hope these are reasonably easy to confirm or for you to correct if they are not true. Thanks, Peter |
| RE: Incidents involving the CA WoSign | Richard Wang | 19/09/16 17:25 | Your behavior let me think of a Chinese word "株连九族", means "to implicate the nine generations of a family", this is an extreme penalty in feudal times in China that if a man committed a crime, the whole clan that up to nine generation was implicated, all must be killed together.
Please refer to Bing dictionary: http://cn.bing.com/dict/search?q=%E6%A0%AA%E8%BF%9E%E4%B9%9D%E6%97%8F&qs=n&form=Z9LH5&pq=%E6%A0%AA%E8%BF%9E%E4%B9%9D%E6%97%8F&sc=1-4&sp=-1&sk=&cvid=0E897ABC8DD04BE09B182CB4EB71ED6A This case is WoSign problem, you found out all related subordinate companies and all related parent companies that up to nine generations! I think this is NOT the best practice in the modern law-respect society. To answer your question, I am sorry I don't know who is my shareholder's shareholder's shareholders, this is out of my job. Regards, Richard
Cc: Gervase Markham <ge...@mozilla.org>; mozilla-dev-s...@lists.mozilla.org |
| RE: Incidents involving the CA WoSign | Erwann Abalea | 19/09/16 18:04 | Bonsoir Richard,
This info should probably be added to the thread "WoSign's ownership of StartCom", and then Peter's complementary questions are legitimate ones, being in line with Mozilla's concerns. |
| Re: Incidents involving the CA WoSign | Nick Lamb | 19/09/16 18:06 | On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote:It seems the governments of the European Union countries (including the UK where one of the mentioned companies is located) disagree with you about whether this is best practice. Identifying individual human persons behind a company is a key plank of their anti-money laundering and anti-tax evasion policies. To identify these human persons it is necessary to look through any number (even more than nine) of layers of corporate ownership. In the UK the legal term is Persons with Significant Control and PSC registration is mandatory since this summer, a company registered in the UK is obliged to figure out if there are such Persons and if so list them in its routine filings. Failing to properly investigate, or concealing the truth about control of the company is punishable by forfeiture, ie the state would seize the company's assets. |
| RE: Incidents involving the CA WoSign | Richard Wang | 19/09/16 18:53 | Thanks for your detail info.
No worry about this, all companies must be complied with local law. But I really don't care who is my company's shareholder's shareholder's shareholder, you need to find out this by yourself if you care. If you think Mozilla must require this, please add to the Mozilla policy that require all CA disclose its nine generation including all subordinate companies and all parent companies.
|
| Re: Incidents involving the CA WoSign | Peter Bowen | 19/09/16 19:18 | Richard,
As someone pointed out on Twitter this morning, it seems that the PSC notification for Startcom UK was filed recently: https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf Were you unaware of this filing? Additionally, companies that register to trade on the New York Stock Exchange have to file reports with the US Security and Exchange Commission. Qihoo 360 filed a report that included a list of their variable interest entities and Qihoo's percent of economic interest in each (https://www.sec.gov/Archives/edgar/data/1508913/000114420413022823/v341745_20f.htm page F-10). It also describes all the ways in which Qihoo 360 controls these entities, including assuring that Qihoo has decision making authority over the entities. I agree that Mozilla does not require reporting that multiple Root CAs are Affiliates. Perhaps it should. However, as you know, the CA/Browser Forum does require such. So I don't think it would be a stretch for Mozilla to do so. It is something that should probably be added to the 2.3 policy discussion. Thanks, Peter |
| RE: Incidents involving the CA WoSign | Richard Wang | 19/09/16 19:34 | Thanks for your pointing out one of the very important evidence for the transaction is NOT completed till yesterday that we released the news after it is finished at the first phase. We just finished the UK company investment.
For Qihoo 360, I don't know anything and I don’t have the right to do any comment. Sorry.
From: Peter Bowen [mailto:pzb...@gmail.com] |
| unk...@googlegroups.com | 19/09/16 23:06 | <This message has been deleted.> | |
| Re: [FORGED] Re: Incidents involving the CA WoSign | Peter Gutmann | 19/09/16 23:14 | Peter Bowen <pzb...@gmail.com> writes: >As someone pointed out on Twitter this morning, it seems that the PSC So if I'm reading that correctly, Startcom UK is majority- or entirely owned Peter. |
| Re: Incidents involving the CA WoSign | 谭晓生 | 20/09/16 00:23 | Dear All,
I’m Xiaosheng Tan, the Chief Security Officer of Qihoo 360, on the inquiry of the disclosure of Wosign deal, we are not obligated to disclose it under the SEC regulation, here is the reply from our internal lawyers: “While we were a public company listed on NYSE, we did not disclose WoSign as our subsidiaries as our reporting obligation only requires us to disclose our “significant subsidiaries” in SEC filings. The definition of “significant subsidiaries” is enclosed below. Since WoSign is not our significant subsidiary according to this definition, we are not legally required to disclose it in our SEC filings. In general, our reporting obligations follow a “materiality” standard under the United States Securities Exchange Act of 1934 and the NYSE Listed Company Manuel. Regulation S-X § 210.1-02 Significant subsidiary. The term significant subsidiary means a subsidiary, including its subsidiaries, which meets any of the following conditions: (1) The registrant's and its other subsidiaries' investments in and advances to the subsidiary exceed 10 percent of the total assets of the registrant and its subsidiaries consolidated as of the end of the most recently completed fiscal year (for a proposed combination between entities under common control, this condition is also met when the number of common shares exchanged or to be exchanged by the registrant exceeds 10 percent of its total common shares outstanding at the date the combination is initiated); or (2) The registrant's and its other subsidiaries' proportionate share of the total assets (after intercompany eliminations) of the subsidiary exceeds 10 percent of the total assets of the registrants and its subsidiaries consolidated as of the end of the most recently completed fiscal year; or (3) The registrant's and its other subsidiaries' equity in the income from continuing operations before income taxes, extraordinary items and cumulative effect of a change in accounting principle of the subsidiary exclusive of amounts attributable to any noncontrolling interests exceeds 10 percent of such income of the registrant and its subsidiaries consolidated for the most recently completed fiscal year. “ Even Richard is the CEO of Wosign, he is not authorized to do any comments to Qihoo 360 legally, thanks for the understanding. Thanks, Xiaosheng Xiaosheng Tan, Chief Security Officer Qihoo 360 E-Mail: tanxia...@360.cn Web: www.360.cn <http://www.360.cn/> Address: Bldg 2, 6 Haoyuan, Jiuxianqiao Rd, Chaoyang Dist, Beijing, China 100015 在 16/9/20 下午2:05,“dev-security-policy 代表 Percy”<dev-security-policy-bounces+tanxiaosheng=36...@lists.mozilla.org 代表 percy...@gmail.com> 写入: Considering that StartCom is hosted by Qihoo 360 https://pierrekim.github.io/blog/2016-02-16-why-i-stopped-using-startssl-because-of-qihoo-360.html and that you're the sole director of StartCom, it's hard for me to believe that you "don't know anything" about Qihoo 360.
> As someone pointed out on Twitter this morning, it seems that the PSC > Were you unaware of this filing?-- |
| Re: Incidents involving the CA WoSign | Gervase Markham | 20/09/16 02:26 | Hi Richard,
Particularly if each company is wholly owned by it's parent, it doesn't seem to me to be particularly important how many companies there are in the chain. Again, I would reiterate that no-one is suggesting that anything illegal has happened during the acquisition of StartCom by WoSign. Richard, according to the records you are a (or the only) director of all of the StartCom companies, and CEO and a shareholder in WoSign. I don't think these questions are about things outside your knowledge. Unless you have corrections to make to the conclusions Mozilla has drawn from the available company data (which are, in short, that all the statements listed by Peter are true) then we will continue to proceed with that view of the situation. Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 20/09/16 02:31 | Hello Xiaosheng,
Welcome to our discussion forum :-) It may help you to know that participants in this forum come from a wide range of backgrounds and companies, and the only ones who represent Mozilla are the ones listed here: http://wiki.mozilla.org/CA:Policy_Participants as doing so. To be totally clear: Mozilla is not suggesting that StartCom, WoSign or Qihoo 360 have done anything illegal. The questions we are asking about disclosure relate to Mozilla's policies on the topic (and perhaps to the CAB Forum voting rules), not to the SEC rules. Having said that, if the company structure is as we understand it to be, I am very surprised that your lawyers do not think that WoSign is a "significant subsidiary" of Qihoo 360 under SEC rules. But that is a matter for you and the SEC, not for us :-) Gerv |
| Re: Incidents involving the CA WoSign | Ryan Sleevi | 20/09/16 02:49 | On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote:Richard, As it has been pointed out, StartCom has an obligation to disclose if ownership was changed, at least with respect to root program agreements. I would like to request that you answer the questions Peter poses, by pointing to any public documentation beyond statements by yourself, WoSign, or StartCom, that can provide a different picture than what Peter has reported. Without having clear, factual, and accurate documentation that StartCom is not wholly owned and operated by WoSign - which all evidence presented points clearly to that fact - then it's clear that any action taken, if any, must also apply to StartCom, as it represents the same set of organizational CAs and the same fundamental issues regarding trust. Unfortunately, it's unclear if you're intentionally misleading the community, or if you're tragically uninformed, but the documents in https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf fully support the conclusion that StartCom is wholly owned by WoSign, which itself is majority owned by Qihoo 360. While the latter is, perhaps, not relevant to the general topic of root program agreements, it is relevant in two important matters: 1) It supports the claim that Qihoo 360, WoSign, and StartCom may have acted improperly with respect to their membership in the CA/Browser Forum. This is a matter for the CA/Browser Forum to sort out. 2) It supports the claim that, by listing Qihoo 360 officers as Persons with Significant Control, that StartCom (UK), which wholly owns StartCom (IL), is itself wholly owned by StartCom (HK), which itself is wholly owned by WoSign (CN), which itself is majority owned by direct and indirect parties of Qihoo 360. That is, there's no evidence to suggest that these offers independently invested in any portion of StartCom or WoSign, and that their only legal reasoning for being noted as PSCs is due to their relationship to the 'parent' organization of Qihoo 360. Further relevant to this discussion is the date upon which these parties are listed as PSCs. The filing date - 14/9/2016 - does not itself have bearing on your claim that it was recently completed. 1) We can note that the date of confirmation was 24/8/2016 - which supports the claim that this was preexisting at the point this discussion began. Further, this is already part of the legally required annual confirmation statement. https://beta.companieshouse.gov.uk/company/09744347 shows this very clearly - that such reports happen on an annual basis and when they're due by, and when they're processed by. 2) The Persons with Significant Control are noted as becoming registerable on 06/04/2016. While one might naively believe this to have been in April (which would have obligated a StartCom disclosure at least that far back), if you examine the guidance in https://www.gov.uk/government/publications/guidance-to-the-people-with-significant-control-requirements-for-companies-and-limited-liability-partnerships - in particular, the summary guidance - page 4 makes it unambiguously clear that for existing companies, the PSCs' shall be noted as becoming registerable on 06/04/2016. To make it abundantly clear: All evidence points uncategorically and unquestionably to StartCom having been acquired by WoSign, and both parties failing to disclose this transition for over a year, despite repeated private and public requests for clarification and disclosure. Further, the statements by WoSign as characterizing this as an equity investment seem to be intentionally phrased in such a way to mislead the public and this community, which significantly undermines trust. I'm sure you're quite exhausted from this discussion, but it must be stated yet again: The goal is to ensure that any conclusions drawn have the full facts and evidence to support them. There is a preponderance of evidence suggesting that you have actively mislead this community, and this is the last opportunity to provide any form of evidence - not just statements - that support your claim. As this discussion has been ongoing - and you've been aware of it since February - it seems entirely reasonable to request that you reply within the next 48 hours. Barring that, at least some of us must conclude that you're actively attempting to evade root program requirements, actively misleading the community, and acting in a way counter to the public trust, and with all of the consequences that entails. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 20/09/16 04:37 | Hi Richard, > Hi Gerv,Thank you for this report. I have a few follow-up questions: Issue H: Duplicate Serial Numbers --------------------------------- 1) You write: "Firstly 313 certificates and secondly 27 certificates were affected by a system bug with the serial number generation, generating a serial number starting with “0” in the first left position. The signing system had a bug that didn’t know how to deal with this kind of serial number." Can you explain a bit more how such a bug can lead to all the certificates having the same serial number? Issue S: Backdated SHA-1 Certs ------------------------------ 2) You say that you "found only 8 SHA-1 SSL certificates that were mis-issued after January 1st 2016 until June 28th 2016." Why did your searching end at June 28th? Have you looked at the rest of June, July and August? 3) You say you sent an email to all your staff at the end of December forbidding SHA-1 issuance. Does that mean the staff have control of whether a cert uses SHA-1 or not? Does WoSign employ certificate templates to make sure all appropriate fields are set correctly? If not, why not? If so, is the hash algorithm used something that employees can set or override? 4) All 64 of the certificates being considered here have a notBefore date of Sunday, 20th December 2015. Does that correctly reflect the date the certificates were created (to within a day)? (For this question, ignore the 2 certificates mis-issued to CompuTest via the StartEncrypt API.) If not, what is the technical reason for this back/forward dating? And can you please provide a list of the 64 certificates along with their actual dates of creation? Issue S, Category 1 These questions relate to your first category, the six certificates which were mis-issued due to a bug. 5) You say that the certificates were pre-signed, at some point before midnight on 31st December 2016, but then the process was stopped for payment or proof document problems. Is it WoSign's normal practice to sign certificates before payment has been received? Is it normal practice to sign certificates before all identity checks have been completed? 6) Taking as an example these two certs: https://crt.sh/?serial=6D24E483E27F55479C5C555B37745353 and their SHA-256 counterparts: https://crt.sh/?serial=31742a2b12809bfca04cffc050903837 On January 4th 2016, you CT-logged a SHA-1 pre-cert, got some SCTs from the CT server, and then (mistakenly) created the SHA-1 cert and stored it in your internal log. (Later, you uploaded it to CT as part of your batch upload.) On the same day, January 4th 2016, you also CT-logged a SHA-256 pre-cert, got some SCTs back from the CT server, and then created a SHA-256 cert, to send to the customer. These two processes seem very similar, so I would expect the certificate contents to be very similar. Why, then, does the SHA-1 cert have a notBefore of 2015-12-19, whereas the SHA-256 cert has a notBefore of 2016-01-04? 7) You say these certificates were misissued due to a bug. It seems that the effect of the bug was such that it incorrectly retained the SHA-1 pre-cert version of the cert (created before 2016-01-01), sent it to CT (on 4th Jan), received the SCTs, incorporated them into the cert, signed the cert using SHA-1 (after 2016-01-01), and then stored it in your internal systems? That seems like quite an extensive bug. 8) You say that the six certs in category 1 are all now revoked. When did you revoke them? If this was not at the time you discovered and fixed the bug which created them (around 18th January 2016), why not? I may have some more questions later, as I am still working through the report. However, I thought I'd give you a chance to get started on these ones :-) Thanks for any additional information you can provide, Gerv |
| Re: Incidents involving the CA WoSign | 谭晓生 | 20/09/16 08:32 | Dear Gerv and all,
Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this company after the investment, the major businesses of Qihoo 360 are security software for consumer, we are the largest player of anti-virus software in China, No.2 search engine in China and one of the top gaming platform in China, No.1 PC browser in China, the total revenue is about USD$1.6B last year, that’s might help to understand that why the layers don’t think Wosign is a "significant subsidiary". 在 16/9/20 下午5:30,“Gervase Markham”<ge...@mozilla.org> 写入: |
| Re: Incidents involving the CA WoSign | 谭晓生 | 20/09/16 08:42 | While you are here, I hope you can answer a couple of questions.
1) Are the first three shareholders listed in the attached file the same companies as the "Qihoo 360 Software (Beijing) Co., Ltd.", "Beijing Qifutong Technology Co., Ltd.", and "Beijing Yuan Tu Technology Co., Ltd." entities listed in Qihoo 360 SEC reports as VIEs or subsidiaries of VIEs? [Xiaosheng]: Yes, they are. 2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo 360 VIE subsidiary, or a combination of those own or control a majority of shares in WoSign? [Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign. Thanks, Peter
> > > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 20/09/16 08:45 | On 2016-09-20 17:31, 谭晓生 wrote:I don't know much about the CAB rules, but from what I understand of that is that Qihoo 360 has both a browser and a CA. Kurt |
| Re: Incidents involving the CA WoSign | 谭晓生 | 20/09/16 08:55 | Yes, you are correct, we also invested in Opera, but just a smaller share holders, not a majority one.
Thanks, Xiaosheng Tan Sent from 360 Q5 Mobile Phone ________________________________ 发件人: Kurt Roeckx <ku...@roeckx.be> 发送时间: 2016年9月20日 23:45 收件人: mozilla-dev-s...@lists.mozilla.org 主题: Re: Incidents involving the CA WoSign |
| Re: Incidents involving the CA WoSign | Erwann Abalea | 20/09/16 09:33 | Bonjour,
Qihoo 360 is already a CABForum member in the "Internet Browser Software Vendors" category. |
| Re: Incidents involving the CA WoSign | Peter Bowen | 20/09/16 10:00 | On Tue, Sep 20, 2016 at 8:41 AM, 谭晓生 <tanxia...@360.cn> wrote:To avoid anything coming up later, do any combination of these have interest in any other CAs? |
| Re: Incidents involving the CA WoSign | 谭晓生 | 20/09/16 19:14 | Dear Peter,
In terms of investments, the answer is that we do not have on going negotiations on investments/acquisitions with any CAs. In terms of partnership, as a security company, we are open to work with CAs, we can share some threat intelligence with CAs, for example, the stolen/abused digital certificates, and, as there are state standards for digital certificates of China, 360‘s browser could support the SM2/SM4 algorithm, we can work with CAs to issue the digital certificates that follow the China’s local standards/regulations. Thanks, Xiaosheng 在 16/9/21 上午1:00,“Peter Bowen”<pzb...@gmail.com> 写入: |
| RE: Incidents involving the CA WoSign | Richard Wang | 20/09/16 19:22 | " we even do not have any people sent to this company after the investment "This is true, WoSign still managed by WoSign team. And this rule is same as StartCom, StartCom is still managed by Eddy and new joined Inigo, there are no any Chinese employee in StartCom Israel, StartCom UK and StartCom Spain. Less change and more independent is the guarantee of continued success for the being invested company.
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosi...@lists.mozilla.org] On Behalf Of 谭晓生 |
| Re: Incidents involving the CA WoSign | Gervase Markham | 21/09/16 02:17 | Hi Xiaosheng,
Well, if we were using a dictionary definition of "significant" as used in normal English conversation, that would make sense :-) However, the SEC's definition is not related to the size of the company compared to its parent, or related to whether the parent company's employees start running the subsidiary company, or whether the company's activities are supporting the parent's key business areas. The SEC cares about what percentage of the subsidiary company is owned or controlled by the parent. And 84%, which appears to be the correct figure here, is much more than the minimum thresholds set out in the part of the regulations you helpfully quoted. But again, this is for you and the SEC to sort out :-) Gerv |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 21/09/16 03:11 | I didn't read it like that, and that the assets they have in WoSign
should be more than 10% of the total assets. So that WoSign would be more than 10% of the USD$9.99B. Kurt |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 03:13 | See below inline, thanks.
Hi Richard, 1) You write: "Firstly 313 certificates and secondly 27 certificates were affected by a system bug with the serial number generation, generating a serial number starting with “0” in the first left position. The signing system had a bug that didn’t know how to deal with this kind of serial number."----------------------- Richard: Please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes, so the real two serial number is “056D1570DA645BF6B44C0A7077CC6769” and “0D3BBDC3A0175E38F9D0070CD050986A” that the signing system has a bug that don’t know how to deal with this kind of serial and locked to use this same serial number to sign the certificate. Please notice the two case (313 and 27) happened in the same time that the first 313 certificate is issued by one intermediate CA in English, and the second 27 certificate is signed by another intermediate CA in Chinese. This is why two case, but we fix the bug, then no more happened. ----------------------
2) You say that you "found only 8 SHA-1 SSL certificates that were mis-issued after January 1st 2016 until June 28th 2016." Why did your searching end at June 28th? Have you looked at the rest of June, July and August?--------------------- Richard: I checked every system to make sure every procedure step has closed the SHA-1 option for SSL certificate at June 28th 2016 after we got report from Computest, there are another place in API can go to signing server that don’t go to SHA-1 blocking system first, this is a bug from the unused API code for StartEncrypt. So I can guarantee no more after that day. -------------------- ------------------- Richard: As I said in the report, after my email, the Buy website don’t accept SHA-1 request after Dec. 30th 2015. But due to some pending request in the system that ordered before Dec. 30th 2015, so the PKI system still allow to sign SHA-1, this is the problem, we have 3 systems: Buy – CMS – PKI. No anyone can change the setting since the certificate template setting is controlled by me only. ------------------- 4) All 64 of the certificates being considered here have a notBefore date of Sunday, 20th December 2015. Does that correctly reflect the date the certificates were created (to within a day)? (For this question, ignore the 2 certificates mis-issued to Computest via the StartEncrypt API.) If not, what is the technical reason for this back/forward dating? And can you please provide a list of the 64 certificates along with their actual dates of creation?------------------- Richard: For the 62 certificates, there are 22 certificates issued at 19th Dec, 40 certificates is issued at 20th Dec. 2015. I checked our system, Dec 20th is very normal day, we issued SHA-1 certificate at every day, just one day no SHA-1 cert. We provide 24 x 365 service for worldwide customers. Some SHA-1 certificate is free SSL certificate that no any reason for us to help them get the SHA-1 certificate if we are intentional, and some certificate is even never used or even not retrieved from our system, this also can be certified it is a normal order without any doubt. ------------------ ------------------- Richard: I think there are many reasons to stop to sign it due to double check, for EV order, it must pass at least 6 person’s check: The first one is this customer’s customer service executive that he/she is responsible for communicating for what proof document need, and check this customer’s document is missing and have distinct problem; the second person is the customer service team manager to check each order to try to find out each customer service team make any mistake that need to record to KPI; the 3rd person is the Validation Employee A view the order and proof document, the 4th person is the Validation Employee B double check and phone call verification, the 5th person is the PKI issuer that approve the order to PKI for signing, the 6th person is the financial casher to check if it is paid and responsible for upload the bank payment information screenshot to system as a very important proof document I describe it in the first report, the 7th person the next day reviewer from the validation team that it maybe involve more person that I described in the first report. Anyone can stop the order process if he/she find some problem. ----------------- ------------------- Richard: Not the case, only one simple bug from CT Post system. I try to say more clearly. https://crt.sh/?serial=6D24E483E27F55479C5C555B37745353 is ordered in 19th Dec. 2015, and system pre-signed the pre-cert using SHA-1, no any problem. But it is stopped due to some more check. At 4th Jan. 2016, this order finished the final check and go to signing server, signing server generated a new SHA-2 pre-cert to post to CT log server since SHA-1 is not allowed, and get SCT data to the certificate, this is the second certificate: https://crt.sh/?serial=31742a2b12809bfca04cffc050903837, also no any problem. The problem is the CT post system have a bug that posted the two related pre-cert to CT log server (SHA-1 pre-cert is the original one, and SHA-2 pre-cert is the new copied one), then get two certificates one signed with SHA-1 and one is SHA-2. We also posted the two issued certificates to CT log server later. -------------------- ------------------------- Richard: The six certificates are revoked after someone pointed it out in the email discussion, then we try to find out the reason and know that this is a bug from CT Post system, then we revoked the six certificate, some certificate is even not retrieved by customer, no any website used the SHA-1 certificate. This also certify that no any intentional possibility to sign SHA-1 to customers. This bug is fixed but it is no chance to function more case since BUY system blocked the SHA-1 order. ------------------------ |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 21/09/16 03:50 | On 2016-09-21 12:11, Richard Wang wrote:
> Please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes. This is a little misleading. The hex encoding is 31 / 32 characters. It's probably more useful to say that it has 128 bit, and you had a problem is the top 4 bits where all a 0. That's a rather weird failure mode. But it was perfectly able to sign it, it just didn't generate a new one. And I'm a little concerned that this failure mode can happen again. Why is the SHA-1 blocked at the Buy level and not at the PKI level? Kurt |
| Re: Incidents involving the CA WoSign | Gervase Markham | 21/09/16 04:08 | On 21/09/16 11:10, Kurt Roeckx wrote:Oops. You are right. My apologies! I thought the benchmark was the size of the subsidiary, not the size of the registrant. Anyway, as I said, no wrongdoing has been suggested by Mozilla. Gerv |
| Re: Incidents involving the CA WoSign | Peter Bowen | 21/09/16 04:50 | On Tue, Sep 20, 2016 at 12:23 AM, 谭晓生 <tanxia...@360.cn> wrote:I apologize if I implied that you were. I am sure that WoSign is too small of an interest to require disclosure.
While you are here, I hope you can answer a couple of questions. 2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a QihooThanks, Peter
> 在 16/9/20 下午2:05,“dev-security-policy 代表 Percy”<dev-security-policy-bounces+tanxiaosheng=36...@lists.mozilla.org 代表 percy...@gmail.com> 写入: > > Best Regards, > > From: Peter Bowen [mailto:pzb...@gmail.com <javascript:;>] > > Subject: Re: Incidents involving the CA WoSign > > > Best Regards, > > > From: dev-security-policy > > > Subject: Re: Incidents involving the CA WoSign > > > On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 04:50 | See below inline, thanks.
From: Gervase Markham [mailto:ge...@mozilla.org] To: Richard Wang <ric...@wosign.com<mailto:richard@wosign.com>> Hi Richard,Richard: please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes, so the real two serial number is “056D1570DA645BF6B44C0A7077CC6769” and “0D3BBDC3A0175E38F9D0070CD050986A” that the signing system has a bug that don’t know how to deal with this kind of serial and locked to use this same serial number to sign the certificate.
3) You say you sent an email to all your staff at the end of December forbidding SHA-1 issuance. Does that mean the staff have control of whether a cert uses SHA-1 or not? Does WoSign employ certificate templates to make sure all appropriate fields are set correctly? If not, why not? If so, is the hash algorithm used something that employees can set or override?Richard: as I said in the report, after my email, the Buy website don’t accept SHA-1 request after Dec. 30th 2015. But due to some pending request in the system that ordered before Dec. 30th 2015, so the PKI system still allow to sign SHA-1, this is the problem, we have 3 systems: Buy – CMS – PKI. No anyone can change the setting since the certificate template setting is controlled by me only. ------------------- 4) All 64 of the certificates being considered here have a notBefore date of Sunday, 20th December 2015. Does that correctly reflect the date the certificates were created (to within a day)? (For this question, ignore the 2 certificates mis-issued to CompuTest via the StartEncrypt API.) Here is the statistics for the last two weeks SSL certificate issuance in 2015. [cid:image001.png@01D21431.B2C05D70] Richard: Not the case, only one simple bug from CT Post system. I try to say more clear. Richard: the six certificates are revoked after someone pointed it out in the email discussion, then we try to find out the reason and know that this is a bug from CT Post system, then we revoked the six certificate, some certificate is even not retrieved by customer, no any website used the SHA-1 certificate. This also certify that no any intentional possibility to sign SHA-1 to customers. This bug is fixed but it is no chance to function more case since BUY system blocked the SHA-1 order. |
| Re: Incidents involving the CA WoSign | watso...@gmail.com | 21/09/16 04:50 | On Tuesday, September 20, 2016 at 8:32:12 AM UTC-7, 谭晓生 wrote:During the due diligence process were you aware that WoSign was under an obligation to inform Mozilla about any change of control or ownership? Were you aware that WoSign had completed an acquisition of a CA and not informed Mozilla of the change of control then? Sincerely, Watson Ladd |
| Re: Incidents involving the CA WoSign | Gervase Markham | 21/09/16 06:19 | Hi Richard,
Thanks for the additional information. I have examined the spreadsheet you sent (note: may not be available to mozilla.dev.security.policy participants due to lack of attachment support). The "Categrory 4 - 3: 12 Normal FREE DV SSL Certificates" contains 12 certificates, which have no cost associated with them, and no identity vetting other than domain control. Why did each of these take over a month, and in some cases nearly 4 months, to be issued? What was the hold-up? Yes, indeed. But at what point during these checks do the following events happen? A) Pre-cert is created and signed (if needed) B) Pre-cert is sent to CT (if needed) C) Real cert is created and signed D) Cert is sent to the customer I would expect none of these things to happen until all checks are completed. We know from previous conversations that your step 7 (next day review) happens after C) and D). Where do those four events fit into your seven steps, exactly? But that's not how CT works. You don't sent the CT server a pre-cert and get a cert back. You send it a pre-cert, and it sends SCTs back. You then need to get those SCTs, incorporate them into a new certificate which has the SCTs but not the poison extension, and then sign that using your signing server, and then store it in your database. All that happened by mistake, due to a single bug? You stored the certificate in your system for a number of months because you still had it in September when you uploaded it to CT. So you discovered the bug in January and fixed it, but did not look to see if it had led to any misissued certificates until the bug was discussed in August/September? Gerv |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 07:28 | Hi Gerv,
See below inline, thanks.
Hi Richard,------------- R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ -------------- > I think there are many reasons to stop to sign it due to double check,----------------------------- R: not of all. The process is stopped after pre-signed the cert but not post to CT log server. ----------------------------- > Not the case, only one simple bug from CT Post system. I try to say---------------------------------------------------------- R: let me try to draw a work flow: 1) SHA-1 cert request at Dec 19th 2015, system pre-signed it as "Pre-cert A" in our database, this order is in pending issuance status; 2) but this order is reviewed and stopped to move forward by some reason; so this order still in pending status; 3) at Jan 4th 2016, this order is released to move forward. But today is Jan 4th that SHA-1 cert is forbidden, so the signing server sign the same CSR again using SHA-2 to be "Pre-cert B"; 4) then the CT Post system posted the two pre-cert into CT log server since this two pre-cert is in one order record, this is the bug, it must post the Pre-cert B to CT log server, not Pre-cert A, but it posted both; 5) the two pre-cert get SCT data, back to signing server, the signing server signed the two cert out: one is SHA-1 with notBefore Dec 19th 2015, one is SHA-2 with notBefore Jan 4th 2016; 6) this means the original order copied to two orders in system with two signed certificate. The interesting thing is customer just retrieve the SHA-2 cert and installed it in his website. We don't know this bug till someone expose this in the email discussion since we issued few EV SSL certificate. So only 6 cases happened in this bug. Sure, we fixed the bug and revoked the six SHA-1 certificate. But this bug can't bring more harm since BUY system stop to accept SHA-1 order since Dec 30th, 2015. This bug only happened in the SHA-1 to SHA-2 transitional period. In our case, till Jan. 18, no more happened since no more SHA-1 order placed in 2015. ----------------------------------------------- ------------------------------ R: see above, we don’t know this bug that mis-issued 6 SHA-1 certs. ------------------------------ Gerv |
| Re: Incidents involving the CA WoSign | Gervase Markham | 21/09/16 07:55 | On 24/08/16 14:08, Gervase Markham wrote:
> Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. I have recently updated https://wiki.mozilla.org/CA:WoSign_Issues to draw some conclusions for some of the issues, so I wanted to re-draw the group's attention to this document. Investigations are continuing, however, and this is not the last word on some of the matters listed. Gerv |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 21/09/16 07:56 | On 2016-09-21 16:26, Richard Wang wrote:So the date in the certificate is from when the order was placed? This seems to contradict other things that have been stated, including why for instance issue F happens. Kurt |
| Re: Incidents involving the CA WoSign | Richard Wang | 21/09/16 08:08 | Not this case.
Gerv ask why the order is placed at Aug. 12th 2015, why it is issued at Dec. 20th 2015, since he finished the domain validation at Dec 20th. Best Regards, Richard _______________________________________________ dev-security-policy mailing list dev-secur...@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy |
| Re: Incidents involving the CA WoSign | Peter Bowen | 21/09/16 20:37 | Richard,
I'm having a really hard time reconciling what you describe with what is found in the CT logs and what I observed today when doing as you suggested and getting a cert from https://buy.wosign.com/free/. I pulled all the WoSign certificates from CT logs that have embedded SCTs. There are 40418 such certificates (as of a few days ago), of which 898 are EV certificates. For the EV certificates, other than the six that were raised as potentially being backdated, the delta between the notBefore date and the earliest SCT embedded in the certificate ranged from 1130.54 to 9949.10 seconds. 890 of the 898 EV certificates had a delta under one hour. When looking at the full set of 40418, the delta ranges from 1128.91 to 182896.75 seconds. All the certificates with a delta greater than 10000 seconds have a notBefore date of 2016-07-29, again with the exception of the six certificates Gerv raised. Are you saying out of over 40,000 orders over the last year, only six "stopped to move forward" for a period of a week or more and these happen to all have been ordered on Sunday, December 20, 2015 (China time)? I also would like to get your feedback on the timeline I observed today when I get a certificate at the site you suggested. Here is what I observed (ordered by time): 2015-09-21 15:31 UTC Order created 2015-09-21 19:58 UTC Domain Validated 2015-09-21 20:05 UTC Uploaded CSR (sorry, failed to log time, approximate time) State moved to "Pending" (shortly after uploading CSR) 2016-09-21 23:10:42 UTC Certificate NotBefore 2016-09-21 23:36:32 UTC Log SCT (using precertificate) 2016-09-21 23:36:33 UTC Log SCT (using precertificate) 2016-09-21 23:36:33 UTC Log SCT (using precertificate) 2016-09-21 23:36:35 UTC WoSign Log SCT (using precertificate) 2016-09-21 23:37:08 UTC Date header on Certificate ready for collection email Mail received headers: 23:37:13 (by mta1.wosign.com), 23:37:44 (by mx.google.com). It would appear that the NotBefore was not set until after I completed validation, uploaded a CSR, and the order passed other (possibly human) checks. From that point it was less than half an hour until I had my certificate. Is this the behaviour you expect to see? Thanks, Peter
> R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ > _______________________________________________> https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________> https://lists.mozilla.org/listinfo/dev-security-policy |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 20:57 | Thanks for your good test to have an experience to know more how we work.
What I told Gerv that you can place an order at our site today -- Sept. 22nd 2016, but DON'T do the domain validation, leave it here. Four months later, you login your account to finish the domain validation, then system will post to CT log server to get SCT data, then the cert issued data is Jan 22nd 2017, the cert notBefore is Jan 22nd 2017. But the order data in our system is Sept 22nd 2016. This is for explanation that Gerv ask why the order time is four month ago- Aug 15th, but the notBefore (the issuance day) is Dec. 20th for a free DV SSL certificate that take so long time. I wish I said this clearly, thanks. Best Regards, Richard
|
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 21:12 | > Are you saying out of over 40,000 orders over the last year, only six "stopped to move forward" for a period of a week or more and these happen to all have been ordered on Sunday, December 20, 2015 (China time)?You mean we issued 40,000 certificates at Dec 20, 2015? Here is the last two weeks in 2015 issued SSL certificates statistics that I send it to Gerv: WEEK FRI SAT SUN MON TUE WED THU FRI SAT SUN MON TUE WED THU Dec. 2015 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Issued No 419 321 278 348 746 463 407 424 294 257 424 380 506 344 SHA-1 Cert 39 24 46 18 43 29 31 25 3 0 29 31 37 13 SHA-2 Cert 380 297 232 330 703 434 376 399 291 257 395 349 469 331 We issued SHA-1 certificate at every day, Dec 20 is not a special day, why you care about this day is Computest get the SHA-1 certificate used this date that we still don't know how he get this, so we closed this API completely, even deleted the API domain resolution. Best Regards, Richard |
| Re: Incidents involving the CA WoSign | Peter Bowen | 21/09/16 21:32 | On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang <ric...@wosign.com> wrote:No, there slightly over 40418 certificates issued by CAs under the WoSign roots which have embedded Signed Certificate Timestamps. They were issued over the course of approximately one year; the earliest notBefore date is 2015-08-20T09:40:48Z and my CT data set was up to date as of 2015-09-05. Of these 40418 certificates, 40394 had a delta between notBefore and the earliest SCT is less than 3 hours. Eighteen certificates have a delta between 5 hours and 51 hours; all 18 of these have a notBefore on 2016-07-30 between 05:20 and 07:40 (CST). The remaining 6 certificates have a delta of between 262.3 hours (10.9 days) and 693.7 hours (28.9 days). All six of these have a notBefore on 2015-12-20 (CST). For with it is worth, the largest difference between the earliest embedded timestamp and the latest is less than 15 minutes in all certificates. I'm looking at all WoSign issued certificates, ignoring the hash algorithm used in the signature. Two dates have certificates that are clear outliers when measuring the difference between notBefore and the timestamps. I'm wondering what is special about these dates or these certificates. Thanks, Peter |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 22:51 | For security, the notBefore time is not the exact time of signing, random from 20 minutes to 40 minutes ahead.
For 6 long delta time, we said it is a CT Post System bug; For 2016-07-30 between 05:20 and 07:40 (CST), it is caused by the Internet connection problem from China to Google CT log server that need to resign after the internet connection is ok. For normal case, it is OK, good. Thanks. Best Regards, Richard
Cc: Gervase Markham <ge...@mozilla.org>; mozilla-dev-s...@lists.mozilla.org |
| RE: Incidents involving the CA WoSign | Richard Wang | 21/09/16 23:52 | Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40 minutes.
|
| RE: Incidents involving the CA WoSign | Richard Wang | 22/09/16 23:57 | Hi Gerv,
This is the final statement about the incident: https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf (中文版) (In Chinese, this is easy for Chinese users.) I think this is the supplement of the two released reports. Please let me if you have any questions about this statement, thanks. Best Regards, Richard Wang CEO WoSign CA Limited
Sent: Friday, September 16, 2016 6:05 PM Cc: mozilla-dev-s...@lists.mozilla.org Hi Gerv,Best Regards, Richard Wang CEO WoSign CA Limited Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end it, > it doesn’t worth to waste everybody’s precious time. Unfortunately, I think we may be only beginning. I have prepared a list of the issues we are tracking with WoSign's certificate issuance process and business: https://wiki.mozilla.org/CA:WoSign_Issues Please can you provide a response to issues F, P, S and T at your earliest convenience? In addition, if you have further things to say about issues D, H, J, L, N or V we would be happy to hear them. Thank you for your suggestions, but once Mozilla has a full understanding of what has gone on we will be in a better position to decide what next actions are appropriate. With best wishes, Gerv |
| unk...@googlegroups.com | 23/09/16 00:41 | <This message has been deleted.> | |
| unk...@googlegroups.com | 23/09/16 00:57 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Gervase Markham | 23/09/16 02:37 | On 23/09/16 07:55, Richard Wang wrote:Thank you. Gerv |
| Re: Incidents involving the CA WoSign | Han Yuwei | 23/09/16 03:44 | 在 2016年9月23日星期五 UTC+8下午3:57:12,Percy写道:
> WoSign stated in the report that "Due to foreign companies to China's > technology blockade, WoSign decided to research and develop all systems by > ourselves in 2009, including BUY system (Online certificate store), CMS > (Certificate Management System, internal work flow), PKI/CA (Certificate > issuing system), CRL/OCSP (Certificate revocation query system) and TSA > (time stamp system). " > I'm assuming WoSign is referring to other companies operating CAs. Perhaps > WoSign can clarify what those companies are and the nature of such > blockade. > > WoSign also stated that "WoSign agrees that this is a violation of the BRs > (only three US NIST P-256, P-384, or P-521 curves can be used for elliptic > curve keys in certs), but being a Chinese licensed CA, we must abide by > local laws and regulations, we must actively cooperate with domestic > browsers to test the SSL certificate using SM2 algorithm issued by a global > trusted root in the real Internet, not intranet. > > WoSign, as a member of CAB Forum, will spare no effort to continue to > promote China encryption algorithm SM2 to become the international standard > allowed algorithm." > > > It seems that WoSign is committed to test certificates in a global trusted > root depesite explicit warning of not doing so even now. I see no > Chinese law mandating the insurance of SM2 certificates or forbidding the > insurance of certificate with standard curves. It's unclear to me why > WoSign insisted on testing SM2 with publicly trusted root. If WoSign is > claiming Chinese law mandate such testing/deployment, please refer to such > laws here and perhaps the community can take the local law into account. If > however no such law exists, as far as I know, the such commitment to BR > violation is not acceptable. > > On Friday, September 23, 2016, Percy <percy...@gmail.com> wrote: > > > Richard, > > On behalf of most Chinese Internet users who do not speak English, I'm > > asking why WoSign is only making the final statement available in Chinese, > > but not the incident report. WoSign doesn't even have any statement, > > announcement or press release in Chinese regarding any of the incidents > > (except this final statement) anywhere. > > > > As WoSign is the largest CA in China, it must be responsible to Chinese > > users. I'm requesting WoSign to make the incident report available in > > Chinese and available on the WoSign's Chinese site. I believe an > > announcement on the official Chinese site with the link to the incident > > report is also warranted. > > > > On Thursday, September 22, 2016, Richard Wang <ric...@wosign.com > > <javascript:;>> wrote: > > > > > Hi Gerv, > > >> > > dev-secur...@lists.mozilla.org <javascript:;> <javascript:;> > > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > > > > > > -- > > > > > -- http://www.oscca.gov.cn/Column/Column_32.htm |
| Re: Incidents involving the CA WoSign | Han Yuwei | 23/09/16 03:49 | 在 2016年9月23日星期五 UTC+8下午6:44:29,Han Yuwei写道:
If anybody want a English version of laws & regulations, Percy and I may help. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 23/09/16 03:56 | On 23/09/16 11:49, Han Yuwei wrote:No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not compel WoSign to issue certificates using it from their publicly-trusted roots. Gerv |
| RE: Incidents involving the CA WoSign | Richard Wang | 23/09/16 04:40 | Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to subscribers. As I said in last year CABF face to face meeting in Switzerland, WebTrust is USA standard, ESTI is Europe standard, I think China have its own standard also. This a problem for global CA that have business in worldwide countries that maybe need to setup many roots to manage for complying with different standard. We know issuing SM2 cert is not complied with BR, but you can treat it as "compelled" by regulations, so we need to test the gateway installed RSA certificate and SM2 certificate in the public Internet, to test the auto-negotiation from browser to gateway, if the browser like Firefox don't support SM2, then the gateway will use RSA certificate for communication, if the browser like 360 browser that support SM2, then use SM2 certificate. We revoked the SM2 certificate after finishing the test. Regards, Richard
_______________________________________________https://lists.mozilla.org/listinfo/dev-security-policy |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 23/09/16 05:13 | On 2016-09-23 13:38, Richard Wang wrote:There seem to be several governments that define their own standard, like GOST in Russia, SEED in South Korea, and the SM2/SM3/SM4 in China. I guess you could also see AES as a USA standard and Camellia as a Japanese standard. Internationally we do not want to support all such standards, which is why we select some. I think this selection is mostly based on the trust that there is in that algorithm based on international review of them. The only suggestion I have is that if the government requires you to use those algorithm for certain certificates that you use a separate CA root for that. Kurt |
| Re: Incidents involving the CA WoSign | Jakob Bohm | 23/09/16 06:33 | On 23/09/2016 14:12, Kurt Roeckx wrote:I think in this case SM2 should be compared to the NIST curves, whose design was not reviewed by anyone from outside NIST/NSA. Outside the CA/B forum, there seems to be growing support for other curves such as the BrainPool curves and the Ed25519 curve. Such artificial fragmentation reduces algorithm and curve agility in the worldwide Internet, increasing the risk that the only "permitted" algorithms are all broken before replacements become "permitted". having a specific BR rule banning any curve except 3 curves from a single government project in a single country certainly looks like a very bad idea. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded |
| Re: Incidents involving the CA WoSign | Gervase Markham | 23/09/16 06:42 | On 23/09/16 12:38, Richard Wang wrote:I have only Google Translate to go on, but I can't see how that announcement says that all licensed CAs MUST issue SM2 certificates to subscribers from their _publicly-trusted_ roots. As you know, you can install additional root certificates in any browser for testing purposes. WebTrust is not a USA standard; it would be better to describe it as an everywhere-but-Europe standard - and I believe even some European CAs have WebTrust audits. But anyway, this is nothing to do with audit standards and WebTrust vs. ETSI, this is to do with the Baseline Requirements, which are a global standard for trust in the Web PKI. There is a mechanism in the BRs (section 9.16.3) for a CA to explain that they have been compelled by local law to do something violating the BRs. They can then document it and do it, as long as the CAB Forum is notified. That did not happen in this case. I'm fairly sure you know about this section because we've just passed a ballot amending it (which you voted in favour of), and we've debated it several times. Gerv |
| Re: Incidents involving the CA WoSign | Rob Stradling | 04/10/16 04:41 | Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
that we'd issued to WoSign: https://crt.sh/?id=3223853 https://crt.sh/?id=12716343 https://crt.sh/?id=12716433 See also: https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 On 06/09/16 11:11, Rob Stradling wrote: > Hi Peter. Since you mentioned Comodo's cross-certification of the > "Certification Authority of WoSign" root, we thought we should respond... > > On 05/09/16 23:58, Peter Bowen wrote: > <snip> >> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority >> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST >> Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring >> 2019-06-24T19:06:30Z > > This cross-certificate [1] is currently unexpired and unrevoked. However... > > The "UTN - DATACorp SGC" root was removed from NSS last year [2]. > > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External > CA Root" root [3], but we revoked the cross-certificates in December > 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as > revoked to Salesforce [5]. (I don't know why Mozilla haven't yet added > these to OneCRL. A few weeks ago I marked Bug 1233408 as blocking Bug > 1155095 in the hope that it would get noticed!) > >> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority >> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST >> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring >> 2019-07-09T18:40:36Z > > These two cross-certificates [6] are currently unexpired and unrevoked. > However... > > The "UTN-USERFirst-Object" root is only enabled for the Code Signing > trust bit in NSS, which AIUI has been effectively dead for about a year [7]. > > There are 2 cross-certs (currently unconstrained and unrevoked) issued > by "AddTrust External CA Root" to "UTN-USERFirst-Object" [8]. However, > the cross-certs issued to WoSign [6] are EKU-constrained to Code Signing > / Time Stamping. > > <snip> >> 1) Should any action be taken against the operators of these CAs due >> to the incidents listed? >> >> My view is that the correct answer is "no, unless it is demonstrated >> that the CA operator had knowledge of undisclosed incidents", > > Comodo only learned of these incidents after they had been publicly > disclosed. > > <snip> >> 2) If Mozilla decides to take action that results in WoSign no longer >> being directly trusted, do those CAs with unrevoked unexpired >> cross-signs bear responsibility for any future mis-issuance by WoSign? > > Comodo will continue to work to ensure that Mozilla's trust decisions > are respected. > > > [1] https://crt.sh/?id=3223853 > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1208461 > > [3] https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1 > > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1233408 > > [5] https://crt.sh/mozilla-disclosures#revoked > > [6] https://crt.sh/?q=Certification+Authority+of+WoSign&iCAID=1395 > > [7] > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html > > [8] https://crt.sh/?q=UTN-USERFirst-Object&iCAID=1 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online |
| unk...@googlegroups.com | 04/10/16 13:14 | <This message has been deleted.> | |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 04/10/16 13:43 | On Tue, Oct 04, 2016 at 01:14:45PM -0700, Percy wrote:
> On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote:> Does this mean all end entity certs chained to them are blocked immediately? It means that some of the alternative chains that can be used to validate the chain will no longer work. Depending on the root store this might mean the end entity cert can or can't be validated anymore. As I understand this, it currently doesn't have any impact on things using the (default) Mozilla root store, but it might have if the StartCom and Wosign roots were removed. I can't remember if there were other cross signatutures. Kurt |
| Re: Incidents involving the CA WoSign | Peter Gutmann | 05/10/16 06:10 | Rob Stradling <rob.st...@comodo.com> writes: >Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that This allows us to examine the modern Internet variant of an old philosophical Peter. |
| Re: Incidents involving the CA WoSign | Rob Stradling | 05/10/16 06:28 | Easy. It doesn't make a sound. Unrevoked certificates don't make
sounds either. |
| Re: Incidents involving the CA WoSign | Peter Gutmann | 05/10/16 06:31 | Rob Stradling <rob.st...@comodo.com> writes: >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds What I was really asking, in a tongue-in-cheek way, was whether there was any Peter. |
| Re: Incidents involving the CA WoSign | okaphone....@gmail.com | 05/10/16 09:20 | > >Easy. It doesn't make a sound. Unrevoked certificates don't make soundsGood question. Regardless of the answer, information that doesn't exist cannot be propagated at all. So revoking seems te be a start... and a statement. I'd say it does make a sound. ;-) CU Hans |
| Re: Incidents involving the CA WoSign | Michael Ströder | 05/10/16 12:15 | Since the heroic Mozilla devs removed CRL support from Firefox, nope.
Ciao, Michael. |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 05/10/16 13:19 | On Wed, Oct 05, 2016 at 01:30:37PM +0000, Peter Gutmann wrote:This is why browsers have something like OneCRL, so that they actually do know about it and why Rob added that information to the bug tracker (https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). I'm just wondering if that was the correct bug to report this on and that he shouldn't have opened a new one. Anyway, Rob wrote there: > I think the combination of other measures previously taken (the > removal of the "UTN - DATACorp SGC" root certificate, the > revocation/blacklisting of the cross-certificates issued to "UTN - > DATACorp SGC", and the technical constraints in these 3 > cross-certificates issued to WoSign) should mean that these 3 > cross-certificates are already not trusted by Mozilla users. Kurt |
| OneCRL and Common CA Database (Salesforce) | Kathleen Wilson | 05/10/16 14:29 | On Wednesday, October 5, 2016 at 1:19:35 PM UTC-7, Kurt Roeckx wrote:We are working on code/process for taking the Revoked Intermediate Cert data from Salesforce and updating OneCRL (with a manual approval step). So, in the near future the process will be for CAs to update Salesforce when one of their intermediate certs has been revoked. Then this information will get propagated into OneCRL. And we won't need a Bugzilla bug filed to add a revoked intermediate cert to OneCRL. It is my understanding that we will be able to add the revoked intermediate cert data that is currently in Salesforce to OneCRL within the next week or so. Rob also added the data to Salesforce. After I have confirmed that the revoked intermediate cert data that is currently in Salesforce has been added to OneCRL, I will go through all of the open bugs in the dependency list of #1155095 (bug for tracking OneCRL blocklist entries), to make sure they all get addressed/closed. Kathleen |
| Re: Incidents involving the CA WoSign | Man Ho (Certizen) | 05/10/16 18:56 | It is an interesting aspect that the Mozilla community has not discussed
thoroughly, or at all. Cross-signing a third party intermediate cert is equivalent to sharing of trust, that any CA should only consider it with extreme care. Is it possibly know how many intermediate cert that is cross-signed by Comodo? Is there any Comodo's practice statement of cross-signing ? Comodo seems to be quite keen on this kind of business even after the lesson learn from its last incident in 2011 (https://blog.mozilla.org/security/2011/03/25/comodo-certificate-issue-follow-up/). |
| Re: Incidents involving the CA WoSign | Peter Bowen | 05/10/16 19:49 | On Wed, Oct 5, 2016 at 6:55 PM, Man Ho (Certizen) <ma...@certizen.com> wrote:I think the community has discussed cross-signing both in this discussion and in the broader discussion of the trust graph. https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing lists all the known cross-signs of WoSign. https://wiki.mozilla.org/CA:SubordinateCAcerts provides info on all subordinate (including cross-signed) CAs for each root in the Mozilla program. Rob Stradling of Comodo combined this with certificate transparency information to generate https://crt.sh/mozilla-disclosures. As for Comodo, they have published https://secure.comodo.com/products/publiclyDisclosedSubCACerts for a while now. It shows which subordinates are operated by Comodo and which are independently operated. The next step for Mozilla is to determine how to handle the 285 CA certificates not disclosed in the Mozilla SF system and the 80 that are under disclosed. Thanks, Peter |
| Re: Incidents involving the CA WoSign | Man Ho (Certizen) | 06/10/16 07:45 | Thank you for putting all information in one place. At the moment, they are pieces of disclosure records only but that's good to work on it. >Sure, Mozilla and this community should. |
| Re: Incidents involving the CA WoSign | Peter Gutmann | 06/10/16 20:22 | Kurt Roeckx <ku...@roeckx.be> writes: >This is why browsers have something like OneCRL, so that they actually do That still doesn't necessarily answer the question, Google have their CRLSets Peter. |
| Re: Incidents involving the CA WoSign | Kurt Roeckx | 06/10/16 23:25 | Mozilla now requires the disclosue of all intermedidate certificates,
including those cross-certificates. I understand that the CRL information for all of them should be provided too, and that Mozilla will import all those in OneCRL. So the problem would be the undisclosed certificates. In theory we would could go and make a whitelist of the disclosed ones. I'm not sure if Mozilla actually has any plans for that. We should at some point probably also start to add the known but undisclosed ones to OneCRL. Kurt |
| Re: Incidents involving the CA WoSign | Gervase Markham | 07/10/16 02:36 | On 07/10/16 04:21, Peter Gutmann wrote:That statistic assumes that all revocations are equal, which is clearly not true. A revoked cert for www.google.com is orders of magnitude more important to Chrome users than one for www.gerv.net. Gerv |
| Re: Incidents involving the CA WoSign | Michael Ströder | 10/10/16 00:16 | Which "Chrome users"?
Sure there are some users (at least me) for which my domains are "high-value domains" and much more important than the Google domains. Ciao, Michael. |
| Re: Incidents involving the CA WoSign | Gervase Markham | 10/10/16 03:04 | On 10/10/16 08:15, Michael Ströder wrote:
> Which "Chrome users"? All of them as a collective body. Standard revocation doesn't hold up in an active attack scenario. If someone has control of your customers' internet connection sufficient that they can direct a request that was meant to go to your site to their site instead (to use their bad cert, which is now revoked), they can also blackhole the OCSP request. https://wiki.mozilla.org/CA:RevocationPlan is Mozilla's plan to fix this. I'm sure Chrome has one too. But simply turning on hard-fail OCSP without other ecosystem changes is not a runner - too many things break. Gerv |
| Re: Incidents involving the CA WoSign | Peter Kurrasch | 11/10/16 07:45 | Don't sell your namesake domain short! Sure, the Google domains are subject to different types of attacks than most others but any domain with a cert has value. For example, I'd be happy to use gerv.net as a landing page for my spam campaign or as a phishing site or, even better, as a host for malware in my malvertising activities.
All I'm saying is that revocation is valuable for everyone in all sorts of ways. Original Message From: Gervase Markham Sent: Friday, October 7, 2016 4:37 AM To: Peter Gutmann; mozilla-dev-s...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 07/10/16 04:21, Peter Gutmann wrote: |
