
WoSign and StartCom: Mozilla’s proposed conclusion - aestetix
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview
======
tux3
>We also hope the public can see that when there are allegations of CA
wrongdoing, Mozilla is committed to a fair, transparent and thorough
investigation of the facts of each case.

I'm very happy to see the way Mozilla handled this incident, both with the
process and the conclusion. I have a moderate trust in the CA ecosystem as a
whole, but I'm glad to see that overwhelming incompetence, if not outright
maliciousness, does have consequences even to big CAs.

At first though the proposed one year timeout can seem a little short given
the impressive list of reported issues, but the conditions given for re-
acceptance are strict enough that passing could only indicate a radical change
in methodology, at which point it would only make good sense to consider a re-
inclusion.

In fact if every CA could take a full code security audit and provide complete
certificate transparency in the manner proposed, I think we would have reason
to feel marginally safer on the Internet.

~~~
vtlynch
>In fact if every CA could take a full code security audit and provide
complete certificate transparency in the manner proposed

Given the risks that screwups have to their business, I would think CAs would
VOLUNTARILY do this.

~~~
imglorp
Giggle.

Look at Diebold's numerous malfeasance issues in ATM and voting industries. If
anything, they have much more to lose by voluntary audit.

Unsavory CAs might well be in the same position.

~~~
vtlynch
Can you elaborate? I am not familiar with the specifics of Diebold's problems
and how a voluntary audit (which they could choose to keep private and use for
internal assessment) would hurt them more than not knowing the risks.

------
no_protocol
A clear and detailed report. The conclusion seems both transparent and fair.
It would be very difficult for many customers of StartCom/WoSign if they were
immediately revoked. Hopefully this news spreads far enough that the
reputation of StartCom/WoSign will generally include this information.

I am saving this as a reference in the event I ever need to write a technical
report. This style is so much easier to read than a typical "official" report
from police, the FBI, or similar organizations.

I don't have any StartCom or WoSign certificates right now, but I did in the
past. It was nice to be able to get a certificate that browsers accepted,
without needing to pay for it. I'm glad the landscape has changed.

~~~
TorKlingberg
Yes, we are very fortunate to have Let's Encrypt now.

~~~
justinclift
One problem - at least for the project I'm working on - is that Let's Encrypt
isn't a replacement for all of StartCom.

We use a StartCom "MS Authenticode" certificate to sign our releases, so
Windows users don't get a warning message from the various anti-malware
scanners (and similar).

At first glance it sounds like Mozilla not accepting new StartCom certs at
some point won't affect that. It may snowball, but that's an unknown. o_O

~~~
edwinyzh
Same here, I've just recently obtained a "Class 2 Code Signing" certificate
from StartCom to digitally sign my Windows software - as an individual software
developer from China, I don't even have alternative options - I tried
purchasing from Comodo, but unfortunately their process for checking
individuals from outside of the US is extremely difficult.

So I wish this would not affect the certificates StartCom issued for code
signing.

~~~
vsl
I use (reasonably cheap, using MSDN discount) DigiCert one, and I'm an
individual living outside US. Very little hassle involved.

~~~
edwinyzh
Thanks for the info, will DigiCert once the StartCom code signing cert. is no
longer relevant on Windows :;

------
koolba
I like this part at the end:

> In addition, Mozilla will:

> add all of the Macau certificates to OneCRL immediately;

> and no longer accept audits carried out by Ernst & Young (Hong Kong).

If you don't hold the auditors responsible, this will happen again. If you do
hold the auditors responsible, you might prevent some of this.

------
pquerna
While most of the doc focused on StartCom/WoSign, I thought this bit at the
end was interesting:

> no longer accept audits carried out by Ernst & Young (Hong Kong).

To reject audits from E&Y.... It makes me wonder about the transparency and
trust we put in the auditors as being a key part of CA validation process.

~~~
chillydawg
Auditors and ratings agencies and their ilk are a fundamentally broken service
in our society. On the one hand they have to make money and on the other they
have to be honest. The two are simply not compatible, seemingly. Eg: ratings
agencies happily giving top tier ratings to mortgages back in pre 2008.

~~~
pquerna
Completely Agree!

When you think down this path, it's why Certificate Transparency Logs make even
more sense -- Yes, it's still ideal that a CA operates in a "good" way, but
using the Cert Logs you know everything they have signed, so a rogue actor has
a limited ability to sign something they shouldn't, and as seen by Mozilla's
document, they used the Cert Transparency logs as part of their evidence.

------
tptacek
Mozilla and Chrome are killing StartCom. This is huge, isn't it? StartCom is
one of the more popular CAs.

 _Later:_

Additional fun fact: there's a decent-sized subthread on the mailing list in
which it's strongly suggested that WoSign is itself quietly owned by Qihoo360,
a much larger company --- somewhat like the Symantec of China.

More specifically:

[https://twitter.com/pzb/status/780456712562024448](https://twitter.com/pzb/status/780456712562024448)

~~~
daenney
They're not "killing" anyone. They have reasonable doubt that the CA has
misrepresented the truth and engaged in practices that violate the rules set
forth by the CAB and those for inclusion in the Mozilla trust store. There
will have to be consequences for else it means nothing.

They're also very clear that they do not intend to invalidate any already
issued certificates, only new ones after a specific, yet to be decided, date
and that they remain open to re-inclusion after the year's time-out and
passing the normal inclusion tests. However, they rightfully set forth a
requirement for some audits to take place by Mozilla appointed parties. For
this I'm particularly thankful as if the auditors are allowed to keep doing
this kind of hodge-bodge botch job the already strained trust in CAs is
further weakened.

~~~
azernik
They're absolutely killing WoSign/Startcom. It's totally justified, but it's
what they're doing.

~~~
r00fus
WoSign/Startcom signed their own "death warrant" by engaging in fraud.

I only wish death sentences for companies participating in blatantly
fraudulent activities would be issued more regularly by regulatory agencies.

------
ylere
Well shit. I always liked StartCom because of their approach to charge for
verification (with increasing costs for each higher trust level) but not for
issuing certs (while still manually checking every cert request, at least for
any OV&EV cert in my case). This entire WoSign acquisition is incredibly
shady. Shortly after that some of the customer reps had Chinese names, service
quality declined and we got offered to become an "Intermediate CA" (StartPKI)
for 10k$/yr.

What is the best alternative CA that also offers wildcard certificates
(preferably with a similar business model)?

~~~
finnn
What use case do you have for wildcards that you can't use Let's Encrypt or
similar automated issuance? Just curious, as I've yet to hear a terribly
compelling one...

~~~
dlgeek
Not the parent, but wildcard certs are necessary for compatibility with
clients that don't support SNI (ex: IE on WinXP)

~~~
xorcist
No. You could also issue SubjectAltName certificates. Works fine with XP.

------
Negitivefrags
I'm not going to defend WoSign/StartCom's shady tactics, but the way the
deprecation of SHA1 was performed puts people in a pretty shitty position.

You can't support Windows XP users who use IE anymore with HTTPS.

In the western world, that number is very small. It's around 1% still using XP
and most of those people are probably not using IE anymore.

In china though, that number is still >5%, and I got that number personally
from the metrics of a game that we just deployed an alpha for in China. I
would bet that given the way the alpha test keys were handed out that the
amount of Windows XP users in the general population is probably much much
higher.

So what is the response if you can't support a significant portion of your
user base? Well for a bunch of Chinese websites the result is _don't use
HTTPS at all_. We have seen advice that "HTTPS causes problems for users in
China so we think it's a bad idea to use it". It's not a good situation.

~~~
jvehent
> You can't support Windows XP users who use IE anymore with HTTPs.

Sure you can. Just ask a CA that has an old root trusted by XP but no longer
trusted by modern browsers, and they'll issue a SHA-1 cert for you without
risking to get kicked out of the truststores.

~~~
Negitivefrags
And what about all the modern browsers you also need to support?

~~~
pfg
It's possible to determine whether a client supports certificates using SHA-2
by analyzing the ClientHello and use that to switch between a SHA-1 and SHA-2
certificate. CloudFlare[1] and some of the bigger sites like Facebook have
done this.

[1]: [https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/](https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/)

~~~
prdonahue
And here's the technical detail of how we do it:
[https://blog.cloudflare.com/tls-certificate-optimization-technical-details/](https://blog.cloudflare.com/tls-certificate-optimization-technical-details/).

~~~
Negitivefrags
Is there actually an open source implementation of this though?

I've looked, but never found one, though that was quite some time ago. Perhaps
things have changed.

This approach is beyond the ability of most to implement for themselves if
they don't have support from their webserver for it.

~~~
jvehent
You can do it with HAProxy by checking for SNI and falling back to a SHA1 cert
when the extension is absent.
[https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy](https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy)
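
Added example (not part of the thread, and not Cloudflare's or HAProxy's code): a sketch of the certificate selection pfg and jvehent describe above. It parses a raw ClientHello and picks the SHA-1 certificate only when the client advertises neither a SHA-2 hash in `signature_algorithms` nor SNI. The function names, the combined heuristic and the sample hellos are assumptions constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0            # SNI extension type
EXT_SIGNATURE_ALGORITHMS = 13  # TLS 1.2 signature_algorithms extension type
SHA2_HASH_IDS = {4, 5, 6}      # TLS 1.2 HashAlgorithm: sha256, sha384, sha512


def parse_extensions(record: bytes) -> dict:
    """Return {extension_type: data} from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        exts = {}
        if pos == len(body):       # very old clients send no extension block at all
            return exts
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    if pos != end or end > len(body):
        raise ValueError("malformed extension block")
    return exts


def advertises_sha2(exts: dict) -> bool:
    """True if signature_algorithms lists at least one SHA-2 hash."""
    data = exts.get(EXT_SIGNATURE_ALGORITHMS)
    if data is None or len(data) < 2:
        return False
    pairs = data[2:2 + struct.unpack(">H", data[:2])[0]]
    # Each entry is (hash_id, signature_id); only the hash id matters here.
    return any(pairs[i] in SHA2_HASH_IDS for i in range(0, len(pairs) - 1, 2))


def choose_certificate(record: bytes) -> str:
    """Return 'sha256' or 'sha1' (hypothetical labels for two configured certs)."""
    exts = parse_extensions(record)
    if advertises_sha2(exts) or EXT_SERVER_NAME in exts:
        return "sha256"
    return "sha1"  # no SHA-2 signal and no SNI: treat as a legacy client


def build_client_hello(extensions=None) -> bytes:
    """Construct a minimal sample ClientHello record (constructed test input)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"        # TLS 1.0, zero random, no session id
    body += struct.pack(">H", 2) + b"\x00\x2f"      # one cipher suite
    body += b"\x01\x00"                             # null compression only
    if extensions is not None:
        blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(blob)) + blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed extension payloads for the sample hellos.
_NAME = b"example.com"
SNI = struct.pack(">H", len(_NAME) + 3) + b"\x00" + struct.pack(">H", len(_NAME)) + _NAME
SIGALGS_MODERN = struct.pack(">H", 4) + b"\x04\x01\x02\x01"  # sha256/rsa, sha1/rsa
SIGALGS_SHA1_ONLY = struct.pack(">H", 2) + b"\x02\x01"       # sha1/rsa

if __name__ == "__main__":
    modern = build_client_hello([(EXT_SERVER_NAME, SNI),
                                 (EXT_SIGNATURE_ALGORITHMS, SIGALGS_MODERN)])
    legacy = build_client_hello()                   # no extensions, like IE on XP
    print("modern ->", choose_certificate(modern))
    print("legacy ->", choose_certificate(legacy))
```
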

------
stonogo
Now that StartSSL is effectively deceased, is there a commercial CA that
supports the ACME protocol? Or is the ACME protocol a vanity project unique to
Let's Encrypt?

I manage several dozen certificates; I was very pleased when StartSSL offered
an automated API to work with. Despite their flaws, they offered EV certs,
wildcards, and automated one-shots, and it was very convenient.

I'd gladly pay for this functionality, preferably while supporting standards-
based ACME functionality... but so far it seems Let's Encrypt is the only one
playing that game, and their featureset is crap for anything but their very
narrow use case.

Any advice, HN?

~~~
agwa
I'm the founder of SSLMate, which resells Comodo and GeoTrust certs with an
automated, ACME-like API: [https://sslmate.com](https://sslmate.com)

Our API predates ACME, but we'll most likely be implementing ACME once it's
finalized.

~~~
scrollaway
What's your take on the Comodo trademark claim on Let's Encrypt, and all the
BS that ensued?

[https://news.ycombinator.com/item?id=11964583](https://news.ycombinator.com/item?id=11964583)

I personally immediately replaced all of my and my company's Comodo
certificates with DigiCert ones.

~~~
agwa
The incident was terrible, but it is not a reflection on how their CA is run.
They run a trustworthy CA and employ some really awesome and competent people
(e.g. Rob Stradling) who actively contribute to improving the Web PKI, such as
by (co-)authoring the CAA, Must-Staple, and Certificate Transparency
standards. They run [https://crt.sh](https://crt.sh), which is an invaluable
resource for investigating Web PKI problems (the Mozilla report and associated
mailing list threads are peppered with crt.sh links). If their trademark
filings had amounted to actual legal threats against Let's Encrypt I would
hesitate to send them business, but it seems more like their CEO is just a
giant blowhard. The good they do makes up for it.

In contrast, I'm much more appalled by Symantec/GeoTrust's misdeeds (e.g.
issuing unauthorized "test" certificates for google.com, badly botching the
SHA-1 deprecation, cross-signing the US Federal PKI). I think Symantec is
incompetent and contributes negatively to the Web PKI. I no longer issue their
certificates by default, and am going to replace them with a different CA.

~~~
scrollaway
Thanks for the insight!

------
geofft
This is a very detailed investigation - the parts that appear to be new are
the specific serial number patterns, the times/dates of manual issuance, and
the case of the Tyro SHA-1 cert.

It's a little unfortunate that Mozilla's option here is to rely on WoSign and
StartCom continuing to be honest about notBefore, or really, on Google
detecting further abuse of notBefore via Certificate Transparency. Mozilla
should really be participating in CT themselves so they have more options
here. Is there anything the community can do to help (e.g., run more log
servers)?

~~~
xnyhps
> Google detecting further abuse of notBefore via Certificate Transparency

You don't need to rely on Google. All certs issued by WoSign since January
1st, 2015 should be on WoSign's own Certificate Transparency log from which
you can download them. StartCom is logging all new certs too, but I don't know
for sure if they pushed all older ones too. If you ever encounter a cert that
isn't on the list, that's definitive proof that they are backdating again.

The list of certificates is too large for Mozilla to include a list of hashes
in Firefox, but it might be a nice opportunity for a Firefox add-on.

~~~
dspillett
_> You don't need to rely on Google ... should be on WoSign's own Certificate
Transparency log which you can download_

Given that the behaviours being documented include falsifying data (backdating
certificates to get around SHA1 retirement), I would prefer to at least use
information from Google (or another third party) for the purpose of
verification, rather than just relying on information sourced from
WoSign/StartCom.

~~~
xnyhps
They can't backdate their Certificate Transparency log without leaving
cryptographic evidence behind. That's how CT is designed to work.

Of course, simply being in the log doesn't imply the cert was issued
correctly, but the logs have been posted for a couple of months now and have
received a lot of scrutiny during Mozilla's investigation. But the same is
true for Google's log, presence in that log is also no guarantee that it was
issued correctly.

------
shawkinaw
Goddammit. I really liked StartCom for free S/MIME certificates and TLS certs
that don't expire after a month.

So people, is there a comparable free product out there (don't say
LetsEncrypt, they don't do S/MIME unless I'm mistaken)?

~~~
tptacek
Why are you using S/MIME?

You can still get free S/MIME certs from Comodo.

~~~
carsonreinke
What is wrong with S/MIME?

~~~
TD-Linux
It has less users than PGP/MIME, which is an impressive feat.

~~~
tgsovlerkhgsel
Since many major clients support it out of the box, I'd say that at least for
verification purposes, it has more users than PGP/MIME.

------
nandhp
I'd be interested to know what the plans are from other vendors (Microsoft,
Google, Apple, ...); can we expect them to follow Mozilla's lead in taking
action against WoSign?

~~~
RJIb8RBYxzAMX9u
When the story first broke, I manually untrusted WoSign's and StartCom's root
certificates in OS X, instead of deleting them outright...at least I thought I
did. I upgraded to macOS 10.12 Sierra this past weekend, and repeated the
process. Except WoSign's certificates aren't there to begin with, though
StartCom's still are. So perhaps Apple had dropped WoSign already? Would
anyone else running 10.12 verify?

~~~
pfg
IIRC WoSign was never in Apple's trust store in the first place; their trust
status came from StartCom cross-signing their certificates.

(Not sure if cached intermediate certificates get added to the keychain -
maybe that's what you saw previously?)

~~~
alpb
I can say +1. WoSign has never been in OS X trust chain as I hit this issue
once before and had to install it myself manually. You can search about WoSign
and OS X on Google and you will see that it was never there. If you found it
in your trust store in the first place, there must be some shady business
going on in your Mac. Also similar comments in this other HN thread:
[https://news.ycombinator.com/item?id=12389573](https://news.ycombinator.com/item?id=12389573)

------
driverdan
TL;DR:

> Taking into account all the issues listed above, Mozilla’s CA team has lost
> confidence in the ability of WoSign/StartCom to faithfully and competently
> discharge the functions of a CA. Therefore we propose that, starting on a
> date to be determined in the near future, Mozilla products will no longer
> trust newly-issued certificates issued by either of these two CA brands.

I recommend reading the whole thing if you have time. They used some shady
tactics.

------
hart_russell
A 1 year suspension and continued trust of previously signed certificates?

Sounds very generous to me.

~~~
tptacek
How many companies can survive a year without revenue? None I've ever worked
at. Not only that, but their readmission after that year is uncertain! Mozilla
gets to pick an auditor ( _raises hand! pick me!_ ) that gets full access to
their code. This is, I think, a higher bar than a new CA would have to clear.

StartCom is a popular CA. Distrusting previously-issued certificates would be
extremely disruptive. Moreover, it would primarily punish StartCom's
customers, and not WoSign, which as a business is primarily concerned with
forward revenue.

You see this as leniency, but I see it as a powerful step forward. The
browsers and CAs had previously been locked in a Mexican Standoff, with
abusive CAs fully aware of the leverage their userbases offered them.

~~~
bcg1
Not only is it a year without revenue... I imagine this will devastate their
revenues in future years as existing customers up for renewal during that time
will likely permanently migrate to another CA.

~~~
tptacek
It looks like Mozilla and Google have created a set of circumstances where the
rational next step would be to wind down WoSign/Startcom and just start a new
company.

~~~
jvehent
Which would require creating new roots to be submitted to Mozilla's CA
program, and passing the bar for inclusion of a new CA.

That's a multi-year process, unless they can get another CA to cross-sign
their root, like LE did. I doubt other CAs will be willing to carry that level
of risk given the reputation of WoSign/StartCom.

------
gregmac
I think this is very well handled on the part of Mozilla, especially with
respect to existing customers.

What's missing, which admittedly is not Mozilla's job, is to inform any
existing customers that will have to renew during the time WoSign and StartCom
are suspended. If they just get an invoice and pay it or are set-up with auto-
renew, they'll unknowingly get certificates that aren't valid for the
remainder of the suspension (or indefinitely, if WoSign/StartCom violates
Mozilla's requirements).

------
byuu
Wow, this would be devastating if they actually went through with revoking
their root certificate.

StartCom is (well, _was_ ) the _only_ competition to Let's Encrypt in the free
certificate space. It is far and away the cheapest _direct_ provider of
wildcard certificates (which are impossible to get for free), unless you move
into reseller territory. And even their free certificates last four times as
long, and don't require the use of certbot.

Certainly, Let's Encrypt works great for a lot of people's needs. But for
those it doesn't (and there's more of them than you might think), this is
_seriously_ bad news.

It's easy to get onboard wanting to punish WoSign/StartCom here, but keep in
mind that this has the potential to screw over all of their innocent customers
as well. (Future customers with the first action; all customers if the second
action comes to pass and they revoke the root CA.) And screwing them could
likely mean they abandon HTTPS completely instead.

Note that I am _not_ advocating for Mozilla to give them a pass; far from it.
If anything, this is just one more indictment on the long list of reasons why
the entire CA system is completely broken.

I actually just recently purchased a certificate, and had my choices narrowed
down to StartSSL or AlphaSSL. I am _really_ glad I went with the latter right
about now. I can't tell you how absolutely livid I would become if Mozilla
ended up revoking my root CA after dropping over $100 on my certificate.

~~~
yrro
Surely you could have demanded a refund if you had chosen StartSSL and they
sold you what turned out to be a defective product?

~~~
inimino
Good luck collecting after the company's potential future revenue has been
erased.

~~~
byuu
Best recourse would be a credit card chargeback. If Paypal, probably a
writeoff.

The trickier part is, it's unknown whether StartCom will backdate more
certificates, triggering Mozilla to block them entirely. That could happen
well after the window where you're allowed to request a chargeback. Although I
do believe it's _extremely_ unlikely that they will. Unless Google and
Microsoft follow suit, such an action is just as likely to damage Mozilla as
it is to damage StartCom. People who just want to access websites will not
bother to understand the reason why suddenly only Firefox is refusing to let
them view their pages.

------
joseignaciorc
Just curiosity: since this report is a Google Doc, how can one know that it
has been really written by Mozilla?

Shouldn't it be under the mozilla.org domain?

~~~
bratch
Being hosted where it is is particularly annoying because you can't view it
unless you accept cookies from google.com.

A JavaScript redirect takes you straight to
[https://support.google.com/accounts/answer/32050](https://support.google.com/accounts/answer/32050).

------
Angostura
I'm going to make a donation to Mozilla for this. Top work of public value.

------
crazypyro
Completely and utterly fail your job, lie about it and use deceiving tactics?

And all they are getting is a 1 year suspension and none of the certificates
are becoming untrusted. The auditors got a bigger punishment by being banned
completely from Mozilla's trusted auditors.

Should just revoke them completely. Such incompetence and/or malice should not
be allowed on such a crucial piece of infrastructure.

~~~
geofft
Revoking them completely would be a pain for end users of StartCom and WoSign
certificates, who had no way to know that their CA was incompetent and/or
malicious. But this is a great way to choke out their business by the end of a
year, since they can't sell any new products.

Of course, it might be nice to actually revoke them so that in the future,
"will my CA be revoked" is a realistic thing to think about when choosing a
certificate seller. But revocation hurts other people (website owners and
visitors) more than the CA, and it doesn't seem totally obvious that it's
worth it.

~~~
wyager
Who cares if it's a pain? User security is vastly more important than saving
companies from the mild inconvenience of changing certs.

~~~
daenney
You forget things like certificate pinning which can make sites inaccessible
for long durations of time if the user doesn't visit said website during this
transition period.

I'm not super convinced about the user security argument either. Sure, they
backdated SHA-1 certificates and that's nasty but those certificates still
expire at a reasonable time in the near future and will soon enough not be
accepted by browsers at all or show up with scary UI warnings. That said I
don't agree or condone what they did.

~~~
makomk
Mozilla and the other browser developers' position seems to be that issuing
SHA-1 certificates when they've said SHA-1 certificates should not be issued
is a cardinal sin - never mind that this would break payments infrastructure.
They eventually agreed to an exception process _after_ Tyro's payments systems
would presumably have stopped working if WoSign hadn't issued them a
certificate.

~~~
jcranmer
The SHA-1 deprecation wasn't a secret: it was decided back in October, 2014.
In February 2016, one provider basically said "oops, we screwed up, how can we
get a SHA-1 certificate?", whereupon the answer was a one-off exception that
would be notated as "yes, Symantec violated the rules, but everyone agreed to
let this exception go through." This exception was converted into a more
formal exceptions approval in June.

Tyro's certificate would have expired on June 9, 2016 if I'm reading the
timeline right. There is nothing that would have prevented them from doing
what WorldPay did and approach the CAB themselves, or become vigorously
involved in the ongoing discussion (the proposal document for the process was
made June 3, 2016).

On the other hand, as the IT mantra goes, failure to plan on your part does
not constitute an emergency to plan on my part. The evidence is that Tyro
updated its certs at the last minute, found that they couldn't get the SHA-1
they needed, and basically shopped around until they found someone who gave it
to them (while lying about it!), instead of, say, making sure to request a
certificate in late December to maximize the transition time available.

The great sin is not so much that they issued the SHA-1 certificate, but that
they agreed not to do it, and when someone needed one, rather than bring it up
with the CAB Forum, they issued one and lied about their compliance. The
REALLY great sin is that they appear to have built an entire system to do the
backdating, rather than applying one-offs.

Browsers can forgive CAs when they fess up to their mistakes. It's when they
lie about them that they get really pissed off.

------
lionradio
I think Mozilla is falling for Symantec's / other CAs' propaganda here. Yes,
WoSign did bad things, but those are by far not the worst things we've seen in
CA wrongdoings in the last years. We've seen certs issued for MITM attacks and
security holes in the validation process of nearly every CA.
([http://www.theregister.co.uk/2012/02/14/trustwave_analysis/](http://www.theregister.co.uk/2012/02/14/trustwave_analysis/))
< they confessed issuing a cert for MITM purpose and are still part of the
game. The allegations mainly consist of: a) WoSign didn't make transparent
that they have control over StartCom. Yes, this is a thing and it should be
discussed. But the main focus of this is obviously to get StartCom into this
story. Where - as I understood it - there is no allegation, that StartCom
itself did something wrong. At least not in the league of "we should kill that
company". Transparency is important and we should fight for it. Not only in
China. b) They backdated SHA-1 certs. Obviously because not updated Windows XP
machines are a thing in China. This is against code of conduct. This is bad,
but I totally get the intention here. And the intention is not MITM attacks or
worse (as we see a lot in CA business) the intention is not to break Chinese
internet.

Bottom line: "Let's Encrypt" is destroying the business of many shady CAs
these days. Competition is getting harder. StartCom had an advance in this
race as they adopted quickly to the new rules and they've built the best
product in the market for special use cases. We - for example - rely on a lot
of wildcard certs for many domains. StartCom had the product. We paid them
$200 for all our certs and the next cheapest competitor wanted $150.000 / year
for our certs. I totally get why they are getting attacked by the big players.
I totally don't get why Mozilla is falling for this.

~~~
pfg
There were a number of other issues that came up during this investigation
that showed that they should not be running a CA[1]. For example, they issued
certificates to anyone able to control an unprivileged port (> 1024) behind a
domain. They issued certificates for "root domains" to anyone able to verify
control of a subdomain. When StartCom launched their issuance API, it was
taken down within a matter of days due to some pretty obvious holes.

The biggest problem with the SHA-1 issuance is that they - as the report shows
- blatantly lied about how this played out during the investigation and did
not even attempt to go through the proper channels to get an exception from
browser vendors (which other CAs did). Additionally, issuing a SHA-1
certificate to a payment processor that failed to upgrade their systems in
time cannot be explained by China having a large number of XP <= SP2 users.
That's just an excuse.

Regarding the TrustWave incident a few years back, it's important to
understand that this happened when the rules for CAs were not quite as clear
as they are now. I think this happened just around the time when the Baseline
Requirements were written and were not yet in effect, and various browser
policies were not as clear as they could've been about this use-case. Four
years later, I have no doubts that a CA who'd give out the private key of a
non-constrained CA certificate to a non-audited third-party would lose their
trust status within a matter of days.

[1]:
[https://wiki.mozilla.org/CA:WoSign_Issues](https://wiki.mozilla.org/CA:WoSign_Issues)

~~~
Crosseye_Jack
> issuing a SHA-1 certificate to a payment processor that failed to upgrade
> their systems in time

It's ok, it's just a temp workaround... /s - [https://tyro.com/blog/merchant-security-is-tyros-priority/](https://tyro.com/blog/merchant-security-is-tyros-priority/)

Tyro don't say when they got their SHA-1 cert from StartCom but say they
needed this workaround because some of their customers still ran POS software
on old operating systems such as Windows XP SP2 and that "internet security
standards are moving faster than typical small merchants upgrade their
systems."

> "We reached out in good faith to certificate authorities to provide a _few
> months runway_ to resolve this big challenge in a way that had minimal
> impact on merchants."...

To me this would be ringing so many alarm bells, why would my current CA tell
me they can not issue a SHA-1 cert but StartCom say they can? (I believe they
got issued the SHA-1 cert after the cutoff because of the details in the
document Mozilla have supplied and that we are no longer a few months into
2016 so their need for a "few months runway" was way off) Yes it would mean my
customers' POS systems would still function but I sure as hell would be
asking questions about its issuance.

EDIT: Tyro have removed their StartCom SHA-1 cert from
[https://iclient.tyro.com/](https://iclient.tyro.com/) and it's now supplying a
RapidSSL cert issued in May of this year but yesterday they were serving a
StartCom SHA-1 cert on their iclient subdomain.

------
Kovah
As someone who's using StartCom for several years I'm really anxious now. I
may use Let's Encrypt for a few sites but not for all and I also got my email
certificates from StartCom. As far as I know there's no suitable alternative
that does not cost $500+ per year, or does anyone have any advice for me?

~~~
byuu
I hate to say it, but if you need the functionality that Let's Encrypt won't
offer (wildcard certificates, longer validity lengths, not wanting/needing to
run certbot, code signing, etc) ... your best bet is to look for the SSL
resellers.

I'm not going to name the one I used (as I'm not marketing for them), but I
purchased a three-year AlphaSSL wildcard certificate recently for a little
over $110 (for all three years, so less than $40/yr.)

It ... absolutely defies common sense that certificate resellers are a thing;
but indeed it's the very same certificate I'd have gotten had I paid $150/yr
on AlphaSSL's site.

The CA model is just completely broken. But right now, our only choice is to
find the lowest amount of money to be taken for if we want full HTTPS
functionality. And at the moment, that's with the resellers :/

~~~
caf
_It ... absolutely defies common sense that certificate resellers are a thing_

I think that's the kind of thing you should expect in any market where the
cost of serving a new customer is dominated by the marketing & sales costs in
acquiring that customer.

------
bandrami
Nuke it from orbit. The whole idea of PKI is Broken and Wrong and confuses two
different goals.

Here's a fun one I noticed: Wells Fargo and several other banks are CAs. This
is idiotic. The "logic" behind PKI dictates that it's _a third party_
identifying my bank to me. If banks themselves are CAs even that fig leaf
doesn't mean much.

We have known bad actors in the pool of widely accepted CAs, right now.
There's no sense bringing up obscure possibilities of MitMs that _might_
happen absent a CA system: we have bogus certs, in the wild, today. Nuke it
from orbit and teach people to pin certificates.

~~~
geofft
OK, so what do you want to happen starting tomorrow morning?

* All HTTPS sites show up as trusted. Woohoo!

* All HTTPS sites show up as untrusted, people are encouraged to switch to HTTP. Woohoo!

* All HTTPS sites use trust-on-first-use, which means that we have a date and time announced when MITM attacks are particularly effective and will persist for a very long time.

* All HTTPS sites are untrusted, except for those that already have certificate pins hard-coded in the browsers' source, and excluding those that are pinning their CAs (because CAs are Broken and Wrong), which means the only websites you can access are Google's properties via Google's browser. Awesome!

* Replace HTTPS with PGP. Only people who know how to use PGP correctly get to use secure web traffic.

~~~
tedunangst
#3, with HPKP and a transition period covered by CAs, is not entirely
unreasonable and even offers some real advantages. The changeover doesn't need
to take place at the stroke of midnight.

~~~
geofft
You could engineer #3 to work, but the big trouble is that occasionally
someone will reinstall their web server from scratch (on purpose or as part of
disaster recovery), lose the key, and expect not to lose their website
permanently. I have yet to see any organization that deals usefully with
changed SSH keys and communicates them properly instead of "oh yeah, we
changed that, delete it from known_hosts and it'll be fine", and organizations
that use SSH are more likely to know what they're doing than the average
Internet site (in fact I count MIT's CS department as one of the guilty
parties). An internet-wide equivalent of "yeah, just delete example.com from
your known_hosts" is essentially an internet-wide announcement of "yeah, plz
start MITMing example.com".
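
The failure mode described above, as an added sketch that is not part of the original comment: a trust-on-first-use pin store where a site that pinned a spare key in advance (in the style of an HPKP backup pin) survives a rebuild, while a site that did not can only recover by having clients forget it. The `TofuStore` class, host names and key bytes are constructed for illustration.

```python
import hashlib

def spki_pin(public_key_der: bytes) -> str:
    """Pin = SHA-256 over the server's public key bytes (hex for readability)."""
    return hashlib.sha256(public_key_der).hexdigest()

class TofuStore:
    """known_hosts-style store (hypothetical): host -> set of accepted pins."""
    def __init__(self):
        self.pins = {}

    def check(self, host, presented_key, announced_backups=()):
        pin = spki_pin(presented_key)
        known = self.pins.get(host)
        if known is None:
            # First use: nothing to compare against, so the presented key is trusted.
            self.pins[host] = {pin, *announced_backups}
            return "first-use"
        if pin not in known:
            return "mismatch"
        # Backup pins are only accepted over a connection that already matched a pin.
        known.update(announced_backups)
        return "ok"

    def forget(self, host):
        """The 'delete it from known_hosts' step."""
        self.pins.pop(host, None)

def demo():
    store, out = TofuStore(), {}
    # Constructed byte strings stand in for DER-encoded public keys.
    old_a, spare_a = b"site-a key 1", b"site-a offline spare"
    old_b, new_b, other = b"site-b key 1", b"site-b key 2", b"unexpected key"
    # Site A announces the pin of an offline spare key on first contact.
    out["a_first"] = store.check("a.example", old_a, [spki_pin(spare_a)])
    out["b_first"] = store.check("b.example", old_b)
    # Both servers are rebuilt and lose their original keys.
    out["a_rebuilt"] = store.check("a.example", spare_a)  # spare was pinned
    out["b_rebuilt"] = store.check("b.example", new_b)    # nothing vouches for it
    # After forgetting the host, the next key seen is trusted, whoever holds it.
    store.forget("b.example")
    out["b_after_forget"] = store.check("b.example", other)
    return out
```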

------
zmmmmm
It's a shame it sounds like there are no legal avenues for penalising the
individuals behind this. Actions like this ought to be criminal. In the end,
if the only penalties are directed at corporations involved it isn't much of a
disincentive to state actors or others with sufficient resources who want to
game the system.

~~~
MaulingMonkey
Individuals? This sounds like a systemic organizational issue. I'm sure we can
drum up a few scapegoats, but I'm not sure if that'll be terribly effective in
fixing the incentives.

Putting _everyone_ involved out of a job and destroying whatever investments
in the company they may have had, on the other hand, puts pressure on
_everyone_ involved to not fuck up next time.

------
Fej
I am both surprised and immeasurably pleased at the sight that "too big to
fail" isn't (yet) reality for CAs.

When it comes to shady shit like this... I would reference the title of
Metallica's first album.

------
johnp_
I remember that there was some talk about double voting (WoSign and StartCom
not being separate entities, but voting with two votes) in the mailing list.
Is there a reason as to why this event hasn't been included in the document?

edit:
[https://groups.google.com/forum/#!topic/mozilla.dev.security...](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0pqpLJ_lCJQ)

> "In no case were these the deciding votes."

~~~
pfg
The issue you're describing is a concern for the CA/B Forum, not really all
that relevant for Mozilla/mozilla.dev.security.policy. That being said, the
CA/B Forum seems to be discussing the issue[1].

[1]:
[https://twitter.com/sleevi_/status/780454860676149248](https://twitter.com/sleevi_/status/780454860676149248)

~~~
johnp_
Thank you, though the Qihoo relationship is not what I was referring to.

I actually meant executing two votes in the CA/B Forum. As the connection
between WoSign and StartCom was only incidentally found while investigating
the other issues, I am questioning if there may be more dark sheep in the herd
of CAs... we may just not have looked hard enough. Do the Audit Requirements
include checking for such relationships?

~~~
pfg
That's in all likelihood the same issue - Qihoo de facto owning two CAs who
currently cast two separate votes in the CA/B Forum. Not sure if it would be a
concern otherwise (i.e. if Qihoo were to own just one CA and not disclose that
fact, I don't think that's relevant for the CA/B Forum, leaving aside the
problem that they're also a member as a browser vendor ...)

I think the voting rules are part of the bylaws (and not the Baseline
Requirements), so I'm not certain if that's something that's looked into
during the audits.

------
ara24
Is there a governing body or regulatory authority which looks over the process
followed by CAs?

As a fan of Firefox, I am happy that as a community, Mozilla has done the
necessary ground work to reach this conclusion. However, as long as PKI
remains a highly profitable business, more and more such events are going to
happen.

I don't think all CAs should be trusted equally. Right now, AFAIK, my browsing
experience is only as secure as the weakest CA. Hopefully, HPKP can put an end
to this.

------
coverband
Shoot, I just renewed two of my domains with the free StartCom certs on
Friday... Even though I'll likely have minimal-to-no impact, I'm still very
disappointed with this.

------
xenophonf
Well, this is as good a week as any to migrate my certificates to Let's
Encrypt. I just need to figure out how to do domain validation.

~~~
compuguy
I stopped using StartCom after their response to the Heartbleed vulnerability.

~~~
xenophonf
That really should have been my clue.

------
Ruud-v-A
I’m glad that I have been distrusting StartCom on all my devices since early
2014. Time to do the same for WoSign.

------
tomjen3
How can I check if I am using one of their certificates?
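
One way to answer the question above, as an added example that is not part of the original thread: read the issuer of the certificate a server presents and flag it when the issuer's organization or common name contains "WoSign" or "StartCom". It assumes the issuing intermediate carries one of those names, and the sample certificates are constructed dictionaries in the shape Python's `getpeercert()` returns.

```python
import socket
import ssl

DISTRUST_MARKERS = ("wosign", "startcom")  # CA names as written in this thread

def issuer_fields(cert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into name -> [values]."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields

def flagged_issuer(cert):
    """Return the issuer O or CN string naming one of the CAs, or None."""
    fields = issuer_fields(cert)
    for attr in ("organizationName", "commonName"):
        for value in fields.get(attr, []):
            if any(marker in value.lower() for marker in DISTRUST_MARKERS):
                return value
    return None

def fetch_leaf(host, port=443, timeout=5):
    """Fetch the validated leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples, not real certificates.
SAMPLES = {
    "shop.example": {"issuer": ((("countryName", "IL"),),
                                (("organizationName", "StartCom Ltd."),),
                                (("commonName", "StartCom Class 1 DV Server CA"),))},
    "blog.example": {"issuer": ((("countryName", "US"),),
                                (("organizationName", "Let's Encrypt"),),
                                (("commonName", "Let's Encrypt Authority X3"),))},
}

def audit(certs):
    """Map each host to the flagged issuer string, or None when the issuer is not flagged."""
    return {host: flagged_issuer(cert) for host, cert in certs.items()}
```

For a live site, pass `fetch_leaf("your.host")` to `flagged_issuer`. If the local trust store no longer contains the issuing root, the handshake fails validation before the issuer can be read, so inspect the installed certificate file instead.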

------
brongondwana
While I agree that they did the wrong thing and WoSign/StartCom should be
punished for lying, the whole SHA-1 deprecation thing is very black and white.
Others have successfully gained "exemptions" to do precisely this, and it's an
interesting question whether it would have been easy for WoSign to get those
same exemptions if they'd just asked. I bet the answer is "possible but not
easy".

Meanwhile:

[http://security.stackexchange.com/questions/86609/this-is-20...](http://security.stackexchange.com/questions/86609/this-is-2015-has-sha1-been-exploited-or-cracked-yet)

[https://www.schneier.com/blog/archives/2015/10/sha-1_freesta...](https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html)

"Freestart collisions, like the one presented here, do not directly imply a
collision for SHA-1"

"this work is an important milestone towards an actual SHA-1 collision"

[https://en.wikipedia.org/wiki/SHA-1](https://en.wikipedia.org/wiki/SHA-1)

"SHA-1 is no longer considered secure against well-funded opponents".

AKA, SHA-1 may not be secure against a nation state or attacker with a ton of
money, but it's secure enough for almost every site against almost
every attacker. Given the reported 5%+ of Chinese browsers not supporting
newer certs, I can see why customers might want a cert that gives them a lot
more than nothing, though less than best-of-breed.

It's the one-size-fits-all where someone's personal blog needs to have the
same level of security as the apple app store's payment system that leaves
them filling a real market need. They didn't go seeking people wanting SHA1
certs, people wanting SHA1 certs that would still work went seeking someone
who would provide them.

And they went seeking because the alternative is upgrading potentially
millions of dollars worth of embedded kit which doesn't support newer certs,
all to secure one link in a chain in which SHA1 is nowhere near the weakest
link.

So yeah, the CAB chose to inflict a ton of pain and cause still-functioning
hardware to be discarded in order to push a more secure ecosystem on
everybody. Which is great from some perspectives, but it's environmental
vandalism from another perspective, and if it pushes people back to non-HTTPS
traffic for those older pieces of equipment it could cause a short term
worsening of security.

(the deprecation of sha1 that is. The lying by WoSign/StartCom was a
calculated risk in a business where everything is based on trust, and they
lost)

~~~
takluyver
> I bet the answer is "possible but not easy".

I would bet the same. This seems like what you want for an exemption process:
if it's too easy, people will use exemptions rather than fixing an underlying
problem.

> someone's personal blog needs to have the same level of security as the
> apple app store's payment system

Different grades of security would not have helped in this case, because it
was payment systems having trouble updating, and we put anything involving
money on a high security tier - except when legacy systems get an exception.

It's not quite one-size-fits-all, because EV certificates are meant to show
more trust, and most banks etc. will use those. That takes extra work, which
isn't worth it for a personal site. But you don't save any work by using a
weaker hash algorithm, so there's no reason for a personal blog to do so.

> the CAB chose to inflict a ton of pain and cause still-functioning hardware
> to be discarded

It does sound like they should have had an exemption process set up before the
cutoff date, or put the cutoff further out to give people more time to upgrade
systems. But using Hanlon's razor, it was probably an oversight rather than
deliberate 'environmental vandalism'.

------
tarancato
So I don't like Let's Encrypt, if Mozilla "kills" WoSign/StartCom, what are my
options if I want a cert for free?

~~~
oxguy3
What exactly don't you like about Let's Encrypt? Besides Let's Encrypt, your
other option is paying for a cert from GoDaddy or something. My two cents:
don't give business to Comodo, given their horrible track record of sleaziness
([https://en.wikipedia.org/wiki/Comodo_Group#Controversies](https://en.wikipedia.org/wiki/Comodo_Group#Controversies)).

~~~
tarancato
I don't like the EFF, but I guess I will have to use Let's Encrypt if there's
no other option.

~~~
rudolf0
If I might ask, why don't you like them?

~~~
tarancato
They are a political organisation and their ideas conflict with mine. I don't
keep a strong boycott on them, but I don't want to support their products,
that's all.

~~~
ceejayoz
I'd be very interested to know which of the EFF's political positions you
object to, but it appears pretty clear you're avoiding answering that
question...

~~~
tbrownaw
I don't see how that's relevant, unless the goal is to invalidate his(?)
dislike of them by claiming the political views that dislike is based on are
wrong and stupid.

~~~
ceejayoz
The goal was to find out more. Having never encountered an anti-EFF person on
here (or anywhere, that I can recall) I was interested in the answer.

------
sandGorgon
Why is this Google Docs? Why is this not at least a markdown file in GitHub?

~~~
popey456963
From tptacek:

"It was written by multiple authors. Ryan Sleevi is at Google."

I would assume the method it was written in is of little consequence to many,
just that Google Docs offer far better convenience when working in teams.

------
guelo
If the CA market were efficient this would lead to bankruptcy of this company
since there's no reason to choose them over the many competitors and many
reasons to distrust them. Though of course the market is not efficient. I keep
wondering when the Communist Party of China is going to make its heavy handed
presence felt in the CA world.

~~~
lolc
Even after these disclosures, a fully informed, rational agent would still
choose WoSign if their price and service were the best. This is because
WoSign's behavior does not specifically endanger their customers.

The SSL ecosystem relies on the trustworthiness of the certificate
authorities. If one of them is compromised, the whole system is compromised,
not just their customers. This cannot be solved by markets. Instead, it's
heavily regulated.

~~~
michaelt

> WoSign's behavior does not specifically endanger their customers.

Or more precisely, problems such as issue N [1] endanger their customers, but
endanger non-customers just as much.

[1]
[https://wiki.mozilla.org/CA:WoSign_Issues#Issue_N:_Additiona...](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_N:_Additional_Domain_Errors_.28June_2015.29)

------
appleflaxen
Corporate personhood is an American thing, but if the CA can't perform their
most fundamental function (certifying accurate information), isn't that the
best possible case for the corporate death penalty?

A 1-year time-out is insufficient to regain trust, IMO.

I would never let them return, absent some kind of additional (exculpatory)
information.

They won't even admit to their behavior!

~~~
icebraining
Corporate personhood is _not_ an American thing. It appeared in the UK in the
1800s and it's now common across the world.

