by pfg
3560 days ago
There were a number of other issues that came up during this investigation that showed that they should not be running a CA[1]. For example, they issued certificates to anyone able to control an unprivileged port (> 1024) behind a domain. They issued certificates for "root domains" to anyone able to verify control of a subdomain. When StartCom launched their issuance API, it was taken down within a matter of days due to some pretty obvious holes. The biggest problem with the SHA-1 issuance is that they - as the report shows - blatantly lied about how this played out during the investigation and did not even attempt to go through the proper channels to get an exception from browser vendors (which other CAs did). Additionally, issuing a SHA-1 certificate to a payment processor that failed to upgrade their systems in time cannot be explained by China having a large number of XP <= SP2 users. That's just an excuse. Regarding the TrustWave incident a few years back, it's important to understand that this happened when the rules for CAs were not quite as clear as they are now. I think this happened just around the time when the Baseline Requirements were written and were not yet in effect, and various browser policies were not as clear as they could've been about this use-case. Four years later, I have no doubts that a CA who'd give out the private key of a non-constrained CA certificate to a non-audited third-party would lose their trust status within a matter of days. [1]: https://wiki.mozilla.org/CA:WoSign_Issues
It's ok, it's just a temp workaround... /s - https://tyro.com/blog/merchant-security-is-tyros-priority/
Tyro don't say when they got their SHA-1 cert from StartCom but say they needed this workaround because some of their customers still ran POS software on old operating systems such as Windows XPSP2 and that "internet security standards are moving faster than typical small merchants upgrade their systems."
> "We reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge in a way that had minimal impact on merchants."...
To me this would be ringing so many alarm bells: why would my current CA tell me they cannot issue a SHA-1 cert but StartCom say they can? (I believe they got issued the SHA-1 cert after the cutoff because of the details in the document Mozilla have supplied and that we are no longer a few months into 2016, so their need for a "few months runway" was way off.) Yes, it would mean my customers' POS systems would still function, but I sure as hell would be asking questions about its issuance.
EDIT: Tyro have removed their StartCom SHA-1 cert from https://iclient.tyro.com/ and it's now supplying a RapidSSL cert issued in May of this year, but yesterday they were serving a StartCom SHA-1 cert on their iclient subdomain.
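A defender-side check for the situation the thread describes, added here as an example rather than anything posted by the commenters: a stdlib-only DER reader that reports a certificate's signature algorithm OID and notBefore date, and flags SHA-1 signatures dated on or after the 1 January 2016 Baseline Requirements cutoff on new SHA-1 issuance. The sample certificate builder (`sample_cert`, `_der`) and the OID byte constants are constructed for this example and are not real issued certificates.

```python
import datetime as dt

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1
SHA1_CUTOFF = dt.datetime(2016, 1, 1, tzinfo=dt.timezone.utc)  # BR ban on new SHA-1 issuance

def _tlv(buf, pos=0):  # decode one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # split a constructed DER value into (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _oid(value):  # OBJECT IDENTIFIER contents -> dotted notation
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def _time(tag, value):  # UTCTime (0x17) or GeneralizedTime (0x18) -> UTC datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode(), fmt).replace(tzinfo=dt.timezone.utc)
def check_cert(der):  # -> (sig_oid, not_before, flagged): SHA-1 signed on/after the cutoff
    (_, tbs), (_, sig_alg) = _children(_tlv(der)[1])[:2]
    fields = _children(tbs)
    if fields[0][0] == 0xA0:  # drop optional [0] EXPLICIT version
        fields = fields[1:]
    not_before = _time(*_children(fields[3][1])[0])  # serial, sigAlg, issuer, validity, ...
    sig_oid = _oid(_children(sig_alg)[0][1])
    return sig_oid, not_before, sig_oid in SHA1_SIG_OIDS and not_before >= SHA1_CUTOFF

def _der(tag, payload):  # tiny DER encoder, used only to build the constructed sample below
    n, nb = len(payload), (len(payload).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload

def sample_cert(sig_oid_bytes, not_before):  # constructed, unsigned test certificate (DER)
    alg = _der(0x30, _der(0x06, sig_oid_bytes))
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, b"170401000000Z"))
    tbs = _der(0x02, b"\x01") + alg + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5 (constructed sample input)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

For a certificate captured from a live server, `ssl.PEM_cert_to_DER_cert` from the standard library turns the PEM text into the DER bytes `check_cert` expects.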