Woes Worsen for WoSign
The investigation into WoSign is bringing more failures to light.
One of the more troubling breaches of Certificate Authority (CA) trust has been unfolding on Mozilla’s Security Policy forum over the past few weeks. In August, it was discovered that the Chinese CA, WoSign, had issued SSL certificates signed with the SHA-1 algorithm, which has been forbidden by industry requirements since the beginning of 2016.
Complicating things further, the mis-issued certificates had been back-dated in order to appear as if they were issued in 2015 – at a time when SHA-1 was still permissible – allowing the certificates to circumvent browsers’ measures to block those certificates. We covered the original violation late last month.
This initial incident prompted a closer look at WoSign’s issuance practices, and has opened a veritable Pandora’s box, revealing a number of other violations. Mozilla has documented 12 different issues, more than half of which constitute major violations of industry standards. One of the most alarming discoveries was that WoSign’s system allowed users to add arbitrary domains to their certificate without proving ownership over them. This violates one of the most fundamental principles of internet PKI: that users have proved ownership of the requested domains in their certificate.
There have also been allegations that WoSign mis-issued a certificate for alicdn.com – a site operated by AliBaba, China’s biggest eCommerce company. It is not yet known if this certificate was improperly issued, and Mozilla is still investigating how the certificates was issued.
On September 4th, WoSign released a formal incident report addressing a handful of the violations that have been discovered. The 20-page report attempted to explain the manner in which these violations had occurred in addition to outlining WoSign’s response and solutions. However, the report raised even more questions, including why it failed to acknowledge other known issues.
Mozilla has also shared evidence that WoSign has allegedly acquired another CA, the Israeli company Startcom, in late 2015. The relationship between WoSign and Startcom has been questioned since it was discovered that certificates signed by WoSign could be acquired through Startcom’s StartEncrypt software.
Neither WoSign nor Startcom publicly announced the acquisition. While CAs are often acquired by competitors, it is unusual for it to be done in secret. Gervase Markham, a member of Mozilla’s CA team, notes that while “none of what is described is illegal,” failure to disclose a change of corporate ownership does violate Mozilla’s CA policy requirements and the bylaws of the Certificate Authority & Browser Forum (CA/B Forum). Both CAs have continued to vote in the CA/B Forum as separate parties since the alleged acquisition.
Despite legal incorporation documents stating otherwise, Wosign’s CEO Richard Wang is maintaining that an acquisition has not (yet) occurred. Wang wrote “an announcement and disclosure will be made shortly pending completion of the business transaction.”
The entire incident has been a cat and mouse game. Every time WoSign discloses a violation, more problems are found that WoSign missed or failed to disclose. Despite the increased scrutiny, WoSign has continued to give incomplete and imprecise responses. The thread where these incidents are being discussed with WoSign’s CEO Richard Wang has already passed 180 posts and the tone has taken a noticeably negative shift in recent days.
It is still not known how major browsers will respond to WoSign’s violations, but members of the browser community have expressed concern that WoSign does not appear to have a strong awareness of its own operations as a CA, what certificates it is issuing, and how those certificates are being validated. If WoSign is untrusted it will essentially be the end of their business as a CA.
Discussions of WoSign’s misconduct have been going on for a month now, and WoSign’s CEO is hoping that the company can soon move past this episode.
“Unfortunately,” wrote Markham, “I think we may be only beginning.”
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018in Hashing Out Cyber Security
How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chromein Everything Encryption
Re-Hashed: How to Fix SSL Connection Errors on Android Phonesin Everything Encryption
Cloud Security: 5 Serious Emerging Cloud Computing Threats to Avoidin ssl certificates
This is what happens when your SSL certificate expiresin Everything Encryption
Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Messagein Hashing Out Cyber Security
Report it Right: AMCA got hacked – Not Quest and LabCorpin Hashing Out Cyber Security
Re-Hashed: How to clear HSTS settings in Chrome and Firefoxin Everything Encryption
Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithmsin Everything Encryption
The Difference Between Root Certificates and Intermediate Certificatesin Everything Encryption
The difference between Encryption, Hashing and Saltingin Everything Encryption
Re-Hashed: How To Disable Firefox Insecure Password Warningsin Hashing Out Cyber Security
Cipher Suites: Ciphers, Algorithms and Negotiating Security Settingsin Everything Encryption
The Ultimate Hacker Movies List for December 2020in Hashing Out Cyber Security Monthly Digest
Anatomy of a Scam: Work from home for Amazonin Hashing Out Cyber Security
The Top 9 Cyber Security Threats That Will Ruin Your Dayin Hashing Out Cyber Security
How strong is 256-bit Encryption?in Everything Encryption
Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3in Everything Encryption
How to View SSL Certificate Details in Chrome 56in Industry Lowdown
PayPal Phishing Certificates Far More Prevalent Than Previously Thoughtin Industry Lowdown