Chinese CA WoSign faces revocation after issuing fake certificates of Github, Microsoft and Alibaba
Posted by h0ldthedoor (Registered: 06/25/16, Posts: 510, Loc: North of The Wall)
#23593421 - 08/30/16 12:00 PM

Quote:

One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate from WoSign for github.io, taking control over the entire domain.

Indeed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.

Possible fake cert for Github
https://crt.sh/?id=29647048
https://crt.sh/?id=29805567


Possible fake cert for Alibaba, the largest commercial site in China
https://crt.sh/?id=29884704

Possible fake cert for Microsoft
https://crt.sh/?id=29805555

What's more shocking is WoSign's behavior after the vulnerability was disclosed to them.
WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.

WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanctions against WoSign, WoSign stated that
For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in crt.sh, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks. 
14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate.
WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"

Let's recall how the attack works. Say I want to acquire a fake cert issued to github.io. Github allows me to control the subdomain percy.github.io. I then go to WoSign to demonstrate my control of percy.github.io. WoSign then issues me a cert for percy.github.io but also for github.io, which allows me to attack the entire github.io domain.

WoSign should have revoked certs issued with this vulnerability immediately. Instead, 14 months after the disclosure, WoSign responded that I, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China, can so lack security knowledge is beyond comprehension.

I originally didn't advocate for a revocation of WoSign in the thread.
The news about possible sanctions against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign; the rest talk about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contrasting with the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion in CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement.
In light of WoSign's utter ignorance of the security knowledge required of a CA, I call for revocation of WoSign from all root programs and blacklisting of all intermediate certs operated by WoSign and cross-signed by StartCom immediately.




Source: http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html

Newsgroup: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I
Do you take any steps to verify HTTPS implementation?
Users may choose only one (2 total votes)
Yes: 2 (100%)
No: 0 (0%)

What step(s) do you take to verify HTTPS implementation?
Users may choose 2 (3 total votes)
Browser Extension(s) (Calomel SSL Validation for FF, HTTPS Everywhere): 2 (67%)
Hardened Browser TLS/SSL Settings: 1 (33%)
None (Stock browser safeguards): 0 (0%)
Votes accepted from (08/30/16 12:00 PM) to (09/06/16 08:59 AM)


--------------------
Always keep your foes confused. If they are never certain who you are or what you want, they cannot know what you are like to do next. Sometimes the best way to baffle them is to make moves that have no purpose, or even seem to work against you.

– Petyr Baelish
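Added example, not from the quoted post or from WoSign: the domain-authorization rule a CA must enforce before issuing, which is exactly the check the post says WoSign got wrong. Proving control of a name authorizes that name and labels below it, never its parent; the names, request values and the wildcard handling are constructed for illustration and go slightly beyond the post's single percy.github.io case.

```python
# Added example (not WoSign's code): the authorization check a CA must apply
# to every requested name before issuance. The flaw described in the post is
# that control of percy.github.io was treated as authorizing github.io.

def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return name.strip().rstrip(".").lower()

def is_authorized_by(requested: str, validated: str) -> bool:
    """True if `validated`, a name the applicant proved control of, covers `requested`.

    Control of example.com covers example.com and any label below it
    (www.example.com, a.b.example.com). It never covers a parent or a sibling,
    so control of percy.github.io must not yield a certificate for github.io.
    """
    req, val = _normalize(requested), _normalize(validated)
    if req.startswith("*."):
        # A wildcard is only as authorized as the name it is rooted at.
        req = req[2:]
    # The leading "." keeps notpercy.github.io from matching percy.github.io.
    return req == val or req.endswith("." + val)

def unauthorized_sans(requested_sans, validated_domains):
    """Return the requested names that no validated domain authorizes.

    A correct CA refuses the whole request when this list is non-empty,
    rather than issuing and waiting for the subscriber to ask for revocation.
    """
    return [s for s in requested_sans
            if not any(is_authorized_by(s, v) for v in validated_domains)]

if __name__ == "__main__":
    # Constructed request modelled on the post: the applicant proved control
    # of percy.github.io only, then asked for the parent github.io as well.
    validated = ["percy.github.io"]
    requested = ["percy.github.io", "www.percy.github.io", "github.io"]
    bad = unauthorized_sans(requested, validated)
    print("refuse issuance, unvalidated names:", bad)  # ['github.io']
```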

