On Tue, Aug 30, 2016 at 9:11 PM, Royce Williams <royce@techsolvency.com> wrote:
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate from WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Hypothetically, it would be an interesting strategy for a CA to publicly demonstrate this level of competence: https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate... ... while at the same time taking over another large install base like StartSSL's (an install base fueled by offering free certs). If one got caught doing something naughty, one could buy time by A) playing the incompetence card a few times, and B) having a large enough deployment that it becomes non-trivial for the browsers/OSes to revoke you outright.

I'm oversimplifying, as I do not yet actually grok the WoSign <-> StartCom cert trust relationship - but the individual components are ... interesting.

Also, this is a cautionary tale about certificate diversity. Because of relative issuer stability, orgs have had the luxury of depending wholly on a single cert supplier. The risk/continuity folks might want to model some "one of our major certificate issuers just got globally revoked" scenarios - if they haven't already.

(Side note: compromises in the global trust ecosystem play a fascinating part in Vinge's 2007 Hugo-winning "Rainbows End" - a great read).

Royce
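The validation flaw Eric's quoted article describes, modelled as an added example that is not code from the thread, from WoSign or from any CA: a flawed authorization check that accepts control of a subdomain as control of its parent, beside a corrected check where authorization flows downward only and public suffixes are never issuable. The two-entry public-suffix set is a constructed stand-in for the real list, and the sample pairs are constructed.

```python
# Added example, not code from the thread or from any CA: a toy model of the
# WoSign-style domain-validation flaw, beside a corrected check.
# CONSTRUCTED_PUBLIC_SUFFIXES is a constructed stand-in, not the real PSL.

CONSTRUCTED_PUBLIC_SUFFIXES = {"com", "github.io"}

def labels(name: str) -> list:
    """Normalise a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def is_equal_or_subdomain(child: str, parent: str) -> bool:
    """True if child == parent or child sits below parent. Compares whole
    labels, so 'notexample.com' is NOT treated as being under 'example.com'."""
    c, p = labels(child), labels(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def flawed_authorizes(proven: str, requested: str) -> bool:
    """The bug: the names only need to be related in *either* direction, so a
    proven percy.github.io vouches for github.io."""
    return (is_equal_or_subdomain(proven, requested)
            or is_equal_or_subdomain(requested, proven))

def correct_authorizes(proven: str, requested: str,
                       public_suffixes=CONSTRUCTED_PUBLIC_SUFFIXES) -> bool:
    """Authorization flows downward only: the proven name must equal the
    requested name or be one of its ancestors, and a public suffix is never
    issuable no matter what was proven."""
    if ".".join(labels(requested)) in public_suffixes:
        return False
    return is_equal_or_subdomain(requested, proven)

def triage(pairs):
    """Return the (proven, requested) pairs the flawed check would have
    approved but the correct check rejects, e.g. when reviewing past issuance
    for certificates that should never have been granted."""
    return [(p, r) for p, r in pairs
            if flawed_authorizes(p, r) and not correct_authorizes(p, r)]

if __name__ == "__main__":
    # Constructed sample of (name whose control was proven, name requested).
    sample = [("percy.github.io", "github.io"),
              ("example.com", "www.example.com"),
              ("www.example.com", "example.com"),
              ("notexample.com", "example.com")]
    for bad in triage(sample):
        print("would have been mis-issued under the flawed check:", bad)
```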