
Apple's response to the WoSign incidents - abritishguy
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI
======
vtlynch
Couple notes for people less familiar with the Internet PKI/CA industry:

1\. WoSign (who also owns StartCom) violated all sorts of industry standards.
The worst of them was circumventing the SHA-1 deprecation by backdating an SSL
certificate.

2\. Now all the root programs (Mozilla, Apple, Microsoft, and Google) need to
decide how they will react to this.

3\. Mozilla proposed dis-trusting all new WoSign/StartCom certificates and
giving them a chance to re-apply as a trusted CA in a year. This is only their
proposed action, and they have not totally committed to it.

4\. Apple has now said they will take similar action to Mozilla. Apple will
block a specific intermediate certificate: "WoSign CA Free SSL Certificate G2"

But they will continue to "trust individual existing certificates" if they had
been published to Certificate Transparency logs by September 19th.

While I have not personally confirmed this, my understanding is that there are
other Wosign certificates that are trusted on Apple via cross-signing. So this
seems like an incomplete solution - in the sense that some WoSign certificates
(mainly the commercial certificates they sell, vs the ones they give away for
free) will remain unaffected in anyway.

(Someone more familiar with the specifics of the Apple root store may be able
to provide more clarity here)

5\. Google and Microsoft have not yet committed to any action yet. Google will
certainly make a detailed public announcement when they are ready.

6\. Mozilla is meeting with QiHoo (a chinese tech company which owns a
majority stake in WoSign). It is expected that Mozilla will make a final
decision following this meeting.

~~~
JohnTHaller
For those who may not remember or may not have heard, QiHoo is the company
behind the most popular scam browsers in the world: Qihoo 360 Secure. It was
one of the most popular browsers in China with 28% of the market a few years
ago. It used an IE logo colored green, force-uninstalled competing browsers by
claiming they were unsafe, made uninstallation so difficult you'd often have
to re-image the machine, breaks SSL, can expose user passwords, etc.

Remember, this is a "security" company.

It's rather fascinating:
[https://webdesign.tutsplus.com/articles/qihoo-360-secure-
the...](https://webdesign.tutsplus.com/articles/qihoo-360-secure-the-most-
popular-browser-youve-never-heard-of--cms-24074)

Personally, I wouldn't trust anything this "security" company is connected
with anywhere need my devices, software, or business.

~~~
jedberg
And yet, unless you go through the effort of removing every trusted CA from
your browser, you implicitly trust them because Mozilla/Google/etc. do.

And thus why the CA system is broken in a nutshell.

~~~
mixedCase
>And thus why the CA system is broken in a nutshell.

I wouldn't call it broken. From what I see on Linux and Windows, Chrom[e|ium]
relies on the system's trusted certificates. You always have the last says on
who's in and who's out.

EDIT: Just checked, the Chromium-specific trusted CAs can be revoked through
its configuration interface, doesn't just rely on system certs. Important
detail, but still, user has the last word.

------
TazeTSchnitzel
Previously on HN, Mozilla's response to WoSign (also a good summary of what
they'd done wrong):
[https://news.ycombinator.com/item?id=12582534](https://news.ycombinator.com/item?id=12582534)

------
mrweasel
That should serve as a clear warning to other certificate authorities. Behave
or you will be ruined. For most CAs having either Apple, Mozilla, Microsoft or
Google remove your root certificate will drive customers away to the point
where you might as well close up shop.

~~~
glasz
nobody has been ruined just yet. and when i look at how sheepishly slow
mozilla reacts my guess is nobody will ever really get thrown out of that
club.

what they've done is clear. it's been misconduct as a ca. untrust them. done.
fuck you.

~~~
oasisbob
Representatives of Google, Apple, and Mozilla have all dismissed the
suitability of a fast reactionary nuclear approach.

There are plenty of innocent sites who use WoSign/Startcom certificates.

It's easy to be flippant when you're not actually responsible for a browser
which users use, and need to worry about adverse side-effects. You kill WoSign
overnight and you now have millions of users habituated to ignoring TLS
errors, and now know how to override internal browser security settings.

Hope it was worth it.

------
l2dy
I came across this: [https://support.apple.com/en-
us/HT204132](https://support.apple.com/en-us/HT204132) earlier today.

------
byuu
Sorry if this is obvious to others, but just to be clear ...

As it's widely reported that WoSign has taken over StartCom's infrastructure,
this implies that StartCom StartSSL Free certificates going forward won't be
trusted by Apple either, correct?

It also sounds a little strange to only call out the free certificates. Are
they going to allow new paid OV/EV (and what they call 'IV') certificates to
remain valid?

~~~
oasisbob
My read on the announcement is that they won't be taking action against the
StartCom CA & intermediates at this time.

The WoSign existing-certs exemption probably involves a whitelist they're
shipping along with the OS. A lot of the feasibility discussions on this
approach have centered on the size of the required whitelist [1]. Taking the
same approach with StartCom may not be possible due to the scale. Also,
StartCom certificates don't have the same coverage in the Certificate
Transparency logs - so the certificate dating is problematic.

Hmmm, thinking about this now, if I were Wosign, I would be having a fire sale
on StartCom. Selling the brand immediately (maybe to an existing competent CA)
and asking the trust store operators for understanding (probably conditioned
on full CT reporting) might be a way to recoup some losses out of all this
mess.

Representatives of Qihoo 360, StartCom, and Mozilla are meeting in London next
week. I'm very curious what they will be discussing. [2]

[1]
[https://groups.google.com/d/msg/mozilla.dev.security.policy/...](https://groups.google.com/d/msg/mozilla.dev.security.policy/O_oCZafjfF4/fiOUpeeEEAAJ)
[2]
[https://groups.google.com/d/msg/mozilla.dev.security.policy/...](https://groups.google.com/d/msg/mozilla.dev.security.policy/1XI3Y7PJ1Uc/exSBjnFzFQAJ)

------
oneplane
Seems like a sensible response. I do wonder how they will know what
certificates are currently signed by WoSign, as they stated that individual
certificates will still be trusted somehow.

~~~
vtlynch
Apple will continue to trust existing certs from WoSign (provided they are CT
logged). New certs will not be trusted.

mac OS will make this decision by first looking at signatures. It will receive
the "end-entity" certificate (a cert for a specific site, like example.com)
and while checking the chain, will see that there is a signature from the
"WoSign CA Free SSL Certificate G2 intermediate CA" certificate.

It will then look at the "notBefore" date listed in the certificate, which
tells you when the certificate was issued. If it is a new certificate, it will
not be trusted.

If the certificate is preexisting (presumably issued before 9/19/16) it will
be trusted ONLY if the certificate is CT logged. It will know if this is the
case by looking for an SCT belonging to that certificate. The SCT will either
be embedded directly in the certificate, or provided with the certificate
during the SSL handshake (this is known as "stapling").

~~~
xnyhps
> If the certificate is preexisting (presumably issued before 9/19/16) it will
> be trusted ONLY if the certificate is CT logged. It will know if this is the
> case by looking for an SCT belonging to that certificate. The SCT will
> either be embedded directly in the certificate, or provided with the
> certificate during the SSL handshake (this is known as "stapling").

I doubt they'll do it this way. WoSign has only been embedding SCTs for all
certificates since July and I wouldn't count on many webservers implementing
SCT stapling. I expect Apple to ship a whitelist of hashes of certs that
should be trusted instead.

------
fowl2
Interesting that Apple's root program is effectively anonymous– sent from a
group alias and signed off as a program.

------
Animats
The John Ringo approach, from "Citadel". A Chinese supplier cut corners on the
gold plating of a contact and caused a major accident. The response:

 _" The supplier, Qua Tang Electronics, is blacklisted. Find every person
associated, every member of the board, every senior officer, and blacklist any
company they are associated with as well. With something like this, and the
Chinese, there is no overkill. Be wildly unaimed in your fire. Nuke first, ask
questions afterward. Make the pain as widespread as possible."_

