Chinese Certificate Authority ‘mistakenly’ gave out SSL Certs for GitHub Domains

http://thehackernews.com/2016/08/github-ssl-certificate.html?m=1

Internet security is really broken when you can’t trust the integrity of CAs.

5 Comments

  1. Tomi Engdahl says:

    Stephen Schrauger / Schrauger.com:
    How WoSign, a Chinese CA, issued a valid SSL cert for GitHub’s primary domain to a subdomain user, and didn’t revoke it even after the vulnerability was reported

    The story of how WoSign gave me an SSL certificate for GitHub.com
    https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com

    HTTPS is supposed to prevent eavesdropping, yet with these keys, I could become a man-in-the-middle with ease.

    Certificate Authority (CA)

    Anyone can generate a certificate for any domain. The catch is that your browser will not see these self-signed certificates as valid. It only trusts a few select operators, called certificate authorities.

    StartSSL gives free certificates, but each cert only works for one domain.

    In order to acquire a certificate for any domain, the trusted CAs require that you prove ownership in one of several ways. One of WoSign’s methods (also used by many other CAs) is to give you a text file filled with unique data. You must put the file in a specific location on your website.

    Also note that by proving control of a primary domain, you are assumed to control any subdomains. Most CAs will assume this, and it is a reasonable assumption.

    They had a bug in their validation process that assumed I controlled the base domain, despite only proving access to a specific subdomain.

    WoSign signed my certificate, and lo and behold, I had a certificate that was valid for github.com, github.io, www.github.io, schrauger.github.com, and schrauger.github.io.
    I set up a test website on my local machine that responded to GitHub’s domains. I loaded the site, saw that the location was https://github.com, and the browser said my connection was encrypted by a valid certificate signed by WoSign.

    I was concerned they would keep it quiet. After all, just four years prior, the certificate authority DigiNotar went bankrupt after it was shown they mis-issued a bunch of certificates. The major browsers (Chrome, Firefox, Internet Explorer) had revoked DigiNotar as a trusted CA.

    I posted a question asking how to proceed. I kept the details generic.

    I contacted Dan Kaminsky, a well-known person in the field of web encryption and security. He was able to contact WoSign on my behalf.

    WoSign fixed the domain validation vulnerability, and they revoked my GitHub certificate.

    But Chrome didn’t seem to be checking the revocation servers. So my certificate was still valid for any Chrome users!

    WoSign didn’t do any retroactive searches for other certificates to revoke.

    I contacted GitHub through their bug program. I showed them how anyone could use Chrome and load my GitHub test site without seeing any certificate errors. They contacted the security teams for Google Chrome, who then went on to contact the teams of Firefox, Internet Explorer, and Safari.

    WoSign had never reported the mis-issued GitHub certificate, nor the vulnerability they had patched that I discovered. All certificate authorities go through yearly audits, and they are required to report any major issues found.

    WoSign joined the conversation, saying they didn’t realize the vulnerabilities had to be reported.

    WoSign apparently doesn’t understand that all certificates generated by the exploit should be revoked no matter what.

    There are major problems with the current system of certificate revocation.
    If the revocation check fails to respond, most browsers will default to accepting the certificate.

    That means that any revoked certificate can still be used to launch a man-in-the-middle attack. The current system of checking for revoked certificates doesn’t work very well under actual attacks.

    Google decided to forgo checking for certificate revocation status. Instead, it takes a select subset of all revoked certificates and includes it with their browser updates.

    Unfortunately, including every revoked certificate is neither practical nor possible.

    WoSign is now joining the list of CAs who publish a full transparency report, partly due to this vulnerability coming to light.

    Conclusion

    Domain validation is hard. It isn’t as simple as one may think, and WoSign isn’t the first to have a problem. They are still a trusted CA for now, and hopefully they will get their act together quickly.

    Having competition is good; only just recently did Let’s Encrypt join as a free SSL provider alongside StartSSL and WoSign. If WoSign doesn’t stay, we’ll be back to two providers.

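The comment above describes two independent failures: a CA that treated proof of control over a subdomain as proof of control over its parent, and browsers whose revocation checks soft-fail when the responder cannot be reached. The following is an added example modelling both, not code from Schrauger’s post, from WoSign or from any browser. The hostnames are the ones named in the comment; the public-suffix table, the serial number and the responder behaviours are constructed stand-ins. `authorized_flawed` reproduces the validation bug the comment describes (a proof for `schrauger.github.com` is taken as a proof for `github.com`), `authorized_correct` scopes a proof to the proven name and names below it, and `revocation_decision` shows why the revoked certificate kept working in a soft-fail browser unless a shipped blocklist such as Chrome’s CRLSet happened to contain it.

```python
"""Domain-validation scope and revocation soft-fail, modelled on the
WoSign/GitHub incident. All inputs are constructed for illustration."""

# Constructed, tiny stand-in for the Public Suffix List. "github.io" is a
# public suffix because every GitHub Pages user gets an independent sub-domain.
PUBLIC_SUFFIXES = frozenset({"com", "io", "github.io"})


def labels(name):
    return name.lower().rstrip(".").split(".")


def registrable_domain(name):
    """Shortest suffix of `name` one label longer than a public suffix, or
    None when `name` is itself a public suffix (nobody 'owns' github.io)."""
    parts = labels(name)
    for i in range(len(parts)):
        if ".".join(parts[i:]) in PUBLIC_SUFFIXES:
            return ".".join(parts[i - 1:]) if i > 0 else None
    return None


def authorized_flawed(proven_names, requested):
    """The bug from the post: proving control of a host is treated as proving
    control of its parent, so schrauger.github.com authorises github.com."""
    for proven in proven_names:
        parent = ".".join(labels(proven)[1:])
        if requested == parent or requested.endswith("." + parent):
            return True
    return False


def authorized_correct(proven_names, requested):
    """A proof covers exactly the proven name and names below it; a proof
    for a public suffix (or an unknown TLD) counts for nothing."""
    for proven in proven_names:
        if registrable_domain(proven) is None:
            continue
        if requested == proven or requested.endswith("." + proven):
            return True
    return False


def issuable_sans(proven_names, requested_sans, policy):
    """Subset of the requested SANs that `policy` would let the CA sign."""
    return [san for san in requested_sans if policy(proven_names, san)]


class ResponderUnreachable(Exception):
    """The OCSP responder timed out or the request never got through."""


def revocation_decision(serial, ocsp_lookup, hard_fail=False, crlset=frozenset()):
    """Browser-side decision for one certificate.

    `ocsp_lookup(serial)` returns "good" or "revoked", or raises
    ResponderUnreachable. `crlset` models a blocklist shipped with browser
    updates (Chrome's CRLSet), consulted before any network check."""
    if serial in crlset:
        return "reject"
    try:
        status = ocsp_lookup(serial)
    except ResponderUnreachable:
        # Soft-fail, the common default: an unanswered check is treated like
        # "good", so a revoked certificate is usable whenever the check fails.
        return "reject" if hard_fail else "accept"
    return "reject" if status == "revoked" else "accept"


# Constructed sample data: the hostnames from the post, a placeholder serial.
PROVEN = ["schrauger.github.com", "schrauger.github.io"]
REQUESTED = ["github.com", "github.io", "www.github.io",
             "schrauger.github.com", "schrauger.github.io"]
MISISSUED_SERIAL = "PLACEHOLDER-SERIAL-0001"
REVOKED = frozenset({MISISSUED_SERIAL})


def responder_online(serial):
    return "revoked" if serial in REVOKED else "good"


def responder_blocked(serial):
    raise ResponderUnreachable()


def demo():
    """Run every scenario and return the outcomes keyed by name."""
    return {
        "flawed_policy": issuable_sans(PROVEN, REQUESTED, authorized_flawed),
        "correct_policy": issuable_sans(PROVEN, REQUESTED, authorized_correct),
        "responder_online": revocation_decision(MISISSUED_SERIAL, responder_online),
        "blocked_soft_fail": revocation_decision(MISISSUED_SERIAL, responder_blocked),
        "blocked_hard_fail": revocation_decision(MISISSUED_SERIAL, responder_blocked, hard_fail=True),
        "blocked_with_crlset": revocation_decision(MISISSUED_SERIAL, responder_blocked, crlset=REVOKED),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:>20}: {outcome}")
```

Under the flawed policy all five names are issuable from two subdomain proofs; under the correct one only the two proven hosts are. The revocation half shows the other point of the comment: the same revoked serial is rejected only when the responder answers, when the browser hard-fails, or when the serial is in the shipped blocklist; with the default soft-fail and an unreachable responder it is accepted.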
  2. Tomi Engdahl says:

    Mozilla Wants to Drop WoSign as Trusted CA
    https://threatpost.com/mozilla-wants-to-drop-wosign-as-trusted-ca/120912/

    Mozilla has accused a Chinese Certificate Authority of back-dating SHA-1 certificates to get around restrictions barring deprecated certs from being trusted, and is ready to ban the CA for one year. The back-dating is just one of many violations derived after a lengthy investigation of WoSign and one of its subsidiaries, StartCom. In addition to consistently back-dating SHA-1 certs, WoSign is accused of mis-issuing certificates for GitHub to a customer, allowing arbitrary domain names to be included in certs without validating them, and failing to report its acquisition of StartCom as CAs are required to do. A report published Monday by Mozilla lists numerous other infractions that go against requirements put forth by the CA/Browser Forum’s published baseline requirements.

    “Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Mozilla said in its report. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.”

    See more at: Mozilla Wants to Drop WoSign as Trusted CA https://wp.me/p3AjUX-vsc

  3. Tomi Engdahl says:

    Apple chops woeful WoSign HTTPS certs from iOS, macOS
    Intermediate certs from StartCom, Comodo get the ban-hammer
    http://www.theregister.co.uk/2016/10/03/apple_wosign_certificates/

    While Mozilla’s democracy decides what to do about WoSign, Apple’s dictatorship has issued its edict: the Chinese certificate authority WoSign will be thrown out of Cupertino’s trust list.

    As we reported last week, after a lengthy investigation, Mozilla engineers accused WoSign of:

    Backdating certificates so it could still let customers present certs using insecure SHA-1 crypto,
    Concealing its ownership of Israeli certificate authority (CA) StartCom, and
    Letting StartCom issue backdated SHA-1 certs.

    Apple has decided that iOS and macOS will no longer trust new intermediate certificates from WoSign (delivered through StartCom and Comodo – there’s that name again).

    “Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA,”

    The decision will be implemented in the next round of security updates.

  4. Tomi Engdahl says:

    Mozilla Distrusts Certificates From WoSign, StartCom
    http://www.securityweek.com/mozilla-distrusts-certificates-wosign-startcom

    Mozilla has decided to revoke trust in new WoSign and StartCom certificates, despite the steps taken by the companies in an effort to address the issues found by the web browser vendor.

    Mozilla recently unveiled a proposal to ban certificates issued by Chinese certificate authority WoSign and its subsidiary StartCom for one year due to more than a dozen problems identified since January 2015.

    The most serious issues found by Mozilla are related to backdated certificates and the fact that WoSign did not inform the browser vendor that it had acquired Israel-based StartCom.

    Despite these and other changes, Mozilla has decided to ban new certificates from both WoSign and StartCom due to the “levels of deception demonstrated by representatives of the combined company.”

    “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to,” the Mozilla Security Team said in a blog post. “Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

  5. Tomi Engdahl says:

    Google to Distrust WoSign, StartCom Certificates
    http://www.securityweek.com/google-distrust-wosign-startcom-certificates

    Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).

    Google joins Apple and Mozilla, which also decided to revoke trust in WoSign and StartCom certificates after the Chinese CA and its subsidiary were involved in more than a dozen incidents since January 2015. Web browser vendors are mainly unhappy that the companies backdated some certificates to bypass restrictions, and they did not inform them about StartCom’s acquisition by WoSign.

    “For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” said Google’s Andrew Whalley.

