Chinese root CA issues rogue/fake certificates
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
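The scoping rule that the flaw described above violated, as an added example that is not part of the original post and not any CA's code: proving control of a name authorises that name and names beneath it, never a parent or a sibling. The function names and every sample name other than percy.github.io and github.io are constructed for illustration, and the rule is simplified.

```python
# Added example (not WoSign's or any CA's code): scope check applied after
# domain-control validation. All function names here are hypothetical.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def covered_by_validation(requested: str, validated: str) -> bool:
    """True if control of `validated` authorises a certificate for `requested`.

    Simplified rule: the requested name must equal the validated name or sit
    beneath it. A wildcard is judged by the name to the right of "*.".
    """
    req = _labels(requested)
    if req[0] == "*":
        req = req[1:]
    val = _labels(validated)
    if not req or len(req) < len(val):
        return False  # fewer labels: a parent (or unrelated) name, never covered
    # Compare whole labels, not string suffixes, so "xpercy.github.io"
    # is not mistaken for something under "percy.github.io".
    return req[-len(val):] == val


def names_to_reject(validated: str, requested_sans: list[str]) -> list[str]:
    """Return the requested SAN entries that the validation does not cover."""
    return [n for n in requested_sans if not covered_by_validation(n, validated)]


# Constructed request: control was proven for percy.github.io only.
SAMPLE_SANS = [
    "percy.github.io",
    "www.percy.github.io",
    "*.percy.github.io",
    "github.io",          # base domain: the case described in the post
    "*.github.io",
    "xpercy.github.io",   # sibling that merely shares a string suffix
]

if __name__ == "__main__":
    for name in names_to_reject("percy.github.io", SAMPLE_SANS):
        print("reject:", name)
```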
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Royce
mozilla.dev.security thread:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmy...
On Aug 30, 2016 10:12 PM, "Royce Williams" <royce@techsolvency.com> wrote:
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Royce
We've received several unsolicited certificate approval requests from wosign sign on high-value domain names we manage. Wosign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.
-mel beckman
On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
mozilla.dev.security thread:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmy...
On Tue, Aug 30, 2016 at 9:11 PM, Royce Williams <royce@techsolvency.com> wrote:
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Hypothetically, it would be an interesting strategy for a CA to publicly demonstrate this level of competence:
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate...
... while at the same time taking over another large install base like StartSSL's (an install base fueled by offering free certs).
If one got caught doing something naughty, one could buy time by A) playing the incompetence card a few times, and B) having a large enough deployment that it becomes non-trivial for the browsers/OSes to revoke you outright.
I'm oversimplifying, as I do not yet actually grok the WoSign <-> StartCom cert trust relationship - but the individual components are ... interesting.
Also, this is a cautionary tale about certificate diversity.
Because of relative issuer stability, orgs have had the luxury of depending wholly on a single cert supplier. The risk/continuity folks might want to model some "one of our major certificate issuers just got globally revoked" scenarios - if they haven't already.
(Side note: compromises in the global trust ecosystem play a fascinating part in Vinge's 2007 Hugo-winning "Rainbows End" - a great read).
Royce
On Wed, Aug 31, 2016 at 10:45:48AM -0800, Royce Williams wrote:
Hypothetically, it would be an interesting strategy for a CA to publicly demonstrate this level of competence:
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate...
... while at the same time taking over another large install base like StartSSL's (an install base fueled by offering free certs).
If one got caught doing something naughty, one could buy time by A) playing the incompetence card a few times, and B) having a large enough deployment that it becomes non-trivial for the browsers/OSes to revoke you outright.
Honest Achmed's business model wins again! I'm pretty sure that's how this is going to go down here, too, incidentally -- there's just waaaay too many sites using WoSign (and StartCom) for the CAs' roots to just be pulled. Sad, but true.
Also, this is a cautionary tale about certificate diversity.
Because of relative issuer stability, orgs have had the luxury of depending wholly on a single cert supplier. The risk/continuity folks might want to model some "one of our major certificate issuers just got globally revoked" scenarios - if they haven't already.
I'd be surprised if most business continuity people could even name their cert provider, and most probably don't even know how certs come to exist or that they *can* be made useless on a wide scale by the actions of, seemingly, an unrelated third party. It's a system nearly without precedent, when you think about it. In fact, my gut feel is that, if they really understood the system, most risk/continuity folks would scream "are you f**king kidding me? That's ridiculous!".
Thanks, Netscape. Great ecosystem you built.
- Matt
-- Talk about unlucky. D'you know, if I fell in a barrel of tits I'd come out sucking me thumb. -- Seen on the 'net: http://thelawwestofealingbroadway.blogspot.com/2006/01/bang-to-rights.html
"Too big to fail" Where have we heard that before?
If business risk/continuity people knew not only how much of a single point of failure a root CA is, but other basic stuff like "Maybe it shouldn't be possible to login to your domain registrar's control panel with the password known by Bob from Accounting, who wrote his pet's name down on a post-it note that he keeps in his desk drawer, and then point all the NS1/NS2/NS3 and glue records somewhere else..."
On Wed, Aug 31, 2016 at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
On Wed, Aug 31, 2016 at 10:45:48AM -0800, Royce Williams wrote:
Hypothetically, it would be an interesting strategy for a CA to publicly demonstrate this level of competence:
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
... while at the same time taking over another large install base like StartSSL's (an install base fueled by offering free certs).
If one got caught doing something naughty, one could buy time by A) playing the incompetence card a few times, and B) having a large enough deployment that it becomes non-trivial for the browsers/OSes to revoke you outright.
Honest Achmed's business model wins again!
I'm pretty sure that's how this is going to go down here, too, incidentally -- there's just waaaay too many sites using WoSign (and StartCom) for the CAs' roots to just be pulled. Sad, but true.
Also, this is a cautionary tale about certificate diversity.
Because of relative issuer stability, orgs have had the luxury of depending wholly on a single cert supplier. The risk/continuity folks might want to model some "one of our major certificate issuers just got globally revoked" scenarios - if they haven't already.
I'd be surprised if most business continuity people could even name their cert provider, and most probably don't even know how certs come to exist or that they *can* be made useless on a wide scale by the actions of, seemingly, an unrelated third party. It's a system nearly without precedent, when you think about it. In fact, my gut feel is that, if they really understood the system, most risk/continuity folks would scream "are you f**king kidding me? That's ridiculous!".
Thanks, Netscape. Great ecosystem you built.
- Matt
-- Talk about unlucky. D'you know, if I fell in a barrel of tits I'd come out sucking me thumb. -- Seen on the 'net: http://thelawwestofealingbroadway.blogspot.com/2006/01/bang-to-rights.html
On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
Thanks, Netscape. Great ecosystem you built.
Nobody at that time had a clue how this environment was going to scale, let alone what the wide-ranging security issues would be.
And where were you back then, not saving us from our erroneous path ...
In message <A75AD418-262A-4F12-A7FA-3C8D3861D1DA@orthanc.ca>, Lyndon Nerenberg writes:
On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
Thanks, Netscape. Great ecosystem you built.
Nobody at that time had a clue how this environment was going to scale, let alone what the wide-ranging security issues would be.
And where were you back then, not saving us from our erroneous path ...
Well lots of people have been pointing out the risks for years. We are nowhere at "too big to fail" here. We also have TLSA which can be used to prevent spoofed CERTs being successful. If you have a CERT you should be publishing a TLSA record and have it DNSSEC signed.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, Aug 31, 2016 at 06:49:17PM -0700, Lyndon Nerenberg wrote:
On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
Thanks, Netscape. Great ecosystem you built.
Nobody at that time had a clue how this environment was going to scale, let alone what the wide-ranging security issues would be.
Nor did they particularly trouble themselves to find out.
And where were you back then, not saving us from our erroneous path ...
You're going to go with that one, are you? Good for you.
- Matt
On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
there's just waaaay too many sites using WoSign (and StartCom) for the CAs' roots to just be pulled. Sad, but true.
Not even. Pull away.
I'd be surprised if most business continuity people could even name their cert provider, and most probably don't even know how certs come to exist or that they *can* be made useless on a wide scale by the actions of, seemingly, an unrelated third party.
Not in my neck of the woods. If you have a drought of good ones in your area my consulting company calls that an opportunity...
Sent from my iPhone
On Wed, Aug 31, 2016 at 09:33:18PM -0700, George William Herbert wrote:
On Aug 31, 2016, at 6:36 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
there's just waaaay too many sites using WoSign (and StartCom) for the CAs' roots to just be pulled. Sad, but true.
Not even. Pull away.
Not going to happen. Feel free to argue otherwise in the appropriate venues, but you're tilting at windmills, IMO.
I'd be surprised if most business continuity people could even name their cert provider, and most probably don't even know how certs come to exist or that they *can* be made useless on a wide scale by the actions of, seemingly, an unrelated third party.
Not in my neck of the woods. If you have a drought of good ones in your area my consulting company calls that an opportunity...
How the hell do you get from "the world does not work that way" to "please pitch me your consulting services"?
- Matt
On Sep 1, 2016, at 3:10 AM, Matt Palmer <mpalmer@hezmatt.org> wrote:
How the hell do you get from "the world does not work that way" to "please pitch me your consulting services"?
You appear ignorant of what real DR / resiliency can do, as do your local providers if they said that. I didn't name the company I work for because I'm not advertising, but trying to educate. I'm sorry if the kind of flip answer that it's being done rubbed you the wrong way.
Sent from my iPhone
On Thu, Sep 01, 2016 at 11:36:57AM +1000, Matt Palmer <mpalmer@hezmatt.org> wrote a message of 45 lines which said:
I'd be surprised if most business continuity people could even name their cert provider,
And they're right because it would be useless information: without DANE, *any* CA can issue a certificate for *your* domain, whether you are a client or not.
Further update on all known suspicious activity from Wosign:
https://wiki.mozilla.org/CA:WoSign_Issues
Seriously, what level of malice and/or incompetence does one have to rise to in order to be removed from the Mozilla (and hopefully Microsoft and Chrome) trusted root CA store? Is this not sufficient?
On Wed, Sep 07, 2016 at 04:15:47PM -0700, Eric Kuhnke wrote:
Further update on all known suspicious activity from Wosign:
https://wiki.mozilla.org/CA:WoSign_Issues
Seriously, what level of malice and/or incompetence does one have to rise to in order to be removed from the Mozilla (and hopefully Microsoft and Chrome) trusted root CA store? Is this not sufficient?
At this point, it's pretty clear that WoSign as an operational CA is going to be no more, at least as far as Mozilla is concerned. The number of issues is immense, and nobody on m.d.s.p is arguing in favour of keeping the root (except WoSign). The other major trust stores are completely opaque as to their process, but a root pulled from Mozilla is practically dead in the water.
The problem is that just pulling the root is extremely damaging -- to Mozilla, and to the ecosystem. If a root gets pulled, all the sites that are currently using a WoSign-issued cert "stop working". Since plenty of people use WoSign certs (in China, as well as their "free" issuance offering), a lot of sites go dead all at once. Since users cannot stand to not have their dancing kitten gifs, they'll barge through any barrier you put in place, whether that be clicking past warnings or switching to another browser. Mozilla doesn't want to lose (more) market share, and training people to click past security warnings is a really, really dumb move.
There are a number of things that could be done to reduce the mess of a pulled root, but many of them involve the cooperation of the CA being pulled, and it's highly unlikely that they'd be in a cooperative mood. The relevant discussion at the moment is around how best to cause WoSign to no longer be trusted, *without* causing collateral damage (or at least minimising it). Certificate Transparency can help, maybe, but CT isn't a live query mechanism, and shipping a giant whitelist of all valid WoSign certs is... large.
Honest Achmed had the right idea.
- Matt
Nit-pickers' corner: Chrome uses the OS trust store; Google doesn't run its own trust store for Chrome, although it does maintain *something* for Android. Chrome has a cert blacklist, and its own EV treatment criteria, but no trust store as such.
On Sep 1, 2016, at 3:19 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Thu, Sep 01, 2016 at 11:36:57AM +1000, Matt Palmer <mpalmer@hezmatt.org> wrote a message of 45 lines which said:
I'd be surprised if most business continuity people could even name their cert provider,
And they're right because it would be useless information: without DANE, *any* CA can issue a certificate for *your* domain, whether you are a client or not.
It's relevant for a different reason; CA health needs to be monitored, and multiple CAs can (should) be used in case CA A's recognition gets pulled or a catastrophe happens. Having certs from CA B then gets you going either immediately (if you actively use both) or rapidly (if you need to replace certs on web / services front end). Getting new ones from CA B in a hurry can be a major deal.
Sent from my iPhone
participants (8)
- Eric Kuhnke
- George William Herbert
- Lyndon Nerenberg
- Mark Andrews
- Matt Palmer
- Mel Beckman
- Royce Williams
- Stephane Bortzmeyer