SSL wosign ssl cert trainwreck

Xon · Aug 31, 2016

An fyi, but it is possible that wosign is going to get a large number of certs blacklisted due to a complete lack of security in their SSL cert issue system.

http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I
The story of how WoSign gave me an SSL certificate for GitHub.com | Schrauger.com

In July 2016, it became clear that there was some problems with the
StartEncrypt automatic issuance service recently deployed by the CA
StartCom. As well as other problems it had, which are outside the scope
of this discussion, changing a simple API parameter in the POST request
on the submission page changed the root certificate to which the
resulting certificate chained up. The value "2" made a certificate
signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free
SSL Certificate G2" and "0" selected "CA 沃通根证书", another root
certificate owned by WoSign and trusted by Firefox.
Click to expand...

Yikes!

eva2000 · Aug 31, 2016

Yeah been reading about that WoSign SSL certs will probably be rendered useless by web browsers if they keep this up !

I'd be sticking with Comodo for paid and Letsencrypt for free SSL certificates. Centmin Mod's acmetool.sh for letsencrypt integration is coming along nicely Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 | Centmin Mod Community

eva2000 · Sep 1, 2016

hmm on very old centos 6 32bit seems StartSSL cert is playing up.. wonder if it has started for revoking of StartSSL/WoSign certs heh

Code (Text):

__|| |__    ___   ___ | | __ | \ | |  __ _ (_) _ __  __  __
        | |    | '_ \  / _ \ / __|| |/ / |  \| | / _` || || '_ \ \ \/ /
        | |___ | | | ||  __/| (__ |   <  | |\  || (_| || || | | | >  <
         \____||_| |_| \___| \___||_|\_\ |_| \_| \__, ||_||_| |_|/_/\_\
                                                 |___/              
                   __  __             _         _        
                  |  \/  |  ___    __| | _   _ | |  ___  ___
                  | |\/| | / _ \  / _` || | | || | / _ \/ __|
                  | |  | || (_) || (_| || |_| || ||  __/\__ \
                  |_|  |_| \___/  \__,_| \__,_||_| \___||___/
                                                         

NGX_DYNAMICCHECK nginx_upgrade.inc
/svr-setup

nginx dynamic module support detected

Check for old ngx_pagespeed master branch existence
Check for missing nginx modules
Download ngx-fancyindex-0.4.0.tar.gz ...
--2016-08-31 23:22:49--  https://centminmod.com/centminmodparts/nginx/modules/ngx-fancyindex-0.4.0.tar.gz
Resolving centminmod.com (centminmod.com)... 45.63.18.5
Connecting to centminmod.com (centminmod.com)|45.63.18.5|:443... connected.
ERROR: cannot verify centminmod.com's certificate, issued by ‘CN=StartCom Class 1 DV Server CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL’:
  Unable to locally verify the issuer's authority.
To connect to centminmod.com insecurely, use `--no-check-certificate'.
Error: ngx-fancyindex-0.4.0.tar.gz download failed.
check Centmin Mod log for details at /root/centminlogs/
Aborting script...

disabled dual ECDSA + RSA SSL certs on centminmod.com as ECDSA was from startssl for testing. So back to just Comodo SSL Wildcard for centminmod.com for RSA 2048bit

Code (Text):

* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.centminmod.com,OU=GGSSL Wildcard SSL,OU=Domain Control Validated
*       start date: Aug 14 00:00:00 2014 GMT
*       expire date: Aug 13 23:59:59 2017 GMT
*       common name: *.centminmod.com
*       issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

hmm seems to be unrelated and due to wget 1.18 source compile issue for centos 6 32bit only, centos 6 64bit and centos 7 seem fine

for centos 6 32bit need to pass the --ca-certificate file path for some reason

Code (Text):

/usr/local/bin/wget -O /dev/nulll https://centminmod.com/centminmodparts/nginx/modules/ngx-fancyindex-0.4.0.tar.gz --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt

guess need to setup a .wgetrc file for centos 6 32bit systems

eva2000 · Sep 12, 2016

WoSign and StartSSL are in deep dodo crap now CA:WoSign Issues - MozillaWiki

This page lists all confirmed or suspected issues involving the CA "WoSign". It will be updated by Mozilla as more information becomes available. Please do not edit this page yourself; if you have proposed changes, email Gerv.

The issues are in chronological order, and have been re-numbered from the original announcement to use letters with gaps in between, for possible future expansion.
Click to expand...

and more importantly Google Groups - basically StartCOM and thus StartSSL changed ownership and is now owned by WoSigns and they deliberately tried to hide this and failed to report the change to Mozilla

Unless there's some contrary evidence presented by representatives of
StartCom and/or WoSign, it seems that StartCom is a fully-controlled
subsidiary of WoSign, and it should be treated as such. Any sanctions
applied to WoSign-branded roots should thus be similarly applied to
StartCom-branded roots.
Click to expand...

On August 21st, 2015 a new company, also called "StartCom CA Ltd", was
created in the UK.[1] This company will be referred to in this document
as "StartCom UK".

100% of the shares of “StartCom CA Ltd” in the UK are listed as being
owned by "StartCom CA Ltd".[2] This seems circular, but our
understanding is it actually refers to StartCom HK, which has the same
name. StartCom UK is documented as having two directors. One is Gaohua
(Richard) Wang, who will be known to you all as he represents WoSign in
this forum and at the CAB Forum. The other, appointed last month, is
Iñigo Barreira, formerly of the CA Izenpe and now of StartCom.

StartCom HK's 100% ownership appears to give it total control over
StartCom UK, including the ability to hire and fire directors at will,
due to a special clause (#73) in the company formation documents.[3]

StartCom HK's Company Registration Number (CRN) is 2271553, which can be
looked up at the Cyber Search Centre of the Integrated Companies
Registry Information System[4] in Hong Kong. There is a requirement for
registration and a small payment, but the relevant documents have been
provided by Mozilla. These documents show that:

* StartCom HK’s documents list only one director, Gaohua (Richard) Wang.[5]

* StartCom HK’s documents appear to show it is 100% owned (10,000
shares) by “WoSign CA Limited”.[6]

We understand that on or around the 1st of November 2015, ownership of
all of the shares in StartCom IL was transferred from 15 different
shareholders (including the majority shareholder, named Revital Nigg) to
the recently-formed StartCom UK.[7] At around the same time, Gaohua
(Richard) Wang became the sole director of StartCom IL.[8] Details of
these changes can be looked up at the appropriate Israeli governmental
department. They require a payment, but are public records, and the
relevant documents have been provided by Mozilla.

So to summarise our understanding: as of today, StartCom IL (sole
director: Richard Wang) is 100% owned by StartCom UK (two directors:
Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK
(sole director: Richard Wang), which is 100% owned by the CA WoSign
(CEO: Richard Wang).

It is important to note that there is nothing confidential about any of
the above and none of what is described is illegal. Company ownership
information in these jurisdictions is public information. CAs have been
bought and sold in the past. However, the following aspects of the
situation are problematic:

A) Mozilla's CA policy has a requirement that:

"We require that all CAs whose certificates are distributed with our
software products notify us... when the ownership control of the CA’s
certificate(s) changes, or when ownership control of the CA’s operations
changes."[9]

It seems clear to us from the above account that, if our understanding
is correct, this transaction fits this requirement - ownership control
of the CA's operations has changed, and StartCom is now wholly owned and
controlled by WoSign. However, the change in ownership was not reported
to Mozilla.

B) When questioned, representatives of StartCom and WoSign have
specifically denied that anything had happened which needed to be
reported to Mozilla, even when this particular clause of the policy was
drawn to their attention.
Click to expand...

C) Though browsers were already in the process of investigating this
ownership structure due to independent reports, when a former employee
of StartCom attempted to raise broader awareness of these concerns,
StartCom responded with legal threats. Without taking a position on the
validity of any legal action, we do find it worrying that such
disclosure would be met with denials and what appears to be an attempt
to suppress this public information, as it does not engender confidence
or trust.

Additionally, it is notable that StartCom and WoSign, despite this
relationship, have continued to exercise two votes in the CAB Forum.
Both companies voted on ballots 175, 171, 168, 165, 162, 156 and 153,
all of which were voted on after November 1st 2015. (In no case were
these the deciding votes.) They also provided both endorsers for ballot
175. By contrast, the CA brands Symantec, Verisign and Thawte together
have a single vote because they are controlled by the same company. This
latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote
per Member company shall be accepted; representatives of corporate
affiliates shall not vote.”[12]

The purpose of the Mozilla rules on ownership transfer disclosure is to
help maintain public trust through transparency. While definitions can
never be watertight and entirely clear, we feel that this transaction is
not in a grey area, and should have been disclosed. 48 hours ago, we
asked representatives of WoSign and StartCom for their comments on these
findings, asking them to respond by 08:00 UTC today, but we have not yet
had a response on this issue.

This issue is recorded as "Issue R" on the list of WoSign issues:
CA:WoSign Issues - MozillaWiki
Click to expand...

Talks of revoking WoSign and now StartSSL from CA trust in browsers would be huge. Everyone owning WoSign or StartSSL certs will have broken and invalid certs !

eva2000 · Sep 12, 2016

Turning nasty now China’s WoSign CA found to threaten users of Let’s Encrypt CA | VPN Service Reviews 2016 | VPNPick.com !

However, users of the free service by Let’s Encrypt CA recently received an email from China’s WoSign CA, threatening users that “If oversea CA faces influences from international political risks and revoke certificates of certain important institutions in China, their system will be in a complete paralysis and affect users’ experience.”
Click to expand...

though maybe lost in translation as i don't see it as threats but heads up warnings

eva2000 · Sep 13, 2016

More interesting reading on WoSign at ca-incidents - Cryto GIT

eva2000 · Sep 27, 2016

first nail in coffin for StartSSL/WoSign SSL certificate users as Firefox/Mozilla plan to distrust their newly issued SSL certificates from their browser WoSign and StartCom - Google Docs

Proposed Action

The above information, along with the list of WoSign issues, makes up the current state of our investigation. We are open to accepting further evidence, including whether there are any significant errors in the above which would affect the narrative, whether there have been any other problems with WoSign or StartCom’s certificate issuance, and also any data relevant to our current view that it is appropriate to treat these two CAs together. However, we also feel it is necessary at this point to take some steps towards a conclusion.

In our policy newsgroup, WoSign proposed that an appropriate response to this list of issues (or the subset of them known at the time they made their proposal, which did not include any of the SHA-1 backdating information) would be to constrain them to issuing in the China market only in future. However, we don’t feel that Mozilla’s users in China have lower requirements for CA trustworthiness than Mozilla’s users elsewhere.

Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.

We plan to distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses. Our proposal is that we determine “newly issued” by examining the notBefore date in the certificates. It is true that this date is chosen by the CA and therefore WoSign/StartCom could back-date certificates to get around this restriction.
Click to expand...

And there is, as we have explained, evidence that they have done this in the past. However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots.

This distrust would remain for a minimum of 1 year. After that time, WoSign/StartCom may be readmitted to the Mozilla trust program, under the following conditions:

A Point-In-Time Readiness Audit (PITRA) from a Mozilla-agreed WebTrust auditor;
A full code security audit of their issuing infrastructure from a Mozilla-chosen security auditor;

100% embedded CT for all issued certificates, logged to at least one Google and one non-Google log not controlled by WoSign/StartCom;
Going through the normal Mozilla inclusion process.

Only certificates issued after the above audits were complete would be trusted. In addition, Mozilla will:

add all of the Macau certificates, including the Tyro ones, to OneCRL immediately; and

no longer accept audits carried out by Ernst & Young (Hong Kong).

Click to expand...

eva2000 · Sep 27, 2016

More news of this

Mozilla wants woeful WoSign certs off the list • The Register

Mozilla Ready to Ban WoSign Certificates for One Year After Shady Behavior

A permanent ban may be applied

Mozilla says this temporary ban will be applied only to newly issued certificates from both companies, and not to certificates already deployed to their customers.

If the two companies don't pass a series of tests after the one-year ban, the Foundation is ready to ban all certificates from both companies for good.
Click to expand...

eva2000 · Oct 2, 2016

the punches keep on landing.. Apple says no to WoSign/StartSSL certs (well their intermediate) too Google Groups

Blocking Trust for WoSign CA Free SSL Certificate G2

Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.

In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.

As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.

Regards,

Apple Root Certificate Program
Click to expand...

eva2000 · Nov 1, 2016

Google has done it SSL - Google Chrome 56+ distrusting WoSign, StartSSL/StartCom SSL certificates ! | Centmin Mod Community

Xon · Nov 1, 2016

Just posted that on xenforo.com too.

Log in / Register

Forums

Welcome to Centmin Mod Community

SSL wosign ssl cert trainwreck

Xon Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

.

Log in / Register

Useful Searches

Welcome to Centmin Mod Community

SSL wosign ssl cert trainwreck

Xon Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

.