
WoSign's secret purchase of StartCom: WoSign threatened legal actions - 0x0
http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html
======
creshal
StartCom has always been scummy. We've created hundreds of certificates in
clear violation of their ToS and they ignored it after we payed some hush
money; and then there's the whole "asking for money to revoke certificates
affected by heartbleed" affair. And StartEncrypt.

Both should be revoked.

~~~
onli
The whole CA system should be abolished. The only thing needed is certificates
for domain control, as LE does. We need one or two non-profit organizations
for that who do that work transparently. Remove the market from where should
be none.

~~~
Arnt
What we have is DANE and 0 nonprofits. Instead you add RRs in the domain
(which you control, right?).

~~~
drdaeman
> domain (which you control, right?)

You never control a domain - ICANN, your TLD registry and your immediate
domain registrar do. So, technically, it's just replacing one trust vector
with another.

However, given that we don't have a proper crypto in DNS (not even DNSSEC
which many don't like and urge to abolish), it would be terrible. Anyone who
can feed you spoofed DNS responses (i.e. starting from a cafe hotspot) would
be able to impersonate just anything.

~~~
okket
> You never control a domain

Then don't use DNS if you can't trust it? You have to trust at some point. Or
create your own infrastructure and convince others to trust you, if you want
more than a private network.

> Anyone who can feed you spoofed DNS responses

The tendency goes towards running your own local DNS resolver. It was not
possible in the 90s, but since then both the network and computer got a lot
faster and smarter.

DNSSEC has also evolved quite a bit and is the best we will get for long time.
I really encourage to have a look again before dismissing it outright.

[http://blog.easydns.org/2015/08/06/for-
dnssec/](http://blog.easydns.org/2015/08/06/for-dnssec/)

~~~
tptacek
Among many other problems, DNSSEC+DANE permanently concedes .COM, .NET, .ORG,
.CO.UK, and .IO to the FVEY Intelligence Community --- the TLDs are controlled
by world governments, as we all know from watching the DOJ use that control to
attack file sharing sites.

Not only that, but DNSSEC+DANE does this _without eliminating CAs_. It can't,
because browsers can't rely on DANE in the real world, for technical reasons.

Previous discussion:
[https://news.ycombinator.com/item?id=12383795](https://news.ycombinator.com/item?id=12383795)

~~~
amluto
> Among many other problems, DNSSEC+DANE permanently concedes .COM, .NET,
> .ORG, .CO.UK, and .IO to the FVEY Intelligence Community --- the TLDs are
> controlled by world governments, as we all know from watching the DOJ use
> that control to attack file sharing sites.

I'm all for trying to reduce the need to trust one's government, but I think
this is getting out of hand.

Currently, if you really want to trust the little https lock icon, you need to
trust your government, pretty much everyone else's government, a whole lot of
non-governmental companies of which many are demonstrably untrustworthy, and
anyone who can hijack internet traffic well enough to spoof domain validation.
And you need to trust everyone with control over DNS, because they can very
easily spoof domain validation. That's a lot of people, any of whom can force
a certificate.

With DANE, you need to trust the DNSSEC roots and the hierarchy from the roots
to your domain. That's it.

So the argument that Verisign and your registrar (and presumably your
government) can potentially defeat DANE is an argument against a ridiculous
straw man: Verisign and your registrar can defeat the existing system just as
easily.

At least with DANE, a whole bunch of other governments, registrars, AS
operators, etc can't also impersonate your web site.

~~~
pfg
If a site deploys certificate pinning via HPKP, you don't need to trust anyone
other than whoever the site deems trustworthy. So why bother with a new system
that might be an improvement for a small subset of the trust problem (and
comes with a huge set of other problems) when we already have a system that's
supported by a large number of browsers, is in use by a number of high-profile
sites and has shown that is effective against compromised CAs in the past?

Of course you can argue that HPKP is not quite there yet, but that is also
true for DNSSEC in general, and even more true for DANE. If we somehow,
against all odds end up in a situation where DNSSEC is actually widely
deployed, it wouldn't even be a bad thing for the domain validation process in
general - preventing at least some attack vectors, though I'd argue it's not
worth the cost. However, it should never be a replacement for efforts like
certificate pinning, Certificate Transparency, etc.

~~~
amluto
I don't think that I or anyone else has suggested that DANE is in any respect
whatsoever a replacement for HPKP. DANE could partially replace or augment the
CA system.

IMO we would ideally use DANE _and_ HPKP with CA roots kept around for legacy
clients.

~~~
pfg
The threat model you described did not take HPKP into account at all, and the
existence of HPKP has a large effect on the question of whether DANE is worth
the hassle (and the problems it comes with).

~~~
amluto
HPKP doesn't really solve these problems. It requires initialization, so a
naive browser isn't protected at all. It also makes a bunch of smaller
operators nervous because, if they lose their keys, it's game over. DANE gives
a happy middle ground where you can easily re-key and only a small number of
third parties can potentially tamper with the keying.

~~~
tptacek
No, that is only half the HPKP story. The other half is that when a pin breaks
in a browser, _the browser can report it_. Your browser might not have a
certificate pinned yet (though: for the most important sites on the Internet,
it does, because they're preloaded). But hundreds of thousands of other
browsers do.

Every HPKP-enabled browser functions as part of a global surveillance system
monitoring certificate issuance.

This works because under the TLS CA hierarchy, we have _trust agility_. When a
CA screws up badly, they can be limited by the browsers (Chrome has repeatedly
shown themselves willing to do that), or removed entirely.

DNSSEC+DANE gives us _no trust agility_. You cannot revoke .COM without
breaking the Internet.

------
xoa
I reluctantly stopped all usage and recommendation of StartSSL last year after
concerning information came up about a shift to Chinese ownership/control due
to their hosting by Qihoo 360 (previous discussed on HN [1]), which went
poorly in the context of both their lack of transparency and their long
standing insistence that certain keys be generated in the browser rather then
a user supplied CSR. But it really was _reluctant_ because their actual model
was fantastic and how I desperately wish other CAs operated. They charged only
for the actions that actually take human time: manual identity verification.
Machine verification was always free, but then there was the option to get
basic identity verified for a reasonable price (getting a level 2 cert), then
an organization, and then a more extensive organization verification. At each
step once you had a given level of verification done you could then get certs
without further payment for the validity period, in stark contrast to the
artificial expense CAs normally add. In an ideal world cryptographic
authentication would be part of the standard services offered by government,
and in fact authentication should be a core function of government period, but
that is not the case.

And no, Let's Encrypt is not a full substitute unfortunately, as it offers
only SSL certs. GPG has poor mobile and native platform support compared
S/MIME. So I do think it's a bummer that StartCom is toast.

[1]:
[https://news.ycombinator.com/item?id=11107740](https://news.ycombinator.com/item?id=11107740)

Edited to add: just to be clear, they absolutely had their flaws all along
too, primarily in terms of charging for revocations which rightly earned
criticism. But I still wish a better organization would take the good bits and
improve rather then the entire thing vanishing into the annals of history. I
feel like we're really treading water when it comes to authentication, despite
it being an ever more critical part of life. All the math and basic tech
needed to solve it correctly and in a user friendly way has been around for at
least a decade or two at this point, yet most people and organizations still
send messages with no real authentication (which in turn is the direct root of
much spam and scams), password use (and resultant problems) is still near
universal standard practice, etc.

~~~
BillinghamJ
This was the final straw on StartSSL for me. :(

I have now dropped my ongoing EV verification with them (has taken 7 months so
far!) in favor of CertSimple, and we've also moved all non-EV to
LetsEncrypt/AWS.

------
ascorbic
Now that LetsEncrypt exists there's no excuse for anyone to use StartCom.
They've had a whiff of dodginess for ages, and their customer service is among
the rudest I've known. This should be the final straw. Their root needs
removing from browsers. Give their existing customers a year's warning.

~~~
Jaruzel
I know I'm in the minority on here, but...

LetsEncrypt's certs are not trusted on Blackberrys (including BB10 devices),
and because Blackberry's big thing is 'a secure OS' there's no way to side-
load[1] a root cert.

Although dwindling rapidly - there's still some big business out there that
are still issuing Blackberrys to it's users.

My main home server is behind a StartCom cert... and I use a BB10 device - so
no LetsEncrypt migration for me :(

\--

[1] Happy to be corrected on this, If I'm wrong!

~~~
koolba
> LetsEncrypt's certs are not trusted on Blackberrys (including BB10 devices),
> and because Blackberry's big thing is 'a secure OS' there's no way to side-
> load[1] a root cert.

> Although dwindling rapidly - there's still some big business out there that
> are still issuing Blackberrys to it's users.

What business are you in that Blackberry users are a factor? What percent (or
total number of users) would be impacted?

Only time I've seen a Blackberry in recent memory is as a stock image on a "
_Why RIM failed..._ " article.

~~~
Jaruzel
Believe it or not - Large Financial still roll out BBs, mainly because they
have a big investment in the BES backend, and don't want to replace it unless
they absolutely HAVE to. Latest version of BES (v12) supports iPhone and
Android now, but it's not as complete as native BB support.

My Blackberry is personal though (I love hard keyboards!).

------
VMG
How to disable CAs on firefox (thanks user nmc):

The GUI way:
[https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certi...](https://wiki.mozilla.org/CA:UserCertDB#Deleting_a_Root_Certificate)

The CLI way:
[http://unix.stackexchange.com/a/285831](http://unix.stackexchange.com/a/285831)

Chrome/Chromium: search "certificate" in settings to get to the certificate
manager, edit trust settings for certificates.

~~~
imglorp
How can laypeople know which certs can currently be trusted? Is there a list
of ratings somewhere, or maybe a whitelist of some kind?

~~~
svenfaw
I'm working on such a project. The ratings are based on a few well-defined
criteria. Stay tuned!

~~~
rocqua
How do I stay tuned? Sounds quite interesting.

------
mtgx
WoSign seems to give away all the signs of malicious CA. Why haven't browser
vendors banned them (both) already?

------
ramblenode
It doesn't seem like browsers are willing to revoke certificates from these
dangerous CAs, but what about a compromise that flags some certificates as
less trustworthy?--a certificate tier, if you will. I'm envisioning a warning
page in the style of Firefox's "This Connection is Untrusted" that would
require the user to consent before proceeding to the page. Or removing the
lock icon if that's too intrusive. It wouldn't break websites but it would
bring attention to websites' choice of security and probably spur action from
those affected. The whole system needs an overhaul but we also need a stopgap.

~~~
rocqua
I think this is definitely needed to keep CAs viable, but this requires cross-
signing to be much easier. It should also be possible to get signed
certificates by many CAs.

Without this, it would be quite difficult to ensure you can serve a customer a
valid certificate. At the same time with much more cross-signing, trust would
be established much better.

------
justinclift
Damn, we (sqlitebrowser.org) recently went through the process of obtaining a
MS code signing certificate... from StartCom. (so we can sign our release
binaries)

 _sigh_

------
devy

        I call for a detailed investigation over WoSign's purchase of StartCom 
        and the current status of StartCom. If StartCom is deemed untrusted in connection with WoSign,
        it should be revoked as well.
        
        I further call for all current users of WoSign or StartCom to switch to Let's Encrypt as soon as possible.
    
    
    

First off, it's impractical for all StartCom/WoSign customers to switch to LE
because LE doesn't offer wildcard and EV TLS certificates, neither do they
offer certificates that are valid more than 90 days.

Second of all, there are 175 root certificates[1] (close to a hundred CAs)
trusted by Mozilla, why does this blogger targets the one and only CA in
China; go above and beyond digging into private business deals to prove his
point and trying so hard to gather up public support to revoke WoSign's root
certificates?

I mean, sure WoSign was pretty bad in those incidences of certificate mis-
issurances and have had some really shitty practices exposed (I suspect
incompetence might also contributed), but is WoSign the ONLY one out there who
does these shitty practices in the CA business? We don't know, until someone's
look into it. But publicly shaming a single CA doesn't make all of us securer,
rising awareness and promote security best practices do.

PS: if you read the rest of his blog posts in Chinese (resource links ), you
would most certainly agree that the blogger is A) knows Chinese really well
and B) is a political dissident. So is there any hidden motive of why the
blogger did what s/he had done? Personal revenge? You guess is as good as
mine.

[1]
[https://wiki.mozilla.org/CA:IncludedCAs](https://wiki.mozilla.org/CA:IncludedCAs)

~~~
EnFinlay
I think you're right, this blogger is focusing their attention on this CA.

Even though you're probably correct, it's irrelevant. Every CA should be able
to stand up to whatever scrutiny people choose to put them under. Just because
this person is not targeting all of them does not make what he finds LESS
valid.

If he's making stuff up, then yeah, that's obviously it's a problem.

To Straw Man you, it's crazy to say "I'll ignore these facts because the
messenger has a bias".

------
kgc
To un-trust on OS X:

1\. Open Keychain

2\. Search for Startcom (3 results)

3\. Double click each certificate

4\. Open Trust section (expand small arrow)

5\. Select "Never Trust" for the first option.

