zMeul

Apple, google and Mozilla disavow WoSign and StartCom certificates


source: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

what happened:

Quote

On August 17, 2016, Google was notified by GitHub's security team that WoSign had issued a certificate for one of GitHub's domains without their authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign misissuance.


The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

 

what will Apple do: https://support.apple.com/en-us/HT204132

Quote

In light of these findings, we are taking action to protect users in an upcoming security update.  Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.


To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.


As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.

 

what will Google do:

Quote

Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.


Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.


In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs.

 

Mozilla's response: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

 

Quote
  1. Distrust certificates with a notBefore date after October 21, 2016 which chain up to the following affected roots. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the affected roots.
    • This change will go into the Firefox 51 release train.
    • The code will use the following Subject Distinguished Names to identify the root certificates, so that the control will also apply to cross-certificates of these roots.
      • CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
      • CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
      • CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
      • CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
  2. Add the previously identified backdated SHA-1 certificates chaining up to these affected roots to OneCRL.
  3. No longer accept audits carried out by Ernst & Young Hong Kong.
  4. Remove these affected root certificates from Mozilla’s root store at some point in the future. If the CA’s new root certificates are accepted for inclusion, then Mozilla may coordinate the removal date with the CA’s plans to migrate their customers to the new root certificates. Otherwise, Mozilla may choose to remove them at any point after March 2017.
  5. Mozilla reserves the right to take further or alternative action.

 

Certificate Authority (CA) - an entity that issues digital certificates to website operators

digital certificate - certifies ownership; these certificates are trusted by browsers to authenticate secure connections to websites

 

----

 

StartCom "is" a company based in Eilat, Israel that has three main activities:

  • StartCom Linux Enterprise (Linux distribution),
  • StartSSL (CA)
  • MediaHost (web hosting)

StartCom was acquired in secrecy by WoSign Limited (China) through multiple companies

 

the Heartbleed exploit: back in 2014, StartCom refused to revoke the affected certificates for free even after being provided with proof that those certificates were compromised; they asked $25 for each revoked certificate

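The Mozilla rule quoted in the post above has two moving parts that are easy to get wrong when reproduced in code: the cutoff applies to the certificate's own notBefore, and the affected roots are identified by Subject DN rather than by key or fingerprint so that a cross-certificate carrying the same Subject is caught as well. The following is an added example, not code from Mozilla, Google, Apple or any browser root program. It builds a throwaway test PKI with Go's crypto/x509 (every name other than the six listed root DNs is invented for the demonstration) and applies the check to chains that fall on each side of the cutoff, including one that reaches the affected root through a cross-certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Cutoff from the Google and Mozilla announcements: a certificate whose notBefore
// is after this instant and that chains to an affected root is refused.
var cutoff = time.Date(2016, time.October, 21, 0, 0, 0, 0, time.UTC)

// dn builds a DN; an empty ou reproduces Mozilla's "OU=null" (attribute absent).
func dn(cn, ou, o, c string) pkix.Name {
	n := pkix.Name{CommonName: cn, Organization: []string{o}, Country: []string{c}}
	if ou != "" { n.OrganizationalUnit = []string{ou} }
	return n
}

// affectedRoots are the six Subject DNs from Mozilla's announcement. Keying on the
// DN rather than a key hash catches a cross-certificate carrying the same Subject.
var affectedRoots = []pkix.Name{
	dn("CA 沃通根证书", "", "WoSign CA Limited", "CN"),
	dn("Certification Authority of WoSign", "", "WoSign CA Limited", "CN"),
	dn("Certification Authority of WoSign G2", "", "WoSign CA Limited", "CN"),
	dn("CA WoSign ECC Root", "", "WoSign CA Limited", "CN"),
	dn("StartCom Certification Authority", "Secure Digital Certificate Signing", "StartCom Ltd.", "IL"),
	dn("StartCom Certification Authority G2", "", "StartCom Ltd.", "IL"),
}

// sameDN compares the four attributes Mozilla's list uses (CN, OU, O, C).
func sameDN(a, b pkix.Name) bool {
	j := func(s []string) string { return strings.Join(s, "|") }
	return a.CommonName == b.CommonName && j(a.OrganizationalUnit) == j(b.OrganizationalUnit) &&
		j(a.Organization) == j(b.Organization) && j(a.Country) == j(b.Country)
}

// Distrusted applies the rule to a chain ordered leaf first: refuse only if the
// leaf's notBefore is after the cutoff and some certificate in the chain names an
// affected root as its Issuer (direct issuance, intermediate, or cross-certificate).
func Distrusted(chain []*x509.Certificate) bool {
	if len(chain) == 0 || !chain[0].NotBefore.After(cutoff) {
		return false
	}
	for _, c := range chain {
		for _, r := range affectedRoots {
			if sameDN(c.Issuer, r) { return true }
		}
	}
	return false
}

// issue creates a certificate for subject. A nil parent gives a self-signed root; a
// nil key generates one (a cross-certificate re-certifies an existing key under
// another root). Demo code: panics on failure.
func issue(subject pkix.Name, notBefore time.Time, isCA bool, parent *x509.Certificate, parentKey, key *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	var err error
	if key == nil {
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { panic(err) }
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: notBefore, NotAfter: notBefore.AddDate(2, 0, 0),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildChains builds a throwaway PKI covering the cases the rule separates. Every
// name other than the affected root DN is invented for this example.
func BuildChains() map[string][]*x509.Certificate {
	old, before, after := cutoff.AddDate(-5, 0, 0), cutoff.AddDate(0, -1, 0), cutoff.Add(24*time.Hour)
	root, rootKey := issue(affectedRoots[1], old, true, nil, nil, nil)
	other, otherKey := issue(dn("Example Unaffected Root", "", "Example CA", "US"), old, true, nil, nil, nil)
	cross, _ := issue(affectedRoots[1], old, true, other, otherKey, rootKey) // root's DN and key, signed by other
	sub, subKey := issue(dn("Example Issuing CA", "", "Example CA", "CN"), old, true, root, rootKey, nil)
	leafBefore, _ := issue(dn("before.example.test", "", "Example Site", "US"), before, false, sub, subKey, nil)
	leafAfter, _ := issue(dn("after.example.test", "", "Example Site", "US"), after, false, sub, subKey, nil)
	leafOther, _ := issue(dn("other.example.test", "", "Example Site", "US"), after, false, other, otherKey, nil)
	return map[string][]*x509.Certificate{
		"before-cutoff":          {leafBefore, sub, root},
		"after-cutoff":           {leafAfter, sub, root},
		"after-cutoff-via-cross": {leafAfter, sub, cross, other},
		"unaffected-root":        {leafOther, other},
	}
}

func main() {
	for name, chain := range BuildChains() {
		fmt.Printf("%-24s distrusted=%v\n", name, Distrusted(chain))
	}
}
```

Two caveats a practitioner would want. First, notBefore is written by the CA itself, so this check takes the CA's word for when a certificate was issued; that is exactly why Mozilla's item 1 pairs the cutoff with the threat of immediate and permanent distrust if further back-dating is found, and why Apple and Google leaned on Certificate Transparency log publication, which carries an independent timestamp, to decide which pre-existing certificates to keep trusting. Second, matching on the Subject DN (not the self-signed root object) is what makes the rule survive a cross-signed copy of the root, which the "after-cutoff-via-cross" chain above exercises.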

Glad I’m not with them… Let’s Encrypt is where it’s at! 😜


The one and only CPU Buyer’s Guide | The LGBT Community | Power user of Arch Linux

〜 Some day, we’ll all be free 〜 Some day, we’ll live as one family in sweet harmony 〜

 

【㆒ACTIVE】HENEN–NESW

CPU: Intel Core i3–6100 (CPUMark ~5,474)  RAM: 1× 16GiB Corsair Vengeance LPX DDR4 DIMMs, CL12 @ 2400MHz  Motherboard: EVGA Z170 Stinger mainboard  Storage: Intel 535 Series 240GB SATA III SSD  PSU: SeaSonic® 400W 80+ Platinum fanless modular ATX unit  Display: 27” 1440p 16:9 ASUS PB278Q +  IPS LCD 22” 1080p 16:9 AOC i2267Fw IPS LCD  Keyboard: Qisan Magicforce 68-key backlit keyboard + Cherry MX Brown switches Mouse: Lenovo ThinkPad wireless laser mouse OS: Crunchbang-like Arch Linux x86-64

【㆒ACTIVE】SENUSRET (Lenovo ThinkPad Yoga)

CPU: Intel Core i5-4200U (CPUMark ~3,267) RAM: 8GiB soldered DDR3L RAM Storage: Unknown 128GB SATA III SSD Display: 12.5” 1080p 16:9 built-in IPS multitouch LCD OS: RemixOS (Android for PC), version 3.0.207

【RETIRED】TYRE

CPU: Intel Core 2 Quad Q8200 (CPUMark ~2,826)  Motherboard: Gateway/Acer OEM, µATX-compatible proprietary form factor RAM: 4× 2GiB Green-PCB Generic DDR2 DIMMs  Storage: 500GB WD Green replacement HDD OS: Microsoft Windows Vista SP2

【㆒ACTIVE】WASET (Sony VAIO)

CPU: Intel Core i5–2450M (CPUMark ~3,404)  RAM: 2× 4GiB Green-PCB Samsung DDR3 SODIMMs  Storage: Intel 520 Series “Cherryville” 120GB SSD + WD Black 2.5” 750GB HDD  Display: 14” 768p 16:9 built-in TN LCD  OS: Crunchbang-like Arch Linux x86-64


And so another corrupt tech super pact comes crashing down around our ankles.

 

Now we just need google to focus on getting people that dank google fiber, help kick the ever loving shit out of the horrid isp's we have here in the US.


Updated Build 2016 | 4790K @4.7GHz | 2x Gigabyte G1 R9 390 (Do Not Buy These!) | 16GB 1866MHz DDR3 Corsair Vengeance | ASRock Pro4 | Case: TBD | Acer K272HUL | Sennheiser 558 + Marantz MPM-2000U Condenser Mic

19 minutes ago, LAwLz said:

That is a major fuckup. I am glad that they are getting slapped on the wrist so hand their hands broke. 

I suppose you meant hard?


The ability to google properly is a skill of its own. 

6 hours ago, Atmos said:

And so another corrupt tech super pact comes crashing down around our ankles.

 

Now we just need google to focus on getting people that dank google fiber, help kick the ever loving shit out of the horrid isp's we have here in the US.

Hell, I'd vote Google to be our Overlord here in Australia for proper 100+mbps (down ~AND~ up!) fibre nation-wide instead of this 25/5mbps MTN (Mixed-Tech Network) NBN crap (hint: ADSL 2+ is 24/3mbps), where we might have fibre trunks, but unless you've already got fibre in the street OR are building a new development; you're gonna be stuck on FTTN with Copper or HFC (hybrid fibre-coax) in the street... At least if you're in an area which they aren't just gonna cut off the old phone exchange and put the whole town on NBN Wireless with the same 25/5mbps (even fucking Mobile Broadband on 4G is 25mbps each way and 4GX is 50-75mbps each way!).

 

Sadly, most towns that are more rural than urban (eg: 95% of the Riverina in NSW to start with) will be getting NBN Wireless even if the fibre trunk runs through the town along the same path the old copper trunk did!


Main Rig: Monsuta (Build log). Old Systems: Tinker, Beast & Lappy.

OS: Windows 7 Ultimate/ZorinOS 9. CPU: i7-3770K (OC'd at 4.2GHz with 42x Multi + 100MHz Bclk). Mobo: ASRock Z77 Extreme 6. RAM: 32GB (4x8GB kit) Corsair Vengeance 1600MHz DDR3. GPU: 6GB EVGA GTX780 SC ACX. Storage: 16TB (4x4TB) Seagate Barracudas. Case: CoolerMaster HAF Stacker 945 (915R+925+915F). PSU: 750W Thermaltake EVO Blue. Cooling: EKWB X360 kit + EKWB GTX780 block & (gold) backplate + EK-XRES 140 DDC 3.2 PWM Elite (incl. pump) + EK CoolStream XE 360/6x EK Vardar 120mm Fan F4-120ER 2200RPM Black (3 pushing through Rad 1, 3 pulling through Rad 2). Optical: ASUS DRW-24B3LT/LG BH16NS40 16X BD-R. Monitor(s): 2x LG Flatron E2441.

Lenovo L520, running Win7Pro/ZorinOS 9, 8GB DDR3, otherwise stock

 

5 hours ago, Technous285 said:

Hell, I'd vote Google to be our Overlord here in Australia for proper 100+mbps (down ~AND~ up!) fibre nation-wide instead of this 25/5mbps MTN (Mixed-Tech Network) NBN crap (hint: ADSL 2+ is 24/3mbps), where we might have fibre trunks, but unless you've already got fibre in the street OR are building a new development; you're gonna be stuck on FTTN with Copper or HFC (hybrid fibre-coax) in the street... At least if you're in an area which they aren't just gonna cut off the old phone exchange and put the whole town on NBN Wireless with the same 25/5mbps (even fucking Mobile Broadband on 4G is 25mbps each way and 4GX is 50-75mbps each way!).

 

Sadly, most towns that are more rural than urban (eg: 95% of the Riverina in NSW to start with) will be getting NBN Wireless even if the fibre trunk runs through the town along the same path the old copper trunk did!

Yep, I would pay a good amount for Google Fiber. The last 2 months Optus has been doing some "work" and our speeds went from 90 Mbps to 10 Mbps, and we have a cap. How is it possible that my 4G (I get 40/20) is faster than most landline Internet?


New: PCPartPicker part list

Old: Intel® Core2 Quad CPU Q8400 @ 2.66GHz, GIGABYTE GA-EP43T-UD3L, 4 GB Elixir PC3 DDR3-1333, ASUS RADEON R7 260X, Thermaltake M9, 1TB HDD, GreatWall GW550SEL 550 WATT, BENQ GW2255, Hyper T4, Samson SR950 Headphones, FiiO EK10.

21 minutes ago, Slyhawk said:

Yep, I would pay a good amount for Google Fiber. The last 2 months Optus has been doing some "work" and our speeds went from 90 Mbps to 10 Mbps, and we have a cap. How is it possible that my 4G (I get 40/20) is faster than most landline Internet?

Mate, I'm living on 8032/384 kbps (as read at the modem, that's barely 8mbps down) "ADSL 1" because of the local Telstra phone exchange being 30+ years old and it should have been replaced 10-15 years ago. All whilst I'm paying $89.90 AUD/month to Westnet for 350GB/month at "up to" ADSL 2+ (24/3mbps) speeds (grandfathered 300GB/month plan, changed from Peak/Off-Peak to Anytime and 50GB/month added when they realigned their offerings), which is the best Westnet can offer me on Telstra's hardware without going to NBN Satellite (at least until NBN Wireless rolls out to me).

 

I love Westnet and have been with them since 2007, but Telstra doesn't really give a flying crap about their exchanges and line pits (had one in Junee that'd flood every damn time it rained harder than a mild drizzle, and it'd cut the street above the pit until drained, before Telstra finally replaced the gear back in 2012.) unless you're in a place like Wagga.



 
