
Apple, Google and Mozilla disavow WoSign and StartCom certificates

source: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

what happened:

Quote

On August 17, 2016, Google was notified by GitHub's security team that WoSign had issued a certificate for one of GitHub's domains without their authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign misissuance.


The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

 

what will Apple do: https://support.apple.com/en-us/HT204132

Quote

In light of these findings, we are taking action to protect users in an upcoming security update.  Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.


To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.


As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.

 

what will google do:

Quote

Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.


Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.


In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs.

 

Mozilla's response: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

 

Quote
  1. Distrust certificates with a notBefore date after October 21, 2016 which chain up to the following affected roots. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the affected roots.
    • This change will go into the Firefox 51 release train.
    • The code will use the following Subject Distinguished Names to identify the root certificates, so that the control will also apply to cross-certificates of these roots.
      • CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
      • CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
      • CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
      • CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
  2. Add the previously identified backdated SHA-1 certificates chaining up to these affected roots to OneCRL.
  3. No longer accept audits carried out by Ernst & Young Hong Kong.
  4. Remove these affected root certificates from Mozilla’s root store at some point in the future. If the CA’s new root certificates are accepted for inclusion, then Mozilla may coordinate the removal date with the CA’s plans to migrate their customers to the new root certificates. Otherwise, Mozilla may choose to remove them at any point after March 2017.
  5. Mozilla reserves the right to take further or alternative action.

 

Certificate Authority (CA) - an entity that issues digital certificates to website operators

digital certificate - certifies ownership; browsers trust these certificates to authenticate secure connections to websites

 

----

 

StartCom "is" a company based in Eilat, Israel, that has three main activities:

  • StartCom Linux Enterprise (Linux distribution),
  • StartSSL (CA)
  • MediaHost (web hosting)

StartCom was acquired in secrecy by WoSign Limited (China) through multiple companies.

 

The Heartbleed exploit: back in 2014, StartCom refused to revoke the affected certificates for free, even after being provided with proof that the issued certificates were compromised; they asked $25 for each revoked certificate.

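The three announcements above all hinge on the same mechanics: a notBefore cutoff of 2016-10-21 00:00:00 UTC, a chain that reaches one of the affected roots (identified by subject DN so cross-certificates are covered), and, in Chrome's case, Certificate Transparency logging or a customer whitelist as the escape hatch for older certificates. The following is an added example, not code from Google, Mozilla or Apple, that models those rules in pure Python. Certificates are hand-built records rather than parsed X.509; the intermediate DN (built from the "WoSign CA Free SSL Certificate G2" name in Apple's note), the hostnames, dates, SCT timestamps and the customer whitelist are all constructed, and the backdating heuristic at the end is my own check, not part of either browser's policy.

```python
# Added example, not code from Google, Mozilla or Apple: a pure-Python model
# of the notBefore-cutoff rules quoted above. Certificates are hand-built
# records, not parsed X.509; all sample DNs, hostnames, dates and SCT
# timestamps below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set

CUTOFF = datetime(2016, 10, 21, 0, 0, 0, tzinfo=timezone.utc)

# Subject DNs of the affected roots, exactly as Mozilla lists them. Matching on
# the subject DN rather than a key hash means a cross-certificate for one of
# these roots (same subject, different issuer) is caught as well.
AFFECTED_ROOT_DNS = {
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
}


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    # Timestamps of the SCTs (CT log entries) delivered with the certificate;
    # an empty list means it was never published to a public CT log.
    sct_timestamps: List[datetime] = field(default_factory=list)


def chains_to_affected_root(chain: List[Cert]) -> bool:
    """chain is ordered leaf first, trust anchor last. It 'chains up to' an
    affected root if any member carries an affected subject DN (the root or a
    cross-cert of it) or names one as issuer (servers often omit the anchor)."""
    return any(c.subject in AFFECTED_ROOT_DNS or c.issuer in AFFECTED_ROOT_DNS
               for c in chain)


def mozilla_verdict(chain: List[Cert]) -> str:
    """Firefox 51 rule as quoted: distrust a leaf whose notBefore is after the
    cutoff when it chains to an affected root. Older leaves keep working until
    the roots are removed from the store, which is not modelled here."""
    if chains_to_affected_root(chain) and chain[0].not_before > CUTOFF:
        return "distrusted: notBefore after 2016-10-21 under an affected root"
    return "trusted"


def chrome_verdict(chain: List[Cert], hostname: str, customer_whitelist: Set[str]) -> str:
    """Chrome 56 rule as quoted: post-cutoff leaves under affected roots are
    rejected; pre-cutoff leaves survive only if CT-logged or issued to a known
    customer domain. customer_whitelist stands in for Chrome's 'limited set of
    domains'; its contents are an assumption."""
    if not chains_to_affected_root(chain):
        return "trusted"
    leaf = chain[0]
    if leaf.not_before > CUTOFF:
        return "distrusted: issued after the cutoff"
    if leaf.sct_timestamps:
        return "trusted: pre-cutoff and CT-logged"
    if hostname in customer_whitelist:
        return "trusted: pre-cutoff, whitelisted customer domain"
    return "distrusted: pre-cutoff but neither CT-logged nor whitelisted"


def suspected_backdating(cert: Cert, max_gap: timedelta = timedelta(days=1)) -> bool:
    """Heuristic (an assumption, not either browser's policy): a notBefore far
    earlier than the earliest SCT suggests the CA wrote an old date into a cert
    it actually issued later, the circumvention Mozilla says would trigger
    permanent distrust. Only meaningful for certs logged at issuance; a cert
    logged retroactively (as Apple's note describes) trips it too."""
    if not cert.sct_timestamps:
        return False
    return min(cert.sct_timestamps) - cert.not_before > max_gap


def _utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data. INTERMEDIATE_DN is built from the name in Apple's
# note and is not the real DN of that intermediate.
WOSIGN_G2 = "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN"
INTERMEDIATE_DN = "CN=WoSign CA Free SSL Certificate G2, O=WoSign CA Limited, C=CN"
ROOT = Cert(WOSIGN_G2, WOSIGN_G2, _utc(2014, 11, 8))
INTERMEDIATE = Cert(INTERMEDIATE_DN, WOSIGN_G2, _utc(2014, 11, 8))
# Cross-certificate: same subject as the affected root, signed by another CA.
CROSS_CERT = Cert(WOSIGN_G2, "CN=Some Other Root, O=Example Trust, C=US", _utc(2015, 1, 1))
OLD_LOGGED = Cert("CN=shop.example.com", INTERMEDIATE_DN, _utc(2016, 3, 1), [_utc(2016, 3, 1, 0, 5)])
OLD_UNLOGGED = Cert("CN=mail.example.org", INTERMEDIATE_DN, _utc(2016, 3, 1))
NEW_LEAF = Cert("CN=www.example.net", INTERMEDIATE_DN, _utc(2016, 11, 2), [_utc(2016, 11, 2, 0, 1)])
# Dated before the cutoff but first seen in a CT log eleven weeks later.
BACKDATED = Cert("CN=api.example.net", INTERMEDIATE_DN, _utc(2016, 10, 1), [_utc(2016, 12, 15)])
OTHER_LEAF = Cert("CN=www.example.com", "CN=Unrelated CA, O=Example Trust, C=US", _utc(2016, 11, 2))

if __name__ == "__main__":
    for leaf in (OLD_LOGGED, OLD_UNLOGGED, NEW_LEAF, BACKDATED):
        chain = [leaf, INTERMEDIATE, ROOT]
        print(leaf.subject, "| Firefox:", mozilla_verdict(chain),
              "| Chrome:", chrome_verdict(chain, leaf.subject[3:], set()),
              "| backdating?", suspected_backdating(leaf))
```

The point worth noticing in the output is the BACKDATED case: both date-based rules pass it, which is exactly why Mozilla's announcement threatens immediate and permanent distrust if further backdating is found. The only evidence a relying party has against it is the CT log timestamp, and even that is inconclusive for certificates that were logged long after issuance.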

And so another corrupt tech super pact comes crashing down around our ankles.

 

Now we just need Google to focus on getting people that dank Google Fiber, to help kick the ever-loving shit out of the horrid ISPs we have here in the US.


19 minutes ago, LAwLz said:

That is a major fuckup. I am glad that they are getting slapped on the wrist so hand their hands broke. 

I suppose you meant hard?


6 hours ago, Atmos said:

And so another corrupt tech super pact comes crashing down around our ankles.

 

Now we just need Google to focus on getting people that dank Google Fiber, to help kick the ever-loving shit out of the horrid ISPs we have here in the US.

Hell, I'd vote Google to be our Overlord here in Australia for proper 100+ Mbps (down ~AND~ up!) fibre nation-wide instead of this 25/5 Mbps MTN (Mixed-Tech Network) NBN crap (hint: ADSL 2+ is 24/3 Mbps), where we might have fibre trunks, but unless you've already got fibre in the street OR are building a new development, you're gonna be stuck on FTTN with copper or HFC (hybrid fibre-coax) in the street... At least if you're in an area where they aren't just gonna cut off the old phone exchange and put the whole town on NBN Wireless with the same 25/5 Mbps (even fucking Mobile Broadband on 4G is 25 Mbps each way and 4GX is 50-75 Mbps each way!).

 

Sadly, most towns that are more rural than urban (eg: 95% of the Riverina in NSW to start with) will be getting NBN Wireless even if the fibre trunk runs through the town along the same path the old copper trunk did!


5 hours ago, Technous285 said:

Hell, I'd vote Google to be our Overlord here in Australia for proper 100+ Mbps (down ~AND~ up!) fibre nation-wide instead of this 25/5 Mbps MTN (Mixed-Tech Network) NBN crap (hint: ADSL 2+ is 24/3 Mbps), where we might have fibre trunks, but unless you've already got fibre in the street OR are building a new development, you're gonna be stuck on FTTN with copper or HFC (hybrid fibre-coax) in the street... At least if you're in an area where they aren't just gonna cut off the old phone exchange and put the whole town on NBN Wireless with the same 25/5 Mbps (even fucking Mobile Broadband on 4G is 25 Mbps each way and 4GX is 50-75 Mbps each way!).

 

Sadly, most towns that are more rural than urban (eg: 95% of the Riverina in NSW to start with) will be getting NBN Wireless even if the fibre trunk runs through the town along the same path the old copper trunk did!

Yep, I would pay a good amount for Google Fiber. The last 2 months Optus has been doing some "work" and our speeds went from 90 Mbps to 10 Mbps, and we have a cap. How is it possible that my 4G (I get 40/20) is faster than most landline internet?


21 minutes ago, Slyhawk said:

Yep, I would pay a good amount for Google Fiber. The last 2 months Optus has been doing some "work" and our speeds went from 90 Mbps to 10 Mbps, and we have a cap. How is it possible that my 4G (I get 40/20) is faster than most landline internet?

Mate, I'm living on 8032/384 kbps (as read at the modem; that's barely 8 Mbps down) "ADSL 1" because the local Telstra phone exchange is 30+ years old and should have been replaced 10-15 years ago. All whilst I'm paying $89.90 AUD/month to Westnet for 350GB/month at "up to" ADSL 2+ (24/3 Mbps) speeds (grandfathered 300GB/month plan, changed from Peak/Off-Peak to Anytime and 50GB/month added when they realigned their offerings), which is the best Westnet can offer me on Telstra's hardware without going to NBN Satellite (at least until NBN Wireless rolls out to me).

 

I love Westnet and have been with them since 2007, but Telstra doesn't really give a flying crap about their exchanges and line pits (had one in Junee that'd flood every damn time it rained harder than a mild drizzle, and it'd cut the street above the pit until drained, before Telstra finally replaced the gear back in 2012) unless you're in a place like Wagga.
