WoSign Commits To Certificate Transparency Following Mis-Issuance.
(This story has been updated to reflect new developments after more of WoSign’s past transgressions were brought to light by Mozilla.)
In June, WoSign, China’s largest Certificate Authority (CA), improperly issued a pair of SSL certificates. These certificates violated industry standards and represented a major failing in the CA’s accountability and practices.
The certificates were issued through an API that was not intended to be publicly accessible. The API was discovered by Computest, a Dutch security and performance testing firm. Computest requested and successfully received the two certificates during their investigation. They originally disclosed the incident in July.
The certificates were digitally signed with the SHA-1 hashing algorithm. Signatures are used to ensure the authenticity of an SSL certificate. However, due to SHA-1’s vulnerabilities, it is possible for signatures based on that algorithm to be forged. For that reason, SHA-1 has been officially retired for use with trusted SSL certificates.
As of January 1st of this year, CAs were forbidden from issuing new trusted certificates signed with the SHA-1 algorithm. WoSign had left a system online that was still capable of signing certificates with SHA-1, which could have been used in a malicious attack or been used to create an insecure certificate. Luckily, neither certificate was used maliciously. They were only requested by Computest to test their suspicions. WoSign confirmed that both certificates have been revoked.
When a CA issues a certificate in violation of industry standards that is considered to be a mis-issuance. Anything from improperly encoding data, to entirely failing to authenticate a certificate request, counts as mis-issuance.
More serious violations usually carry punitive action from browser vendors and root programs . Frequently, this means additional oversight or requirements for the non-compliant CA. In the most severe cases of mis-issuance, CAs have been removed from root stores and un-trusted entirely, essentially making their certificates unusable on the internet.
Computest discovered WoSign’s non-compliant API during the course of unrelated research into another CA. At the end of June, Computest found major vulnerabilities in StartCom’s (an Israeli CA) new StartEncrypt software. In their disclosure of StartEncrypt’s problems, Christiaan Ottow described how StartEncrypt had allowed access to WoSign’s API. In 2015 StartCom announced their expansion into China and have a partnership with WoSign.
In an incident report to Mozilla, WoSign’s CEO Richard Wang stated that no one else accessed the API and no additional certificates have been issued. Wang said “we checked our PKI system that only two test cert from Computest issued [sic] this kind of certificate,” in reference to the non-compliant SHA-1 certificates.
There is no evidence that WoSign was intentionally circumventing industry standards. Wang stated that the affected API functionality has been entirely removed.
In response to this mis-issuance, WoSign committed to full participation in Certificate Transparency (CT). CT is a system that creates a public record of issued SSL certificates. It is designed to improve oversight and accountability among CAs. In this case, if it was not for Computest’s research, the affected API in WoSign’s system may not have been discovered or disclosed. It could then have been abused by a malicious actor. Future participation in CT will allow anyone to easily see if Wosign is issuing non-compliant certificates.
Since July 5th, 2016, WoSign has been logging all issued certificates. Currently, participation in CT is mostly optional. By committing to log all of their certificates, WoSign is joining a small number of CAs that are being proactive with transparency.
Update: This morning, Mozilla brought attention to a number of past violations from WoSign.
In a post to their security policy mailing list, Mozilla described two incidents from 2015 in which WoSign improperly followed domain validation procedures.
In light of those events, and this recent SHA-1 mis-issuance, Mozilla has asked for public comments on actions to be taken against WoSign.
WoSign voluntarily committed to full Certificate Transparency logging following June’s mis-issuance. However, it now appears that Mozilla will take further actions against WoSign for their repeated non-compliance.
Last year, another Chinese CA, CNNIC, was untrusted following their widely-publicized mis-issuance for Google domains. CNNIC (China Internet Network Information Centre) is operated by a Chinese state agency.