
WoSign and letsencrypt.cn - arthur2e5
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/E13eT13wMBQ
======
koolba
For those of you who don't read beyond the subject line, here's the meat:

> It seems that WoSign has registered the domains letsencrypt.cn and
> letsencrypt.com.cn in 2014 after the public announcement of Let's Encrypt.

And here's the whois record:

    $ whois letsencrypt.cn
    Domain Name: letsencrypt.cn
    ROID: 20141120s10001s72911711-cn
    Domain Status: clientTransferProhibited
    Registrant ID: k35-n2041486_00
    Registrant: 深圳市沃通电子商务服务有限公司
    Registrant Contact Email: dns@wosign.com
    Sponsoring Registrar: 厦门三五互联科技股份有限公司
    Name Server: ns3.dns-diy.com
    Name Server: ns4.dns-diy.com
    Registration Time: 2014-11-20 09:57:27
    Expiration Time: 2017-11-20 09:57:27
    DNSSEC: unsigned

Unless they registered those domains to "reserve" them for LetsEncrypt ( _haha
right?_ ), this is pretty blatantly deceptive, or at least they planned to be.
Then again, not exactly the worst thing they've done in the world of SSL.

~~~
imron
> Unless they registered those domains to "reserve" them for LetsEncrypt (haha
> right?)

Which is exactly what WoSign say they did in that same comment thread after
noticing that LetsEncrypt didn't register the Chinese domain names themselves.

They also offer to transfer them to LetsEncrypt at no cost.

~~~
JshWright
Then I'm sure they have a copy of the email they sent to Let's Encrypt the day
they registered it, letting them know they were just doing them a favor...

------
tptacek
For anyone who doesn't know the backstory on this already: WoSign (and, after
WoSign quietly acquired it, StartCom) were distrusted by Mozilla for
mismanagement ranging from backdating certificates to bypass crypto
requirements to accidentally mis-issuing certificates.

It is unlikely that WoSign or any CA run by WoSign will ever be fully compatible
with browsers in the future.

~~~
hackerboos
Startcom's certs still show as ok in Firefox for me. Any idea when this kicks
in?

~~~
adambrenecki
Existing certs (those with a notBefore date before Oct 21 [0]) are still
trusted by Firefox. New certificates are not.

(WoSign could theoretically backdate the notBefore date on new certs to make
them look like existing certs, but Mozilla have said that if they catch WoSign
doing this they'll distrust their root totally.)

Other browsers are taking similar measures, but I'm not sure on the details.

[0]: [https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/](https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/)

~~~
Crosseye_Jack
Apple are trusting certs WoSign published to Certificate Transparency servers
before September [0] and StartCom certs with notBefore dates of December
[1].

[0]
[https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...](https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI)

[1]
[https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...](https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/EqkAdP4nQ_s)

------
artursapek
Business as usual in the dirty cert industry

[https://letsencrypt.org/2016/06/23/defending-our-brand.html](https://letsencrypt.org/2016/06/23/defending-our-brand.html)

------
novaleaf
fyi, it looks like this may be overblown. Richard Wang, the person who
registered the .cn domains, posted this in the thread:

---------------------------

I wish everyone can talk about this case friendly and equally.

It is very common that everyone can register any domain based on the first
come and first service rule.

We know Let's Encrypt was released after the public announcement, but two days
later, its .cn domain was still not registered. I think maybe it was caused by
the strict registration rule in China, so I registered it for protection, so that
it was not registered by Cornbug.

We don't use those domains for any of WoSign's services; we provide a similar
service: [https://pki.click/index_En.htm](https://pki.click/index_En.htm) (SSL
Wizard, StartEncrypt)

Now, if Mozilla or Let’s Encrypt contact me officially and request to transfer
the two domains to them, no any problem, we can transfer to them for FREE!

But please notice that this arrangement is for friendship, not for others
......

Best Regards,

Richard

~~~
wereHamster
If he registered the domains to 'protect' them he should have contacted LE
immediately afterwards to arrange the transfer. Not wait until the world finds
out. It's easy to use that form of reasoning ("I only did it for protection")
after others find out. But is such a person trustworthy? I have my doubts.

------
beatle_sauce
This could develop further. Reminds me of TOM Skype: Chinese users are
redirected from skype.com to the Chinese-characteristics website skype.tom.com
which serves a censorship-enabled version of Skype, see
[https://en.greatfire.org/blog/2013/nov/tom-skype-dead-long-live-microsoft-surveillance](https://en.greatfire.org/blog/2013/nov/tom-skype-dead-long-live-microsoft-surveillance)

~~~
yadongwen
Well this is a collaboration b/t Skype and TOM.com. Skype has to do it b/c
they don't have license to operate in China. My skype account was registered
in China and I have to prove I'm not in China anymore to remove the
association..

~~~
inimino
Skype chooses to do it. They could also simply choose not to cooperate, and be
blocked.

------
ns8sl
The Twit network has some very detailed podcasts about Wosign's sliminess:

[https://twit.tv/search/wosign](https://twit.tv/search/wosign)

This is a CA death penalty situation as far as I'm concerned.

~~~
wjossey
+1 wrt to the twit conversations. Leo & Steve Gibson on Security Now have
regularly spoken about wosign, and it's the primary reason why my antenna
immediately perked up when I saw the headline.

As a general note, the content on the TWiT network is superb. I love the great
ethics conversations that are had on TWiG (This Week in Google). I've loved
listening to the "coming out of the wilderness" progression of Mary Jo Foley &
Paul Thurrott with regards to Microsoft on Windows Weekly. And Security Now is
my guilty educational pleasure, as it's greatly expanded my knowledge of
security issues and topics, which has served me well over the past few years.

~~~
ns8sl
Steve Gibson will go into levels of detail that amaze me. The podcast on
Rowhammer is a perfect example - down to the minute details of how VMs store
memory pages...

It can also be a great sleep aid.

~~~
616c
Crap, I am not even familiar with that episode, and SN is the longest running
on TWiT. Link? Is it 498 or 576?

[https://twit.tv/shows/security-now/episodes/498](https://twit.tv/shows/security-now/episodes/498)

[https://twit.tv/shows/security-now/episodes/576](https://twit.tv/shows/security-now/episodes/576)

------
skrowl
A similar name may be enough to fool everyday users, but I don't think they're
going to trick Mozilla and Google into trusting them.

~~~
SallySwanSmith
Why would that matter? They can set up a similar service and use the WoSign CA,
and Mozilla/Google wouldn't know anything is amiss.

~~~
steventhedev
Previous discussion:
[https://news.ycombinator.com/item?id=12582534](https://news.ycombinator.com/item?id=12582534)

tl;dr - WoSign/StartCom are no longer trusted as a CA (at least by Firefox)

~~~
svenfaw
However, previously issued certs are still trusted. For instance, Firefox
doesn't complain about this site's WoSign cert:
[https://www.checkmyping.com/](https://www.checkmyping.com/)

~~~
tscs37
Existing certs are still trusted.

Mozilla stated that they will not distrust certs issued with notBefore till
December, so theoretically this cert is good for as long as it's still valid,
only after that they need to worry.

------
ryanlol
It's really difficult to understand _why_ anyone would want to do this. Unless
they were working with Let's Encrypt directly I really don't see how this
could ever be acceptable.

Why would anyone do such an obviously bad thing and slap their company
information in the whois?

~~~
guitarbill
Because they thought they could get away with it - just like all of the other
stuff they've done. And they did get away with it for a while.

~~~
ryanlol
What's the motivation though? It doesn't seem like they've really ever used
the domain. Right now this all just seems utterly pointless and stupid on
their part, but I guess that's really nothing new.

~~~
avian
To me, the most obvious motivation for registering the domain would be to
basically make a domain squat. Redirect anyone visiting "letsencrypt.cn" to
their own, similarly named (and now defunct as far as I know) service
"StartEncrypt" [1]. Like any other domain squat, it would probably allow them
to profit to some degree from the buzz Let's Encrypt was generating.

[1]
[https://news.ycombinator.com/item?id=11903513](https://news.ycombinator.com/item?id=11903513)

~~~
vertex-four
Except that they weren't doing that.

------
methou
As a frequent user of the Chinternet, a .cn counterpart of a famous project is
an alarm sign of a non-affiliated copy of the original project, or simply that
someone wants to build a Chinese-language (still not affiliated) community for
that project.

After all these dramas with .cn, a wary user should reject .cn on first
sight. Too sad for Chinese/non-technical users, as they have no choice.
There's nothing that can be done about the situation.

------
EGreg
Do we have to run certbot every few months to update the certs? Can we set up
a cron to do it? Thoughts welcome.

~~~
elliottcarlson
Yes - you can add it to a cronjob, as well as add a `--renew-hook` option that
tells it to do something post renewal, such as restart your webserver.

See [https://certbot.eff.org/docs/using.html#renewing-certificates](https://certbot.eff.org/docs/using.html#renewing-certificates)
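The cron-plus-hook arrangement described above, written out as an added example (not code from the thread or from the certbot project): a hook script that reloads the services using the renewed certificate, with the crontab line that drives it. The script path, the domain-to-service mapping and the schedule are constructed assumptions; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables certbot exports to its hooks.

```shell
#!/bin/sh
# certbot-renew-hook.sh (constructed path): run by certbot after a successful
# renewal via `--renew-hook` (newer certbot calls the same thing `--deploy-hook`).
# Certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory of
# the renewed certificate) and RENEWED_DOMAINS (its names, space-separated).
set -eu

# Decide which services must reload to pick up the new certificate.
# The name-to-service mapping is a constructed assumption for this host.
services_for_domains() {
    need_mail=0
    for d in $1; do
        case "$d" in
            mail.*|smtp.*|imap.*) need_mail=1 ;;
        esac
    done
    out="nginx"
    [ "$need_mail" -eq 1 ] && out="$out postfix"
    echo "$out"
}

# Reload one service; with DRY_RUN=1 only report what would run, so the
# hook can be rehearsed without touching the host.
reload_service() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: systemctl reload $1"
    else
        systemctl reload "$1"
    fi
}

main() {
    echo "renewed ${RENEWED_LINEAGE:-?} for: $RENEWED_DOMAINS"
    for svc in $(services_for_domains "$RENEWED_DOMAINS"); do
        reload_service "$svc"
    done
}

# Only act when certbot invoked us; when the file is merely sourced, the
# functions are defined and nothing runs.
[ -z "${RENEWED_DOMAINS:-}" ] || main

# Matching crontab entry (install with `crontab -e`). `certbot renew` only
# replaces certificates within 30 days of expiry, so running twice daily is
# cheap, and the hook fires only when a certificate actually changed:
#   23 4,16 * * * /usr/bin/certbot renew --quiet --renew-hook /usr/local/sbin/certbot-renew-hook.sh
```

Rehearse the hook before trusting it in cron: `DRY_RUN=1 RENEWED_DOMAINS="example.com" RENEWED_LINEAGE=/etc/letsencrypt/live/example.com sh certbot-renew-hook.sh` prints the reload it would perform.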

------
mijoharas
Has Richard Wang left WoSign as CEO or not?

~~~
inimino
During last-chance negotiations with Mozilla, they claimed he was stepping
down immediately. However, Mozilla moved against them anyway, so presumably
they immediately went back on that pledge once it became clear that it wasn't
helping. Apart from the time of the negotiations, there haven't been any other
claims that he had stepped down as far as I know.

------
Buge
I don't see how it's a security problem. Just because the domains are similar
doesn't mean browsers will accidentally start trusting the CA.

~~~
Sanddancer
This is how these sort of attacks have always worked. Get something that's
just close enough so that it passes the glance attack. If someone doesn't
notice anything in the first few seconds, you've done half your work right
there.

~~~
Buge
What is going to happen in a quick glance? Including a CA in a browser is an
extremely long and drawn out process involving third party audits and many
other things costing hundreds of thousands of dollars. There is zero chance
that no one along that whole process will notice that the TLD is actually .cn.

~~~
inimino
Obviously, but that's not the concern. The concern is that someone would visit
letsencrypt.cn and end up getting a certificate from a provider that is not
Let's Encrypt without really understanding that. Imagine a busy, non-SSL-
expert user who just hears "Let's Encrypt is good, you should use it".

Since the domains aren't being used, we can't say what the intention was, but
it's being judged as part of a pattern of behavior by Wosign.

~~~
Buge
Ok, but that's not really a security problem. You don't give out your private
key when getting a certificate.

~~~
inimino
Actually many customers let the CA generate the private key and copy it onto
their servers, but that's not the point.

It's a trust problem because of the pattern of this particular CA. Whether you
call that a security problem or not is semantics. If not for the existing
pattern of behavior, people would be a little more willing to look charitably
on this as an honest mistake or trying to help, but given the history the
assumption of good faith has been considerably weakened.

