One of the largest Chinese root certificate authorities, WoSign, issued many
fake certificates due to a vulnerability. WoSign's free certificate
service allowed its users to get a certificate for the base domain if they
were able to prove control of a subdomain. This means that if you can
control a subdomain of a major website, say percy.github.io, you're able to
obtain a certificate by WoSign for github.io, taking control over the
entire domain.
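
The flaw described above is a scope check applied in the wrong direction: proof of control over a name was accepted as proof of control over its parent. As an added example (not WoSign's code and not part of the original thread; the function names and the `xpercy.github.io` sample name are hypothetical), this Python code models the flawed check next to a strict one that compares DNS labels:

```python
# Added illustration of the domain-validation scope check; not CA code.
# Assumption: names under the validated name count as in scope. A CA's
# policy may be narrower (exact name only), but never broader.

def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels, dropping a trailing dot."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def strict_scope_check(validated: str, requested: str) -> bool:
    """Requested name must be the validated name or lie underneath it.
    Comparison is per label, so 'xpercy.github.io' does not match
    'percy.github.io' the way a plain string-suffix test would."""
    v, r = _labels(validated), _labels(requested)
    return len(r) >= len(v) and r[-len(v):] == v


def flawed_scope_check(validated: str, requested: str) -> bool:
    """Models the behaviour described above: control of a subdomain is
    also accepted as control of its parent (base) domain."""
    v, r = _labels(validated), _labels(requested)
    is_parent = len(r) < len(v) and v[-len(r):] == r
    return strict_scope_check(validated, requested) or is_parent


def review_request(validated: str, requested_names: list[str]) -> dict[str, bool]:
    """Per requested SAN, whether the strict rule would allow issuance."""
    return {name: strict_scope_check(validated, name) for name in requested_names}


if __name__ == "__main__":
    validated = "percy.github.io"  # name the requester actually proved control of
    for san in ("percy.github.io", "www.percy.github.io",
                "github.io", "xpercy.github.io"):
        print(f"{san:22} flawed={flawed_scope_check(validated, san)!s:5} "
              f"strict={strict_scope_check(validated, san)}")
```
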
We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.
... while at the same time taking over another large install base like
StartSSL's (an install base fueled by offering free certs).
If one got caught doing something naughty, one could buy time by A)
playing the incompetence card a few times, and B) having a large
enough deployment that it becomes non-trivial for the browsers/OSes to
revoke you outright.
I'm oversimplifying, as I do not yet actually grok the WoSign <->
StartCom cert trust relationship - but the individual components are
... interesting.
Also, this is a cautionary tale about certificate diversity.
Because of relative issuer stability, orgs have had the luxury of
depending wholly on a single cert supplier. The risk/continuity folks
might want to model some "one of our major certificate issuers just
got globally revoked" scenarios - if they haven't already.
(Side note: compromises in the global trust ecosystem play a
fascinating part in Vinge's 2007 Hugo-winning "Rainbows End" - a great
read).
> ... while at the same time taking over another large install base like
> StartSSL's (an install base fueled by offering free certs).
> If one got caught doing something naughty, one could buy time by A)
> playing the incompetence card a few times, and B) having a large
> enough deployment that it becomes non-trivial for the browsers/OSes to
> revoke you outright.
Honest Achmed's business model wins again!
I'm pretty sure that's how this is going to go down here, too, incidentally
-- there's just waaaay too many sites using WoSign (and StartCom) for the
CAs' roots to just be pulled. Sad, but true.
> Also, this is a cautionary tale about certificate diversity.
> Because of relative issuer stability, orgs have had the luxury of
> depending wholly on a single cert supplier. The risk/continuity folks
> might want to model some "one of our major certificate issuers just
> got globally revoked" scenarios - if they haven't already.
I'd be surprised if most business continuity people could even name their
cert provider, and most probably don't even know how certs come to exist or
that they *can* be made useless on a wide scale by the actions of,
seemingly, an unrelated third party. It's a system nearly without
precedent, when you think about it. In fact, my gut feel is that, if they
really understood the system, most risk/continuity folks would scream "are
you f**king kidding me? That's ridiculous!".
If business risk/continuity people knew not only how much of a single point
of failure a root CA is, but other basic stuff like "Maybe it shouldn't be
possible to login to your domain registrar's control panel with the
password known by Bob from Accounting, who wrote his pet's name down on a
post-it note that he keeps in his desk drawer, and then point all the
NS1/NS2/NS3 and glue records somewhere else..."
Well lots of people have been pointing out the risks for years.
We are nowhere at "too big to fail" here.
We also have TLSA which can be used to prevent spoofed CERTs being
successful. If you have a CERT you should be publishing a TLSA
record and have it DNSSEC signed.
> there's just waaaay too many sites using WoSign (and StartCom) for the
> CAs' roots to just be pulled. Sad, but true.
Not even. Pull away.
> I'd be surprised if most business continuity people could even name their
> cert provider, and most probably don't even know how certs come to exist or
> that they *can* be made useless on a wide scale by the actions of,
> seemingly, an unrelated third party.
Not in my neck of the woods. If you have a drought of good ones in your area my consulting company calls that an opportunity...
> > there's just waaaay too many sites using WoSign (and StartCom) for the
> > CAs' roots to just be pulled. Sad, but true.
> Not even. Pull away.
Not going to happen. Feel free to argue otherwise in the appropriate
venues, but you're tilting at windmills, IMO.
> > I'd be surprised if most business continuity people could even name their
> > cert provider, and most probably don't even know how certs come to exist or
> > that they *can* be made useless on a wide scale by the actions of,
> > seemingly, an unrelated third party.
> Not in my neck of the woods. If you have a drought of good ones in your
> area my consulting company calls that an opportunity...
How the hell do you get from "the world does not work that way" to "please
pitch me your consulting services"?
> I'd be surprised if most business continuity people could even name
> their cert provider,
And they're right because it would be useless information: without
DANE, *any* CA can issue a certificate for *your* domain, whether you
are a client or not.
Seriously, what level of malice and/or incompetence does one have to rise
to in order to be removed from the Mozilla (and hopefully Microsoft and
Chrome) trusted root CA store? Is this not sufficient?
It's relevant for a different reason; CA health needs to be monitored, and multiple CAs can (should) be used in case CA A's recognition gets pulled or a catastrophe happens. Having certs from CA B then gets you going either immediately (if you actively use both) or rapidly (if you need to replace certs on web / services front end). Getting new ones from CA B in a hurry can be a major deal.
You appear ignorant of what real DR / resiliency can do, as do your local providers if they said that.
I didn't name the company I work for because I'm not advertising, but trying to educate. I'm sorry if the kind of flip answer that it's being done rubbed you the wrong way.
At this point, it's pretty clear that WoSign as an operational CA is going
to be no more, at least as far as Mozilla is concerned. The number of
issues is immense, and nobody on m.d.s.p is arguing in favour of keeping the
root (except WoSign). The other major trust stores are completely opaque as
to their process, but a root pulled from Mozilla is practically dead in the
water.
The problem is that just pulling the root is extremely damaging -- to
Mozilla, and to the ecosystem. If a root gets pulled, all the sites that
are currently using a WoSign-issued cert "stop working". Since plenty of
people use WoSign certs (in China, as well as their "free" issuance
offering), a lot of sites go dead all at once. Since users cannot stand to
not have their dancing kitten gifs, they'll barge through any barrier you
put in place, whether that be clicking past warnings or switching to another
browser. Mozilla doesn't want to lose (more) market share, and training
people to click past security warnings is a really, really dumb move.
There are a number of things that could be done to reduce the mess of a
pulled root, but many of them involve the cooperation of the CA being
pulled, and it's highly unlikely that they'd be in a cooperative mood.
The relevant discussion at the moment is around how best to cause
WoSign to no longer be trusted, *without* causing collateral damage (or at
least minimising it). Certificate Transparency can help, maybe, but
CT isn't a live query mechanism, and shipping a giant whitelist of all valid
WoSign certs is... large.
Honest Achmed had the right idea.
- Matt
Nit-pickers' corner: Chrome uses the OS trust store; Google doesn't run its
own trust store for Chrome, although it does maintain *something* for
Android. Chrome has a cert blacklist, and its own EV treatment criteria,
but no trust store as such.