
Mozilla: Distrusting New WoSign and StartCom Certificates


Batu69


Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016. Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy.

 

The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct. The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

 

Specifically, Mozilla is taking the following actions:

  1. Distrust certificates with a notBefore date after October 21, 2016 which chain up to the following affected roots. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the affected roots.
    • This change will go into the Firefox 51 release train.
    • The code will use the following Subject Distinguished Names to identify the root certificates, so that the control will also apply to cross-certificates of these roots.
      • CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
      • CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
      • CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
      • CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
      • CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
  2. Add the previously identified backdated SHA-1 certificates chaining up to these affected roots to OneCRL.
  3. No longer accept audits carried out by Ernst & Young Hong Kong.
  4. Remove these affected root certificates from Mozilla’s root store at some point in the future. If the CA’s new root certificates are accepted for inclusion, then Mozilla may coordinate the removal date with the CA’s plans to migrate their customers to the new root certificates. Otherwise, Mozilla may choose to remove them at any point after March 2017.
  5. Mozilla reserves the right to take further or alternative action.

If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to.

 

Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.

Each of these CAs may re-apply for inclusion of new (replacement) root certificates as described in Bug #1311824 for WoSign, and Bug #1311832 for StartCom.

 

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA that demonstrated similar levels of deception to circumvent Mozilla’s CA Certificate Policy, the CA/Browser Forum’s Baseline Requirements, and direct inquiries from Mozilla representatives.

 

Article source
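The control in item 1 above is easy to misread as "reject anything issued by WoSign after the date": it is keyed on the Subject DN of any certificate in the path, not on the trust anchor, which is what makes it catch cross-certificates of those roots. The following is an added example, not Mozilla's or either CA's code, that models that rule with the `cryptography` Python package on a constructed test PKI. Assumptions: the cutoff is taken as midnight UTC on 21 October 2016 (the post names only a date); DNs are compared as an unordered set of attributes rather than byte-exact DER as Firefox does; the issuing CA and host names (`Constructed WoSign DV Server CA`, `www.example.com`, and so on) are made up for the demonstration; signature checking is left out because the rule sits on top of ordinary path validation, not in place of it.

```python
"""Added model of Mozilla's WoSign/StartCom distrust rule (not Mozilla's code)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Subject DNs of the affected roots, copied from the post; "OU=null" means no OU attribute.
AFFECTED_ROOT_DNS = [
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
]
UTC = timezone.utc
# Assumption: the post gives only a date, so midnight UTC on that day is used as the boundary.
DISTRUST_CUTOFF = datetime(2016, 10, 21, tzinfo=UTC)
_ATTR = {"CN": NameOID.COMMON_NAME, "OU": NameOID.ORGANIZATIONAL_UNIT_NAME,
         "O": NameOID.ORGANIZATION_NAME, "C": NameOID.COUNTRY_NAME}

def dn_from_string(dn):
    """Turn 'CN=x, OU=null, O=y, C=z' into an x509.Name, dropping OU=null (absent OU)."""
    attrs = []
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        if value != "null":
            attrs.append(x509.NameAttribute(_ATTR[key], value))
    return x509.Name(attrs)

def dn_key(name):
    """Order-insensitive comparison key (simplification: Firefox compares encoded DER)."""
    return frozenset((a.oid.dotted_string, a.value) for a in name)

AFFECTED_KEYS = {dn_key(dn_from_string(s)) for s in AFFECTED_ROOT_DNS}

def cn(value):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])

def not_before_utc(cert):
    nb = getattr(cert, "not_valid_before_utc", None)  # cryptography >= 42
    return nb if nb is not None else cert.not_valid_before.replace(tzinfo=UTC)

def build_chain(leaf, pool):
    """Follow issuer links from the leaf through `pool` until a self-issued cert or dead end."""
    chain, current, seen = [leaf], leaf, set()
    while current.issuer != current.subject:
        parent = next((c for c in pool if c.subject == current.issuer and id(c) not in seen), None)
        if parent is None:
            break
        seen.add(id(parent))
        chain.append(parent)
        current = parent
    return chain

def evaluate(leaf, pool, onecrl=frozenset()):
    """Return 'distrusted', 'revoked' or 'trusted' for the leaf under the rule in the post.
    Every cert above the leaf is checked by Subject DN, so a cross-certificate carrying an
    affected root's DN is caught even when the path ends in some other root."""
    chain = build_chain(leaf, pool)
    if not any(dn_key(c.subject) in AFFECTED_KEYS for c in chain[1:]):
        return "trusted"
    if not_before_utc(leaf) > DISTRUST_CUTOFF:
        return "distrusted"
    if (dn_key(leaf.issuer), leaf.serial_number) in onecrl:  # OneCRL keys on issuer + serial
        return "revoked"
    return "trusted"

def make_cert(subject, issuer, issuer_key, not_before, ca=False):
    """Issue a constructed test certificate; none of these are real WoSign/StartCom certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject if issuer is None else issuer.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(key if issuer_key is None else issuer_key, hashes.SHA256()))
    return cert, key

def demo():
    """Constructed scenario: a root with the real WoSign Subject DN, one intermediate, leaves."""
    root, root_key = make_cert(dn_from_string(AFFECTED_ROOT_DNS[1]), None, None,
                               datetime(2009, 8, 8, tzinfo=UTC), ca=True)
    inter, inter_key = make_cert(cn("Constructed WoSign DV Server CA"), root, root_key,
                                 datetime(2014, 1, 1, tzinfo=UTC), ca=True)
    other, other_key = make_cert(cn("Constructed Unrelated Root"), None, None,
                                 datetime(2010, 1, 1, tzinfo=UTC), ca=True)
    # Cross-certificate: the unrelated root signs the WoSign root's Subject DN. A client
    # without the WoSign root but trusting "other" builds its path through this cert.
    cross, _ = make_cert(root.subject, other, other_key, datetime(2012, 1, 1, tzinfo=UTC), ca=True)
    other_ca, other_ca_key = make_cert(cn("Constructed Unrelated Issuing CA"), other, other_key,
                                       datetime(2012, 1, 1, tzinfo=UTC), ca=True)
    site = cn("www.example.com")
    new_leaf, _ = make_cert(site, inter, inter_key, datetime(2017, 1, 1, tzinfo=UTC))
    old_leaf, _ = make_cert(site, inter, inter_key, datetime(2016, 6, 1, tzinfo=UTC))
    clean_leaf, _ = make_cert(site, other_ca, other_ca_key, datetime(2017, 1, 1, tzinfo=UTC))
    onecrl = {(dn_key(old_leaf.issuer), old_leaf.serial_number)}  # constructed OneCRL entry
    return {
        "issued_2017": evaluate(new_leaf, [inter, root]),
        "issued_2016_06": evaluate(old_leaf, [inter, root]),
        "backdated_in_onecrl": evaluate(old_leaf, [inter, root], onecrl),
        "via_cross_cert": evaluate(new_leaf, [inter, cross, other]),
        "unrelated_root": evaluate(clean_leaf, [other_ca, other]),
    }

if __name__ == "__main__":
    print(demo())
```

The `via_cross_cert` case is the one worth studying: the path never reaches the WoSign root, yet the rule still fires because the cross-certificate carries the listed Subject DN. That is why the post says the control "will also apply to cross-certificates of these roots", and why a CA cannot escape it by having a friendly CA re-sign the same root name. The `backdated_in_onecrl` case shows the second lever in the post: certificates that were backdated before the cutoff are not caught by the date check and have to be blocked individually by OneCRL.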


Still do not understand why anyone would do this. The only guess I can make is that they think they are getting visitors who are running aged browsers and cannot run the newer version of certificates or something like that.



Simple.  Corruption.  Everything security-wise from China is suspect.  Sorry to be a racist, but that's just the way it is.  I lived there long enough to know, almost nothing is beyond corruption and the hurdle is pretty low.



21 hours ago, DKT27 said:

Still do not understand why anyone would do this. The only guess I can make is that they think they are getting visitors who are running aged browsers and cannot run the newer version of certificates or something like that.

 

It is all about security and the appearance that something may not be right.  We manually check all certificates we allow on our network and have never allowed any from these two CAs.  When word of this problem first surfaced we double checked the entire network to ensure that one of these certificates had not found its way in somehow but the network was still clean.  The old saying that 'prevention is worth a pound of cure' has never been more true than in computer security.

 

11 hours ago, davmil said:

Simple.  Corruption.  Everything security-wise from China is suspect.  Sorry to be a racist, but that's just the way it is.  I lived there long enough to know, almost nothing is beyond corruption and the hurdle is pretty low.

 

That isn't being racist.  Security trumps everything.  Things from China are suspect.  We do not allow anything on the network we can't vet for security.  Therefore, no Lenovo computers/devices are allowed (including Motorola phones) and no Apple devices (iPhones, iPads, iPods).  We do allow MacBook Pro and iMac up to 2015 models.  



4 hours ago, pc71520 said:

Is it only China? :think:

 

Actually no, just about 99 and 44/100 percent is about China, the other 56/100 percent is for the rest of the world.  And if you wonder why, look no farther than where most electronics are made.  Chips made in foreign countries that do not give outside access to their production process and code cannot be vetted.  In other words, no one can certify them as not having malicious code programmed into the chip that would possibly steal data and direct it to another entity without the need for any software.  It is always better to be safe than sorry.  Like we tell our employees, we don't care what devices you buy, just be aware that you may not be able to connect them to the network and you won't be able to use them at work.



Meanwhile, Government Enforcement & Intelligence bodies brutally violate users' Privacy (with the excuse of Security).

But that's another story; an even worse one.



27 minutes ago, pc71520 said:

Meanwhile, Government Enforcement & Intelligence bodies brutally violate Privacy (with the excuse of Security).


Sadly, that's the shape of the brave new world.
