by lionradio
3560 days ago
I think Mozilla is falling for Symantec's / other CAs' propaganda here. Yes, WoSign did bad things, but those are by far not the worst things we've seen in CA wrongdoings in the last years.
We've seen certs issued for MITM attacks and security holes in the validation process of nearly every CA. (http://www.theregister.co.uk/2012/02/14/trustwave_analysis/) - they confessed to issuing a cert for MITM purposes and are still part of the game.
The allegations mainly consist of:
a) WoSign didn't make transparent that they have control over StartCom. Yes, this is a thing and it should be discussed. But the main focus of this is obviously to get StartCom into this story. Where - as I understood it - there is no allegation that StartCom itself did something wrong. At least not in the league of "we should kill that company". Transparency is important and we should fight for it. Not only in China.
b) They backdated SHA-1 certs. Obviously because non-updated Windows XP machines are a thing in China. This is against the code of conduct. This is bad, but I totally get the intention here. And the intention is not MITM attacks or worse (as we see a lot in the CA business); the intention is not to break the Chinese internet. Bottom line:
"Let's Encrypt" is destroying the business of many shady CAs these days. Competition is getting harder. StartCom had an advantage in this race as they adapted quickly to the new rules and they've built the best product in the market for special use cases. We - for example - rely on a lot of wildcard certs for many domains. StartCom had the product. We paid them $200 for all our certs and the next cheapest competitor wanted $150.000 / year for our certs. I totally get why they are getting attacked by the big players. I totally don't get why Mozilla is falling for this.
The biggest problem with the SHA-1 issuance is that they - as the report shows - blatantly lied about how this played out during the investigation and did not even attempt to go through the proper channels to get an exception from browser vendors (which other CAs did). Additionally, issuing a SHA-1 certificate to a payment processor that failed to upgrade their systems in time cannot be explained by China having a large number of XP <= SP2 users. That's just an excuse.
Regarding the TrustWave incident a few years back, it's important to understand that this happened when the rules for CAs were not quite as clear as they are now. I think this happened just around the time when the Baseline Requirements were written and were not yet in effect, and various browser policies were not as clear as they could've been about this use-case. Four years later, I have no doubts that a CA who'd give out the private key of a non-constrained CA certificate to a non-audited third-party would lose their trust status within a matter of days.
[1]: https://wiki.mozilla.org/CA:WoSign_Issues