
The story of how WoSign gave me an SSL certificate for GitHub - schrauger
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
======
0x0
Their policy page at
[http://www.wosign.com/policy/](http://www.wosign.com/policy/) currently
renders backend source code in plain text...

~~~
cpeterso
And it's VBScript!

    
    
      <%
      Dim strAcceptLanguage
      strAcceptLanguage=Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")
      'response.write strAcceptLanguage
      if instr(strAcceptLanguage,"zh")>0 then
          Response.Redirect "cps.htm"
      else
          Response.Redirect "cps_e.htm"
      end if
      %>

~~~
contingencies
So much of China runs on Windows scripting it's horrific. That is changing,
but slowly.

------
est
So OP mentioned a question posted to stackexchange, clicked link, expected
closed.

[https://security.stackexchange.com/questions/91292/](https://security.stackexchange.com/questions/91292/)

LOL good ol' stackexchange, closed as duplicate.

~~~
schrauger
Yeah, I still think it shouldn't be considered a duplicate. Especially since
going directly to WoSign didn't end up solving the overall problem, which is
what the linked duplicate question says to do.

------
daxelrod
This is great additional detail on the WoSign fiasco. Also discussed yesterday
here:
[https://news.ycombinator.com/item?id=12389573](https://news.ycombinator.com/item?id=12389573)

------
ryanmarsh
Stuff like this is depressing. Are we ever going to have any semblance of
privacy and security on the Internet?

Everyone has been hacked, political figures, governments, businesses. In 100
years I think people are going to look back on this time and think we were all
crazy like how we see safety in the early auto industry.

~~~
Hondor
The early auto industry? They'll likely think we're crazy looking at our
current auto industry. Who doesn't know anyone who was killed or seriously
injured in a car crash?

~~~
MichaelGG
How much of that is avoidable though? You still have people zooming around in
big metal/composite boxes. There's only so much that can be done, especially
given the culture around cars.

------
jeff_marshall
from the article:

>Domain validation is hard. It isn't as simple as one may think, and WoSign
isn't the first to have a problem. They are still a trusted CA for now, and
hopefully they will get their act together quickly.

The vulnerability exposed seems like a basic unit test to me (only assume
ownership of validated domains or sub-domains - NOT all domains with a common
root (or perhaps substring? the article is sparse on details)).

I had already lost faith in the 'everyone can be a root if they describe their
process' model of trust before reading this post, but if software vendors that
rely on trust anchors on their users' behalf can't be bothered to do even basic
due diligence beyond vendor-sponsored audits, I'm left speechless.

Perhaps my experience with FIPS-140 has jaded me, but after seeing so much
more money spent on paper-pushing than actual vulnerability assessment (and
remediation), I can't help but feel lost after reading this.
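The check the comment describes ("only assume ownership of validated domains or sub-domains"), written out as the kind of unit-testable authorization step a CA's issuance pipeline would run. This is an added example, not code from the article, the thread, or any CA; the two "naive" functions are constructed to show how a common-root or substring comparison over-authorizes, and `evilgithub.com` is a made-up name used only as test input.

```python
"""Domain-authorization check for certificate issuance (added example).

A requested SAN is authorized only when it is exactly a validated name or a
proper subdomain of one, compared label by label. Two deliberately naive
checks are included to show the failure modes the thread discusses:
a plain suffix match and a "same registrable root" match.
"""


def _labels(name):
    """Normalize a DNS name and split it into labels.

    Lowercases, strips a trailing dot, and rejects empty labels so that
    'github..com' or '.github.com' cannot slip through as a near-match.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError("malformed DNS name: %r" % name)
    return labels


def naive_suffix_authorized(requested, validated):
    """BUGGY: string suffix match. 'evilgithub.com' passes for 'github.com'."""
    return requested.lower().endswith(validated.lower())


def naive_root_authorized(requested, validated):
    """BUGGY: treats any two names sharing their last two labels as one owner,
    so validating 'x.github.io' would authorize 'github.io' itself."""
    return _labels(requested)[-2:] == _labels(validated)[-2:]


def authorized(requested, validated_names):
    """Correct rule: requested == validated, or requested is a subdomain of
    validated (label-wise). Whether a given validation method may extend to
    subdomains at all is CA policy; this function only enforces the direction
    (a validated subdomain never authorizes its parent or a sibling)."""
    req = _labels(requested)
    for v in validated_names:
        val = _labels(v)
        if len(req) >= len(val) and req[-len(val):] == val:
            return True
    return False


def unauthorized_sans(requested_sans, validated_names):
    """Return the SANs in a request that the validated names do not cover.
    An issuance pipeline would refuse the whole request if this is non-empty."""
    return [san for san in requested_sans if not authorized(san, validated_names)]


if __name__ == "__main__":
    # Constructed request: the requester proved control of one GitHub Pages
    # subdomain and then asks for the parent domains as extra SANs.
    validated = ["schrauger.github.io"]
    request = ["schrauger.github.io", "github.io", "github.com"]
    print("rejected SANs:", unauthorized_sans(request, validated))
    print("naive root check lets github.io through:",
          naive_root_authorized("github.io", "schrauger.github.io"))
    print("naive suffix check lets evilgithub.com through:",
          naive_suffix_authorized("evilgithub.com", "github.com"))
```

The label-wise comparison is the whole point: `"evilgithub.com".endswith("github.com")` is true as a string operation, and sharing the last two labels says nothing about who controls a subdomain. Running the block shows the correct rule rejecting `github.io` and `github.com` while both naive checks accept a name they should not.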

------
anilgulecha
This is nuts.

The only long-term solution here is a distributed, decentralized DNS service.
When there's "default-trust" at some locations (browser CAs), there are weak
points in the security chain.

What are the best available dDNS solutions? Ideally these are initially
backward compatible with regular DNS to help adoption, and then just disregard
CAs.

~~~
anilgulecha
Oh and browser vendors, distrust WoSign now!

Imagine your regular developer performing a npm install which pulls in code
from a compromised MITMed github URL. That's straightforward rootkit compile
and install access!

~~~
thesimon
>Oh and browser vendors, distrust WoSign now!

It's not like a lot happened to other authorities (a few pinky-promises).

------
hughw
The root cert for www.schrauger.com is StartCom Certificate Authority. Isn't
it their (StartCom's) responsibility to make sure the owner of Certification
Authority of WoSign (the next cert in the chain) is acting in accord with some
terms and conditions? Secondly, should the browser vendors remove StartCom CA
as a trusted root? Do they not do that because all the StartSSL sites would
break? Fine with me, personally.

[Edited to clarify who "their" meant]

~~~
schrauger
WoSign is included as a root certificate. When they first started, they
weren't in all browser stores, so StartCom cross-signed their root
certificate.

That way, WoSign could create certificates while they waited for browsers to
update with their root certificate. It also helps for legacy/embedded systems
that don't get updates, since StartCom has existed far longer. Due to the
cross-sign, all WoSign certificates are still compatible.

~~~
hughw
OK thanks. Doesn't StartCom bear responsibility for the behavior of the entity
they cross-signed for?

~~~
Redoubts
Supposedly they were bought by WoSign

[http://letsphish.clonezone.link/part1](http://letsphish.clonezone.link/part1)

I say supposedly because this is an archive of the original domain

[https://www.letsphish.org/](https://www.letsphish.org/)

which now says

    
    
      > September 1, 2016:
      > I'm currently going under legal review of the site.
      > Content will not be available during this period.

------
VMG
What's the best way to disable the WoSign cert on Arch Linux?

~~~
nmc
The GUI way:
[https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate](https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate)

The CLI way:
[http://unix.stackexchange.com/a/285831](http://unix.stackexchange.com/a/285831)

~~~
VMG
Thanks! I hoped it wasn't a per-browser procedure; it doesn't seem to work for
Chrome :/

Edit: Chrome(ium) has a cert manager under "Settings" that allows editing
certificate trust levels.

