Apple has decided to untrust a WoSign certificate
It may be hard to believe, but the WoSign/StartCom saga is still ongoing.
If you have not been following the story up to this point, here is a very quick summary: In August, WoSign, a Chinse CA, was found to have violated a series of industry standards. StartCom, an Israeli CA was also found to have some violations of their own. A former StartCom employee then presented evidence that StartCom had been quietly acquired by WoSign. Now the root programs, which dictate what CAs are trusted, are considering how to handle the violations.
If you are looking for more background, see our last update on WoSign’s problems.
Since our last update, Mozilla has published evidence that WoSign purposefully back-dated certificates so they could sign them with SHA-1 and not be detected by browsers. Back-dating refers to setting the “notBefore” field in a certificate (which tells you when a certificate was issued) to an earlier date. It is not explicitly forbidden to back-date certificates, many CAs regularly do this by a day or two to account for inconsistently set local time/date settings on computers. But, in this case, WoSign’s back-dating was a major violation.
SSL certificates use cryptographic signatures to allow computers to prove if a certificate is authentic. SHA-1 was the primary hashing algorithm used for these signatures until the end of last year when overwhelming evidence showed that it was a security risk. SHA-1 has since been forbidden by industry requirements and replaced with SHA-2. However, some industries have had a hard time with the transition due to a lack of SHA-2 support in certain software/hardware.
As a result, a special application has been developed that allows those who need a SHA-1 certificate to get one, albeit through a labor-intensive process. However, it looks like WoSign opted for an easier route for their customers, and tried to secretly violate industry standards.
Through careful analysis and Certificate Transparency data, Mozilla found that WoSign may have issued up to 64 certificates during 2016 which were signed with SHA-1 and backdated to appear as though they were issued in 2015.
By looking at legal incorporation documents, Mozilla has concluded that, “as of November 1st 2015, WoSign took 100% ownership of the Israel-based CA “StartCom,” through intermediary companies in the UK and Hong Kong.”
Mozilla also documented changes in issuance practices that suggest StartCom is using WoSign’s infrastructure.
As a result, Mozilla is planning on treating both CAs as one and applying any sanctions to WoSign and StartCom equally.
Mozilla has not made a final decision on sanctions, but they have proposed to distrust the CAs for a minimum of one year. After which, the CAs could reapply under special conditions, which include a full security audit of their issuance software, and try to regain trusted status. All existing WoSign/StartCom certificates will not be affected. This will minimize the effect to users while still punishing the CA.
The 64 certificates that are suspected of being back-dated will be entirely revoked and added to their OneCRL system.
If Mozilla goes forward with this action, they will be looking at the issuance date (“notBefore”) on the certificates to decide if they should be untrusted. Because the CAs were found backdating certificates, some critics pointed out that this will not prevent further mis-issuance. However, other methods for trusting the existing certificates, such as through a whitelist, are believed to be technically infeasible due to the number of certificates.
Yesterday, Mozilla had an in-person meeting with representatives from StartCom and QiHoo, a Chinese tech firm that owns a majority stake in WoSign. Following that meeting, Mozilla will await a public proposal from WoSign/StartCom before making its final decision.
What Will Other Root Programs Do?
Over the weekend, Apple announced that it will be dis-trusting a specific WoSign intermediate certificate. This means that Apple devices will no longer trust certificates issued from the “WoSign CA Free SSL Certificate G2” certificate.
Most CAs maintain a number of roots and intermediates dedicated to different purposes, for instance different “classes” of certificates (DV, OV, EV) or for different types of public keys (RSA, ECC).
This WoSign intermediate is used for their free certificate program. WoSign’s free SSL certificates were specifically abused by researchers/attackers to issue certificates for Github and UCF.edu without proper authorization.
Similar to Mozilla’s proposed action, Apple will continue to trust existing WoSign certificates. Apple wrote: “To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.”
It is unclear exactly how Apple will trust existing certificates. As mentioned earlier, whitelisting existing certificates may be problematic due to the number of certificates. Other methods of checking if the certificate was CT logged will also be difficult.
However, Apple’s decision should be seen as incomplete. There is ample evidence that WoSign has mis-issued certificates from a variety of roots and intermediates. As of now, these other roots and intermediates will remain trusted (such as this certificate which Mozilla believes was back-dated and is trusted on Apple devices via a StartCom cross-sign).
It is unclear why they have limited their action to this specific intermediate certificate. They have also not made any announcement regarding actions against StartCom.
Apple’s root program is generally silent, and terse when it does say anything. So we may never know the reasoning for this. In its statement, Apple said that “as the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.”
This leaves two major root programs, Google and Microsoft, who have not made any formal announcements. Google’s team, who is extremely active and public with its decisions, will likely make a formal announcement when WoSign/StartCom have published their proposal following their meeting with Mozilla.
Until then, we wait to see exactly what fate awaits WoSign/StartCom. So far, both CAs are in serious trouble.
UPDATE: Since we originally published this post, Apple and Google have taken new action against WoSign and Startcom.
Apple has expanded their dis-trust to all StartCom and WoSign roots, which they announced on November 30th, 2016. WoSign/StartCom certificates issued before December 1st, 2016 will continue to be trusted.
Google has also decided to untrust all WoSign/StartCom certificates issued after October 21st, 2016. This behavior will apply in Chrome 56. Certificates issued before then will be trusted, but only if they comply with Chrome’s Certificate Transparency policy.
Chrome will also have a limited whitelist of certificates issued to “domains known to be customers of WoSign and StartCom.” These certificates will not need to be CT compliant. However this will only be a temporary measure, designed to give these sites time to transition to a new CA and avoid showing frequent warnings on high-traffic sites.