Woes Worsen for WoSign
The investigation into WoSign is bringing more failures to light.
One of the more troubling breaches of Certificate Authority (CA) trust has been unfolding on Mozilla’s Security Policy forum over the past few weeks. In August, it was discovered that the Chinese CA, WoSign, had issued SSL certificates signed with the SHA-1 algorithm, which has been forbidden by industry requirements since the beginning of 2016.
Complicating things further, the mis-issued certificates had been back-dated so that they appeared to have been issued in 2015 – when SHA-1 was still permissible – allowing them to slip past the measures browsers use to block SHA-1 certificates issued after the cutoff. We covered the original violation late last month.
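The back-dating described above is something a relying party or a site operator can screen for in their own certificate inventory. The following pure-Python check is an added example, not code from the article or from Mozilla or WoSign: it walks the DER structure of an X.509 certificate just far enough to read the signature algorithm and the notBefore date, flags SHA-1 signatures, and flags a SHA-1 certificate whose notBefore predates the 2016-01-01 ban when the certificate was first observed (for instance, by a Certificate Transparency log) well after that date. The sample certificates it audits are constructed, unsigned skeletons built inline for the test; the 30-day back-dating margin and the "first seen" heuristic are assumptions for illustration, and a hit is a lead for investigation, not proof of misconduct.

```python
# Added example (not from the article): audit a DER certificate for SHA-1
# signatures and for notBefore dates that look back-dated around the ban.
from datetime import datetime, timedelta, timezone

SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)  # no new SHA-1 issuance from this date
BACKDATE_MARGIN = timedelta(days=30)                      # assumed tolerance before a gap looks suspicious
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0             # first octet packs the first two arcs
    for b in raw[1:]:                                      # remaining arcs are base-128
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_certificate(der, first_seen=None):
    """Return the signature OID, notBefore and a list of findings for one DER cert.
    first_seen is when the cert was first observed (e.g. a CT log timestamp), if known."""
    (_, cert_body), = _children(der)
    (_, tbs), (_, outer_alg), _sig = _children(cert_body)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    inner_oid = _decode_oid(_children(fields[1][1])[0][1])
    outer_oid = _decode_oid(_children(outer_alg)[0][1])
    not_before = _decode_time(*_children(fields[3][1])[0])
    findings = []
    if inner_oid != outer_oid:
        findings.append("signatureAlgorithm differs from tbsCertificate.signature")
    alg = SHA1_SIGNATURE_OIDS.get(outer_oid)
    if alg:
        findings.append(f"signed with {alg}")
        if not_before >= SHA1_CUTOFF:
            findings.append("SHA-1 certificate with notBefore after the 2016-01-01 ban")
        elif first_seen is not None and first_seen >= SHA1_CUTOFF \
                and first_seen - not_before > BACKDATE_MARGIN:
            findings.append("SHA-1 certificate dated before the ban but first seen well after it: possible back-dating")
    return {"signature_algorithm": outer_oid, "not_before": not_before, "findings": findings}

# --- constructed test certificates (unsigned skeletons, enough for the audit to parse) ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

SHA1_RSA = bytes.fromhex("2a864886f70d010105")             # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")           # 1.2.840.113549.1.1.11

def build_sample_certificate(sig_oid_bytes, not_before, not_after):
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    utctime = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                   # version v3
        _der(0x02, b"\x01"),                               # serialNumber
        alg,                                               # signature
        _der(0x30, b""),                                   # issuer (empty Name, test only)
        _der(0x30, utctime(not_before) + utctime(not_after)),
        _der(0x30, b""),                                   # subject (empty, test only)
        _der(0x30, b""),                                   # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))    # empty BIT STRING stands in for the signature

if __name__ == "__main__":
    cert = build_sample_certificate(SHA1_RSA, utc_date(2015, 12, 20), utc_date(2018, 12, 20))
    print(audit_certificate(cert, first_seen=utc_date(2016, 8, 15)))
```

Running the block prints the findings for a constructed SHA-1 certificate dated December 2015 but first seen in August 2016. In practice the DER bytes would come from a real inventory (for example, via `ssl.DER_cert_to_PEM_cert`'s inverse on a captured chain) and `first_seen` from a CT log or an internal scanner's first observation.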
This initial incident prompted a closer look at WoSign’s issuance practices, and has opened a veritable Pandora’s box, revealing a number of other violations. Mozilla has documented 12 different issues, more than half of which constitute major violations of industry standards. One of the most alarming discoveries was that WoSign’s system allowed users to add arbitrary domains to their certificate without proving ownership over them. This violates one of the most fundamental principles of internet PKI: that users have proved ownership of the requested domains in their certificate.
There have also been allegations that WoSign mis-issued a certificate for alicdn.com – a site operated by Alibaba, China’s biggest eCommerce company. It is not yet known if this certificate was improperly issued, and Mozilla is still investigating how the certificate was issued.
On September 4th, WoSign released a formal incident report addressing a handful of the violations that have been discovered. The 20-page report attempted to explain the manner in which these violations had occurred in addition to outlining WoSign’s response and solutions. However, the report raised even more questions, including why it failed to acknowledge other known issues.
Mozilla has also shared evidence that WoSign allegedly acquired another CA, the Israeli company Startcom, in late 2015. The relationship between WoSign and Startcom has been questioned since it was discovered that certificates signed by WoSign could be acquired through Startcom’s StartEncrypt software.
Neither WoSign nor Startcom publicly announced the acquisition. While CAs are often acquired by competitors, it is unusual for it to be done in secret. Gervase Markham, a member of Mozilla’s CA team, notes that while “none of what is described is illegal,” failure to disclose a change of corporate ownership does violate Mozilla’s CA policy requirements and the bylaws of the Certificate Authority & Browser Forum (CA/B Forum). Both CAs have continued to vote in the CA/B Forum as separate parties since the alleged acquisition.
Despite legal incorporation documents stating otherwise, WoSign’s CEO Richard Wang maintains that an acquisition has not (yet) occurred. Wang wrote “an announcement and disclosure will be made shortly pending completion of the business transaction.”
The entire incident has been a cat-and-mouse game. Every time WoSign discloses a violation, more problems are found that WoSign missed or failed to disclose. Despite the increased scrutiny, WoSign has continued to give incomplete and imprecise responses. The thread where these incidents are being discussed with WoSign’s CEO Richard Wang has already passed 180 posts, and the tone has taken a noticeably negative shift in recent days.
It is still not known how major browsers will respond to WoSign’s violations, but members of the browser community have expressed concern that WoSign does not appear to have a strong awareness of its own operations as a CA: what certificates it is issuing, and how those certificates are being validated. If WoSign is untrusted by the browsers, it will essentially be the end of its business as a CA.
Discussions of WoSign’s misconduct have been going on for a month now, and WoSign’s CEO is hoping that the company can soon move past this episode.
“Unfortunately,” wrote Markham, “I think we may be only beginning.”