On Wed, Sep 07, 2016 at 04:15:47PM -0700, Eric Kuhnke wrote:
> Further update on all known suspicious activity from Wosign:
> https://wiki.mozilla.org/CA:WoSign_Issues
>
> Seriously, what level of malice and/or incompetence does one have to rise to in order to be removed from the Mozilla (and hopefully Microsoft and Chrome) trusted root CA store? Is this not sufficient?
At this point, it's pretty clear that WoSign as an operational CA is going to be no more, at least as far as Mozilla is concerned. The number of issues is immense, and nobody on m.d.s.p is arguing in favour of keeping the root (except WoSign). The other major trust stores are completely opaque as to their process, but a root pulled from Mozilla is practically dead in the water.

The problem is that just pulling the root is extremely damaging -- to Mozilla, and to the ecosystem. If a root gets pulled, all the sites that are currently using a WoSign-issued cert "stop working". Since plenty of people use WoSign certs (in China, as well as their "free" issuance offering), a lot of sites go dead all at once. Since users cannot stand to not have their dancing kitten gifs, they'll barge through any barrier you put in place, whether that be clicking past warnings or switching to another browser. Mozilla doesn't want to lose (more) market share, and training people to click past security warnings is a really, really dumb move.

There are a number of things that could be done to reduce the mess of a pulled root, but many of them involve the cooperation of the CA being pulled, and it's highly unlikely that they'd be in a cooperative mood.

The relevant discussion at the moment is around how best to cause WoSign to no longer be trusted, *without* causing collateral damage (or at least minimising it). Certificate Transparency can help, maybe, but CT isn't a live query mechanism, and shipping a giant whitelist of all valid WoSign certs is... large.

Honest Achmed had the right idea.

- Matt

Nit-pickers' corner: Chrome uses the OS trust store; Google doesn't run its own trust store for Chrome, although it does maintain *something* for Android. Chrome has a cert blacklist, and its own EV treatment criteria, but no trust store as such.