Quote:
One of the largest Chinese root certificate authority WoSign issued many fake certificates due to an vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
In deed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.
Possible fake cert for Github https://crt.sh/?id=29647048 https://crt.sh/?id=29805567
Possible fake cert for Alibaba, the largest commercial site in China https://crt.sh/?id=29884704
Possible fake cert for Microsoft https://crt.sh/?id=29805555
What's more shocking is WoSign's behavior after the vulnerability was disclosed to them. WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.
WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanction against WoSign, WoSign stated that For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in crt.sh, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks. 14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate. WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"
Let's recall how the attack works. Say, I want to acquire a fake cert issued to Github.io. Github allows me to control the subdomain percy.github.io. I then go to WoSign to demonstrate my control of percy.github.io. WoSign then issue me cert for percy.github.io but also github.io, which allows me to attack the entire github.io domain.
WoSign should have revoked certs issued with this vulnerability immediately. Instead, 14 months after the disclosure, WoSign's responded that, me, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China can be such lack of security knowledge is beyond comprehension.
I originally didn't advocate for a revocation of WoSign in the thread. The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement. In light of WoSign's utter ignorance on security knowledge of CA, I call for revocation of WoSign from all root programs and blacklist all intermediate cert operated by WoSign and corss-signed by StarCom immediately.
Source: http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
Newsgroup: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I
|
Browser Extension(s) (Calomel SSL Validation for FF, HTTPS Everywhere)
|
|
|
Hardened Browser TLS/SSL Settings
|
|
|
None (Stock browser safeguards)
|
| |
Votes accepted from (08/30/16 12:00 PM) to (09/06/16 08:59 AM) You must vote before you can view the results of this poll.Filter by response
--------------------
Always keep your foes confused. If they are never certain who you are or what you want, they cannot know what you are like to do next. Sometimes the best way to baffle them is to make moves that have no purpose, or even seem to work against you. – Petyr Baelish
|