[vtlynch]

Couple notes for people less familiar with the Internet PKI/CA industry:

1. WoSign (who also owns StartCom) violated all sorts of industry standards. The worst of them was circumventing the SHA-1 deprecation by backdating an SSL certificate.

2. Now all the root programs (Mozilla, Apple, Microsoft, and Google) need to decide how they will react to this.

3. Mozilla proposed dis-trusting all new WoSign/StartCom certificates and giving them a chance to re-apply as a trusted CA in a year. This is only their proposed action, and they have not totally committed to it.

4. Apple has now said they will take similar action to Mozilla. Apple will block a specific intermediate certificate: "WoSign CA Free SSL Certificate G2"

But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th.

While I have not personally confirmed this, my understanding is that there are other Wosign certificates that are trusted on Apple via cross-signing. So this seems like an incomplete solution - in the sense that some WoSign certificates (mainly the commercial certificates they sell, vs the ones they give away for free) will remain unaffected in anyway.

(Someone more familiar with the specifics of the Apple root store may be able to provide more clarity here)

5. Google and Microsoft have not yet committed to any action yet. Google will certainly make a detailed public announcement when they are ready.

6. Mozilla is meeting with QiHoo (a chinese tech company which owns a majority stake in WoSign). It is expected that Mozilla will make a final decision following this meeting.

[JohnTHaller]

For those who may not remember or may not have heard, QiHoo is the company behind the most popular scam browsers in the world: Qihoo 360 Secure. It was one of the most popular browsers in China with 28% of the market a few years ago. It used an IE logo colored green, force-uninstalled competing browsers by claiming they were unsafe, made uninstallation so difficult you'd often have to re-image the machine, breaks SSL, can expose user passwords, etc.

Remember, this is a "security" company.

It's rather fascinating: https://webdesign.tutsplus.com/articles/qihoo-360-secure-the...

Personally, I wouldn't trust anything this "security" company is connected with anywhere need my devices, software, or business.

[jedberg]

And yet, unless you go through the effort of removing every trusted CA from your browser, you implicitly trust them because Mozilla/Google/etc. do.

And thus why the CA system is broken in a nutshell.

[mixedCase]

>And thus why the CA system is broken in a nutshell.

I wouldn't call it broken. From what I see on Linux and Windows, Chrom[e|ium] relies on the system's trusted certificates. You always have the last says on who's in and who's out.

EDIT: Just checked, the Chromium-specific trusted CAs can be revoked through its configuration interface, doesn't just rely on system certs. Important detail, but still, user has the last word.

[arkydon]

Also accused of gaming antivirus tests http://www.pcworld.com/article/2919554/tencent-qihoo-antimal...

[nsgi]

Also the sixth browser vendor in the CAB forum.

[JoshTriplett]

> But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th.

This seems even more sensible than Mozilla's existing proposal to trust the certificate notBefore date until proof of further backdated certificates.

[hannob]

>> But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th. > This seems even more sensible than Mozilla's existing proposal to trust the certificate notBefore date until proof of further backdated certificates.

The question is how they'll actually do that. This was discussed in the moz-sec-policy-thread and people came to the rough conclusion that there are just too many wosign/startcom certificates to whitelist them in any reasonable way.

[nixgeek]

In the context of macOS, shipping out even a 75MB bundle of trusted certificates is "not significant".

Bundling it into the browser would increase the download size by a substantial percentage, but 75MB as a 'security update' distributed through the App Store is comparatively tiny versus the 1GB+ which is typical for 10.11 to 10.11.1 style updates.

[Tinyyy]

I’m just curious, what standards did they violate other than circumventing SHA-1 deprecation?

[pfg]

A number of issues can be found here[1]. Among other things, they allowed domain validation on unprivileged ports and issued certificates for "parent" domains when subscribers were able to validate control of a subdomain (i.e. you could get a certificate for github.com by controlling user.github.com).

[1]: https://wiki.mozilla.org/CA:WoSign_Issues

[justinclift]

Ugh. September 19th is poor date to choose.

When this came up, the first thing I did was generate wildcard certs for our StartCom domains, as Mozilla is going to stop trusting things at some point.

But that was on ~26th September.

Choosing the 19th is giving existing customers of StartCom no chance to manage the problem in a sensible way. :(

[cptskippy]

    When this came up, the first thing I did was generate wildcard certs for our StartCom domains

A vendor you used comes under scrutiny so your response is to double down on them? Did you have prepaid credits or something? It seems like that would have been a opportune time to migrate away from them since you'd have to redeploy certs anyways.

[justinclift]

With StartCom, once you've gone through the personal verification procedure you don't need to pay more money for new certs, nor wildcard ones.

So, no "doubling down" involved. Just a desire to have actually working certs before Mozilla's "to be announced" cut off date happens.

And then Apple comes along and (unless I'm misunderstanding) all of our certs will be useless. :(

[NetStrikeForce]

You should get a refund from your cert provider.

[stephenr]

> So, no "doubling down" involved

Continuing to use a CA that has a recognised history of fucking abysmal security and wilfully deceptive actions, whether you're paying money or not, is still "doubling down" IMO.

If you're getting a wildcard cert, you aren't getting EV, so why not just make the switch to LetsEncrypt?

[rblatz]

That seems like an odd move, doubling down on the CA after news of them doing shady stuff? Why not take that opportunity to switch to something else like let's encrypt?

[justinclift]

Really not sure why you'd think this is "doubling down"?

We've already gone through the StartCom verification process, but had only generated a few specific cert's for subdomains.

However, we're right now in the process of launching a new online project. No idea what subdomains will be needed in very near future.

It costs us no extra to generate wildcard ones, which obviously is the right move to do as they'll be valid while StartCom's new ones are no longer trusted (when Mozilla stops accepting new certs).

There's literally no way we could afford to pay for new certs from an alternative registrar instead.

[tho9Ohx1eo]

> There's literally no way we could afford to pay for new certs from an alternative registrar instead.

If ~$100 is that much for you (as a company of some sort) why don't you use Letsencrypt?

[justinclift]

Good point, that might be the better solution for the public HTTPS part of things.

Lets Encrypt doesn't provide MS Authenticode signing certs (eg to validate our downloads are legit) though. Hopefully this whole mess doesn't scope creep to include those too.

[marcosdumay]

You bet it will. If MS does not revoke them, it will reflect very badly on the security of their program.

[pfg]

This announcement only pertains to the "WoSign CA Free SSL Certificate G2" intermediate CA and does not affect any StartCom-issued certificates.

They might announce similar steps for StartCom in the future, but nothing as of yet.

[justinclift]

Thanks. Glad I misunderstood it. :)

Hopefully if it expands to include StartCom certs, they use a later date.