The investigation into WoSign is bringing more failures to light.
One of the more troubling breaches of Certificate Authority (CA) trust has been unfolding on Mozilla’s Security Policy forum over the past few weeks. In August, it was discovered that the Chinese CA WoSign had issued SSL certificates signed with the SHA-1 algorithm, which industry requirements have forbidden publicly trusted CAs from using since the beginning of 2016.
Complicating things further, the mis-issued certificates had been backdated so that they appeared to have been issued in 2015, when SHA-1 was still permitted. Browsers decide whether to accept a SHA-1 certificate by looking at its validity start date, so a certificate dated 2015 is treated as a legacy certificate rather than blocked, even though it was actually signed in 2016. We covered the original violation late last month.
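The check a browser or a CA auditor applies here is simple to state: a SHA-1 signature is only tolerable if the certificate's notBefore is before 1 January 2016, and because notBefore is written by the issuer, a pre-2016 date is only credible if some evidence the issuer does not control (such as the timestamp of the certificate's Certificate Transparency log entry) agrees with it. The following Go program is an added example, not code from Mozilla, WoSign or the original article. It builds a throwaway test CA and a few constructed leaf certificates in memory, one of which is SHA-1 signed and backdated, and classifies each. The "first seen" timestamps and the 14-day grace period are assumptions chosen for the demonstration; a real audit would take the timestamp from the CT log entry.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SHA1Cutoff is the date from which the CA/Browser Forum Baseline Requirements
// forbid publicly trusted CAs to sign certificates with SHA-1.
var SHA1Cutoff = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)

type Finding string

const (
	FindingOK        Finding = "ok"                      // not SHA-1 signed, nothing to check
	FindingForbidden Finding = "sha1-after-cutoff"       // notBefore on/after the cutoff: browsers block it
	FindingBackdated Finding = "sha1-possibly-backdated" // notBefore before the cutoff, first seen well after it
	FindingLegacy    Finding = "sha1-legacy"             // notBefore before the cutoff, no contrary evidence
)

func usesSHA1(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// CheckSHA1Policy classifies one certificate. firstSeen is an independent
// timestamp for the certificate's existence (for example its CT log entry);
// pass the zero time if none is known. grace allows for the normal lag
// between issuance and first observation.
func CheckSHA1Policy(cert *x509.Certificate, firstSeen time.Time, grace time.Duration) Finding {
	if !usesSHA1(cert.SignatureAlgorithm) {
		return FindingOK
	}
	if !cert.NotBefore.Before(SHA1Cutoff) {
		return FindingForbidden
	}
	// notBefore is chosen by the issuer, so a pre-2016 value proves nothing by
	// itself; compare it with evidence the issuer does not control.
	if !firstSeen.IsZero() && !firstSeen.Before(SHA1Cutoff) && firstSeen.Sub(cert.NotBefore) > grace {
		return FindingBackdated
	}
	return FindingLegacy
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// newTestCA creates a constructed, self-signed CA that exists only in memory.
func newTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed name
		NotBefore:             date(2015, 1, 1),
		NotAfter:              date(2025, 1, 1),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueLeaf signs a leaf for www.example.com with the requested algorithm and
// notBefore, mimicking a CA that can set both fields to anything it likes.
func issueLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64, alg x509.SignatureAlgorithm, notBefore time.Time) (*x509.Certificate, error) {
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(serial),
		Subject:            pkix.Name{CommonName: "www.example.com"},
		DNSNames:           []string{"www.example.com"},
		NotBefore:          notBefore,
		NotAfter:           notBefore.AddDate(1, 0, 0),
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo issues four constructed leaves and classifies each one. The firstSeen
// values stand in for CT log timestamps and are assumptions for this example.
func Demo() (map[string]Finding, error) {
	ca, caKey, err := newTestCA()
	if err != nil {
		return nil, err
	}
	grace := 14 * 24 * time.Hour
	cases := []struct {
		name      string
		alg       x509.SignatureAlgorithm
		notBefore time.Time
		firstSeen time.Time
	}{
		{"sha256-2016", x509.SHA256WithRSA, date(2016, 3, 1), date(2016, 3, 1)},
		{"sha1-2016", x509.SHA1WithRSA, date(2016, 3, 1), date(2016, 3, 1)},
		{"sha1-backdated", x509.SHA1WithRSA, date(2015, 12, 20), date(2016, 3, 1)},
		{"sha1-dec-2015", x509.SHA1WithRSA, date(2015, 12, 30), date(2016, 1, 5)},
	}
	out := map[string]Finding{}
	for i, c := range cases {
		leaf, err := issueLeaf(ca, caKey, int64(i+2), c.alg, c.notBefore)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", c.name, err)
		}
		out[c.name] = CheckSHA1Policy(leaf, c.firstSeen, grace)
	}
	return out, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, f := range res {
		fmt.Printf("%-16s %s\n", name, f)
	}
}
```

The "sha1-backdated" case is the WoSign pattern: the certificate carries a December 2015 notBefore, so a browser applying the date rule alone would accept it, but its first independent sighting is months later. Note that this program only reads the signature algorithm and dates; it never calls Certificate.Verify, which in Go 1.18 and later refuses SHA-1 signatures outright.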
This initial incident prompted a closer look at WoSign’s issuance practices and has opened a veritable Pandora’s box, revealing a number of other violations. Mozilla has documented 12 separate issues, more than half of which constitute major violations of industry standards. One of the most alarming discoveries was that WoSign’s system allowed applicants to add arbitrary domains to their certificate without proving control over them. This violates one of the most fundamental principles of internet PKI: that a certificate is only issued for domains the applicant has demonstrated control of.
There have also been allegations that WoSign mis-issued a certificate for alicdn.com, a site operated by Alibaba, China’s biggest eCommerce company. It is not yet known whether this certificate was improperly issued, and Mozilla is still investigating how it came to be issued.
On September 4th, WoSign released a formal incident report addressing a handful of the violations that have been discovered. The 20-page report attempted to explain the manner in which these violations had occurred in addition to outlining WoSign’s response and solutions. However, the report raised even more questions, including why it failed to acknowledge other known issues.
Mozilla has also shared evidence that WoSign allegedly acquired another CA, the Israeli company Startcom, in late 2015. The relationship between WoSign and Startcom has been questioned since it was discovered that certificates signed by WoSign could be obtained through Startcom’s StartEncrypt software.
Neither WoSign nor Startcom publicly announced the acquisition. While CAs are often acquired by competitors, it is unusual for it to be done in secret. Gervase Markham, a member of Mozilla’s CA team, notes that while “none of what is described is illegal,” failing to disclose a change of corporate ownership does violate Mozilla’s CA policy requirements and the bylaws of the Certificate Authority & Browser Forum (CA/B Forum). Both CAs have continued to vote in the CA/B Forum as separate parties since the alleged acquisition.
Despite legal incorporation documents stating otherwise, WoSign’s CEO Richard Wang maintains that an acquisition has not (yet) occurred. Wang wrote that “an announcement and disclosure will be made shortly pending completion of the business transaction.”
The entire incident has been a cat and mouse game. Every time WoSign discloses a violation, more problems are found that WoSign missed or failed to disclose. Despite the increased scrutiny, WoSign has continued to give incomplete and imprecise responses. The thread where these incidents are being discussed with WoSign’s CEO Richard Wang has already passed 180 posts and the tone has taken a noticeably negative shift in recent days.
It is still not known how the major browsers will respond to WoSign’s violations, but members of the browser community have expressed concern that WoSign does not appear to have a clear picture of its own operations as a CA: what certificates it is issuing and how those certificates are being validated. If the browsers remove trust in WoSign’s roots, that would effectively be the end of its business as a CA.
Discussions of WoSign’s misconduct have been going on for a month now, and WoSign’s CEO is hoping that the company can soon move past this episode.
“Unfortunately,” wrote Markham, “I think we may be only beginning.”