RE: Yes, we are improved


Richard Wang

Sep 1, 2016, 9:35:54 PM
to mozilla-dev-s...@lists.mozilla.org
We can separate the 2015 incidents from 2016, and separate reported incidents from un-reported ones; then all is clear:

In 2015, reported:

Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates

Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers

In 2015, un-reported:

Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates.

Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates

Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates

In 2016, un-reported:

Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate

We gave Google detailed information immediately after receiving your email, and we also replied to Mozilla's email immediately that all details are reported to Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1293366

I said "Yes, we are improved"; you can see from the timeline that from June 2015 to July 2016, a period of over one year, we did not have any incident. This means we fixed the system bugs in time and do more validation and checks, and we blocked many illegal orders for famous domains.

Best Regards,

Richard

-----Original Message-----
From: Ryan Sleevi [mailto:ry...@sleevi.com]
Sent: Friday, September 2, 2016 12:01 AM
To: Richard Wang <ric...@wosign.com>
Cc: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
> Thanks for your very detailed instructions.
> Yes, we are improved. The two cases happened in 2015, and the
> mis-issued certificate period is only 5 months, during which we fixed 3 big
> bugs.
> For CT, we will improve the posting system.

I had a little trouble parsing this, but let's make sure we're on the same page. I've continued Gerv's original numbering:

Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf )
Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates ( https://www.wosign.com/policy/wosign-policy-1-2-10.pdf )
Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers
Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates
Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates
Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this the only one? I wasn't clear from https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ )

Just making sure we're in agreement about the facts and timelines surrounding these, so that it's easier than debating 2 or 3 or 5 or more.
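Three of the incident classes in the timeline above (duplicate serial numbers, backdated SHA-1 certificates, and base-domain certificates issued from a sub-domain validation) can be caught by a post-issuance audit over certificate records. The Python below is an added example written for this thread, not code from WoSign, Mozilla or anyone on the list; the `first_seen` field (when a log such as CT first recorded the certificate), the issuer, serials and names are constructed, and the 2016-01-01 SHA-1 cutoff is assumed from the Baseline Requirements.

```python
"""Audit issued-certificate records for the incident classes in the thread:
duplicate serials, SHA-1 certs dated before the cutoff but first seen after
it (suspected backdating), and SANs naming a base domain when only a
sub-domain was validated."""
from collections import defaultdict
from datetime import datetime

# Assumed cutoff: the Baseline Requirements ended SHA-1 issuance on 2016-01-01.
SHA1_CUTOFF = datetime(2016, 1, 1)

def covered_by_validation(san, validated):
    """Covered only if the SAN equals a validated name or lies below one;
    a validated sub-domain never covers its parent (base) domain."""
    san = san.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in validated):
        if san == name or san.endswith("." + name):
            return True
    return False

def audit(records):
    """Return sorted (cert id, finding) pairs for records matching a pattern."""
    findings = []
    by_serial = defaultdict(list)
    for r in records:
        by_serial[(r["issuer"], r["serial"])].append(r["id"])
        if r["sig_alg"] == "sha1WithRSAEncryption":
            if r["not_before"] >= SHA1_CUTOFF:
                findings.append((r["id"], "sha1-after-cutoff"))
            elif r["first_seen"] >= SHA1_CUTOFF:  # dated before, seen after
                findings.append((r["id"], "sha1-possibly-backdated"))
        for san in r["sans"]:
            if not covered_by_validation(san, r["validated"]):
                findings.append((r["id"], "unvalidated-san:" + san))
    for (_, serial), ids in by_serial.items():
        if len(ids) > 1:  # same serial reused under one issuer
            findings.extend((i, "duplicate-serial:" + serial) for i in ids)
    return sorted(findings)

# Constructed sample records (hypothetical issuer, serials and names).
SAMPLE = [
    {"id": "c1", "issuer": "Example CA", "serial": "01", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2015, 12, 20), "first_seen": datetime(2016, 7, 5),
     "sans": ["example.test"], "validated": ["example.test"]},
    {"id": "c2", "issuer": "Example CA", "serial": "02", "sig_alg": "sha256WithRSAEncryption",
     "not_before": datetime(2016, 6, 23), "first_seen": datetime(2016, 6, 23),
     "sans": ["example.test", "www.example.test"], "validated": ["www.example.test"]},
    {"id": "c3", "issuer": "Example CA", "serial": "02", "sig_alg": "sha256WithRSAEncryption",
     "not_before": datetime(2016, 6, 24), "first_seen": datetime(2016, 6, 24),
     "sans": ["ok.example.test"], "validated": ["example.test"]},
]
```

Running `audit(SAMPLE)` flags c1 as possibly backdated, c2 for a base-domain SAN covered only by a sub-domain validation, and both c2 and c3 for sharing a serial.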




Ryan Sleevi

Sep 1, 2016, 9:49:12 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, September 1, 2016 at 6:35:54 PM UTC-7, Richard Wang wrote:
> I said " Yes, we are improved", you can see from the timeline that from June 2015 to July 2016, over one-year period that we don't have any incident, this means we fixed system bug in time and do more validation and check, we blocked many illegal order for famous domains.

Mere minutes before you posted this message, you acknowledged in https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ that this certificate was misissued: https://crt.sh/?id=29884704

If we trust that your notBefore dates are correct, then this was issued June 23, 2016. Clearly, this shows an issue; I'll reply on that thread about its full extent.

Richard Wang

Sep 1, 2016, 10:06:42 PM
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
This is another case in which he completed the website control validation.

We and Alibaba are investigating why he was able to do the website control validation.

This is the log, but we can't expose more now since it is related to Alibaba.

2016-06-23 01:34:39: WoSign validation system received domain "alicdn.com" website control request,the url is "http://alicdn.com/alicdn.com.html", v_random is 2e3baabe989fad9f143517796ed4941c13e7177b, Validation system used Get method, 400 error, then change to use POST method, success.


Best Regards,

Richard
