Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom?

Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

I'm Confused

[MightyMartian]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

Re: I'm Confused

[n0creativity]

When I signed my organization up with StartCom (StartSSL) 18 months ago, I did a few hours of research in attempt to do my due diligence. Unfortunately I found absolutely no information tying StartCom to WoSign or any Chinese groups. Had I known who was actually behind StartCom, I would have found another solution. I'm sure that I'm not the only admin in this position.

Re: I'm Confused

[Kupo]

TFA mentions that:

8 Issue R: Purchase of StartCom (Nov 2015)

So it happened less than a year ago. What you researched 18 months ago was probably legit. The acquisition happened after your issuance. That said, having been a long time user of StartCom/StartSSL, I find this is depressing it's gone this route. But I've moved on to LetsEncrypt recently anyways, since the StartSSL website was a royal PITA to use, and LetsEncrypt works much more fluidly.

Sad, but time to move on, I guess.

Re: I'm Confused

[vux984]

Agreed. I used to use StartSSL certs for several things over the last decade. And I too have moved to and endorse (for whatever little that's worth) LetsEncrypt.

The official lets encrypt client didn't meet any of my needs when i first switched although it may be better now (!?) Things seem to have been moving along over there.

I currently use the acme.sh client on linux and it's been solid and easy to use. I don't have anything positive or negative to say about the multitude of other options. And again... things have likely moved along a lot since i switched a year ago.

Re:

[ChristophWeber]

I currently use the acme.sh client on linux and it's been solid and easy to use. I don't have anything positive or negative to say about the multitude of other options. And again... things have likely moved along a lot since i switched a year ago.

At Slashdot we use the acme tool as well, rolling it out now across our infrastructure. Dependable, quick and easy.

Re:

[TheRaven64]

How do you get S/MIME certs via Let's Encrypt?

Re:

[TheRaven64]

I did, I went to StartCom, who offer free S/MIME certs, and free TLS certs that are valid for one year. Now, apparently, Mozilla wants to force me to move to a different CA, but the one that they're backing doesn't provide the same set of certs.

Re: I'm Confused

[bill_mcgonigle]

Yep. A few years ago I got grilled by a (nice) guy in Israel about my certs, even though I had gotten all the answers right on their notary certification test. It was tougher than most "Green bar" certs are today. Which is how a competent CA works.

RIP old Startcomm.

Re:

[omnichad]

But I've moved on to LetsEncrypt

Hence Startcom's motivation to sell out - there's no good reason to compete in that space.

Re:

[ModernGeek]

I've started looking at Root and Intermediate CAs country of origin, and found that a lot of the big name guys don't actually reside within the US, and the Intermediate one might be in a different country. Really whenever inspecting a certificate within a browser, it might be a good idea for the interfaces to put pictures of little flags next to each one as to better identify their source.

Re:

[tdailey]

I am very surprised at this news as well. I have used StartCom for years after first reading recommendations for them right here on SD. I was impressed with StartCom's thoroughness; they required uploads of bank or bill statement headers to show that my business was real & recognized, personal ID documents, photos, and they followed-up with a phone call to confirm that I was who I said I was. I felt they took their role as a trust verification entity seriously. I happily paid them every year. I am than

Re:

[Rufty]

You aren't the only one.

Re:

[decep]

Chinese citizens do not really have a choice and deserve attention to CAs that do not even deserve trust in China. The view is very different from our high moral towers in the west.

Re: I'm Confused

[realxmp]

Well they certainly got attention, shame that because of their actions it was the wrong kind. I do not particularly trust businesses from any country, as they all have security services and ways to lean on people. What I do trust is protocols, and if you break them you're out.

Re:

[houstonbofh]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

A better question is how do you know if your certificates are issued by a Chinese company? They have a lot of cash, and are buying a lot of companies...

Re:

[harryk]

Your comment only confirms that you didn't read the well written paper from Mozilla, which clearly explained that WoSign purchased StartCom, an Israel based company.

Re:

[Midnight Thunder]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

Maybe ask the question differently: Why would you trust any company? In the end it comes down to the chain of trust, for which due diligence is part of, along with the fact no flags have been raised at any point. The flag here is that there is behaviour to create doubt, but why should it just be 'because it is Chinese'?

Re:

[AmiMoJo]

Indeed, if we are talking about untrustworthy countries, most places are looking kinda bad these days. The US has some really bad laws (DMCA etc.) and registrars based there are likely infiltrated by or actively cooperating with the NSA. UK registrars have similar issues withe GCHQ.

Re:

[Midnight Thunder]

Indeed, if we are talking about untrustworthy countries, most places are looking kinda bad these days. The US has some really bad laws (DMCA etc.) and registrars based there are likely infiltrated by or actively cooperating with the NSA. UK registrars have similar issues withe GCHQ.

The other issue, is related to privacy and whether your 'trusted' registrar chain is sharing information with other entities, for which you did not explicitly agree to, in a clear and understandable contract?

Re:

[Anonymous Coward]

Why in the hell would anyone trust certificates signed by a American CA to begin with?

It's not that bad.

[narcc]

It's a system built on trust. If a CA is anything less than completely trustworthy, it's useless. A year long suspension looks like a slap on the wrist, when the obvious action is to drop them completely.

Re:

[houstonbofh]

I see it as too long for a warning (who can live a year with no income?) but to light to be serious. I really want to see more easy to use tools for users to drop authorities they do not trust. That will change things fast.

Re:

[Zocalo]

You've read the list of hoops that they'll have to jump through to get re-listed, right? Assuming they survive the suspension to even try and get re-listed that is. The real kicker is that they have to be audited by an agency appointed by Mozilla before that happens, which doesn't seem like something they'd be too keen on at the best of times. If you look at some of the issues Mozilla has with them in the light of the normal modus operandi of the Chinese government and it would seem the chances of them a

Re:

[stooo]

>> The real kicker is that they have to be audited by an agency appointed by Mozilla

Many and continuous Audits are normal and needed for a CA. why do you think it's too much ?

Re:

[mikeiver1]

Totally agree, Trust is everything in this case and they are very untrustworthy. Guess I need to go through my certificates and remove those that are issued by these two companies.

Re:

[SumDog]

The SSL CA system has been broken for years. Remember Comodo and Iran?

I know companies won't be going to LetsEncrypt anytime soon. They'll pay the premium for that little green icon (or is it blue. Fuck I don't pay attention anymore).

LetsEncrypt basically does the bare minimum that you can honestly do with identity verification today: prove the owner of the domain is really who they say they are. If you're expecting more from SSL-CAs, you need a dose of reality.

Re:

[TheRaven64]

And yet a CA that was seriously compromised by 'a single kid' is still trusted by Mozilla, whereas the CA that provides the best competition for Mozilla-backed Let's Encrypt is subject to sanctions.

Re:

[marcansoft]

It's not a year-long suspension. It's a permanent suspension of trust in their current roots. They can, however, re-apply after one year - with extra auditing over what is normally required - and if and when they pass that they may be let in again. If they do nothing, they don't get back in for free after a year.

Re:

[stooo]

Americcans don't have to cry foul when their corruption is found out because it's simply pushed under the carpet.

Re:

[TheRaven64]

Comodo.

Re:

[houstonbofh]

Almost? What do you need for failure?

Re:

[NotInHere]

But you trust your OS vendor then?

The entire security of the internet

[surfdaddy]

...depends upon the flawed root CA system. These companies have repeatedly failed to do their primary job of cooperating with established rules and protocols. They've failed to report breaches, they've issued certificates erroneously for other domains and then not reported it. This has been done repeatedly, and is the PRIMARY function of a CA. I don't consider it "draconian" at all, it seems pretty charitable for their timeout to be only one year instead of permanently. It's also an example to other certificate authorities that the rules actually have some teeth.

Re:

[BenFranske]

I think it's a substantial exaggeration to say that the entire security of the Internet relies on the root CA system. There are a lot of organizations and people running encrypted communications over the Internet that are PSK or internally signed certificates. Think VPN connections. While a lot of public services such as web servers, email servers do rely on a very flawed CA system my point is that even if the entire CA system crumbled (which would be bad as I haven't seen any legitimate proposals about wha

Re:

[Anonymous Coward]

That's an optimistic assessment of Mozilla's actual influence on the market. Firefox has been circling the drain for a couple years already.

http://www.ghacks.net/2016/06/09/why-firefox-will-continue-to-lose-market-share/

Re:

[higuita]

what make you think that cutting off even 15% of market is something that people can ignore?
also, what makes you think that google, microsoft and apple will not do the same thing? this was found by mozilla, but all browsers are usually in sync on the CA matters

read the article: only NEW certs will be distrust

[higuita]

please read the article... only the NEW certs will be distrust, old ones will keep valid until they expire. You might have problems only on renews...

If they behave well and follow all the rules, in one year they may be trusted again... if they keep trying to issue certs using past dates, they will be totally removed and if they ever try to reenter the CA business, they will have to follow again all the audits, tests, checks, etc... takes ages, log of money and in the end, mozilla can still say "NO"

Re:

[darkain]

And to the average user, what you're suggesting is just another "click [OK] to continue" prompt on every web site that'll be ignored due to the commoner's lack of understanding of information security. Plus when you add LetsEncrypts recommendation of expiring certs every 30 days (they max at 90, but recommend replacing them sooner), that means at least once a month users will be prompted for a new cert. Even as an informed user, how can you be reasonably sure the new cert is coming from the intended source

Re:

[tepples]

The model you propose is called trust on first use (TOFU). TOFU is vulnerable to a man in the middle (MITM) on the first connection, but this can be worked around with the Perspectives add-on, which checks the server through multiple routes through the Internet to see if the certificate matches.

Draconian?

[penguinoid]

What's draconian about not trusting someone proven to be untrustworthy? Is it because their only job was to be trustworthy?

Re:Draconian?

[Zocalo]

As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.

Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the the record I think that WoSign really screwed up, they deserve what they get, and this a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.

Re:

[h4ck7h3p14n37]

I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code?

What obligat

We need a web of trust

[GuB-42]

The CA model is broken.
The fundamental difference between a CA and a web of trust is that in a CA model, only the CA signs your certificate while in a WoT, the certificate can be signed by as many signers as you want, which mean you don't have a single point of failure.
For example StartCom may not be worth your entire trust but it is still better than nothing. And complimented by, say, a few independent, free authorities, it starts getting good because the attacker now have several different targets. This is not an option with CA as we have now, that's blind trust or nothing.

Expensive & hard to coordinate

[StandardCell]

The certificate business is big money. It's possible some companies may be able to purchase certs from multiple vendors but it adds up very quickly, and coordinating activities like expiration dates have to be aligned among the vendors which is tricky with multiple large contracts. Only the biggest companies will be able to do this, leaving the rest to single and/or smaller CAs.

Yet does that really make an entity's presence on the public Internet inherently more trustworthy? If I was to get certs from

Re:We need a web of trust

[CrashNBrn]

All we should have is the "Registrar Model":
Register Domain, Get Domain & Certificate from Registrar.
Use Certificate to sign a "fingerprint" of your Server.
Register the signed "fingerprint" with your Domain Registrar.

Domain Lookups would include the signed fingerprint of your server.
Done.

Re:

[tepples]

There's one way to emulate that in the current model:

• Register domain.
• Generate keypair on your server. The CSR, derived from the public key, acts as a fingerprint.
• Upload CSR to CA owned by registrar.
• Registrar-CA issues certificate.
• Use HTTP Public Key Pinning to ensure only your registrar can issue certificates.

In theory, there's another way:

• Register domain.
• Generate keypair on your server.
• Add a self-signed certificate to your domain using a DANE TLSA record.
• Sign your domain with DNSSEC.

But as I understand it,

Re:

[AmiMoJo]

How does that help identify when a web site is genuine? Currently when I go to my bank's web site I can confirm that the certificate belongs to them and that it was verified by a (hopefully) trustworthy third party. I'm fairly sure I'm not entering my details into a fake site.

What we need is two identity verification methods. One verifies the server for the purposes of setting up an encrypted link. The other verifies the identity of the site owner for the purposes of doing business or sharing secrets with t

Re:

[stooo]

>> For example StartCom may not be worth your entire trust but it is still better than nothing.
No. Corrupt CAs are worthless

Re:

[omnichad]

StartCom may not be worth your entire trust but it is still better than nothing

A false sense of security is actually worse than nothing.

Damnit, I'm on Startcom

[Indy1]

Guess I need to get my certs moved over to someone else. Fortunately there's some other free options that look promising.

https://letsencrypt.org/ [letsencrypt.org]

Re:

[higuita]

read the article: only NEW certs will be distrust, existent ones will keep work, until they expire.
In a year, if they behave and follow all rules, they MAY be trusted again.... if they keep doing wrong things, they will be removed.
basically, mozilla removed the CA market from then for one year as penalty

Re:

[kav2k]

Note: if they cheat again, trust in existing ones will be pulled without warning.

Re:

[kav2k]

That's one option. Are there others left?

I was only aware of WoSign (which I happened to start using, before LetsEncrypt was released) and StartCom as alternatives for free trusted SSL certs.

Re: Damnit, I'm on Startcom

[heypete]

For completely free certs? Those are the only ones I know.

Sites like ssls.com sells, among others, Comodo DV certs for like $5/year. Not free, but close enough for most purposes.

No CA is the New Black

[Anonymous Coward]

How about don't use a CA at all? Self sign your certificates in your organization. Expect everyone you do business with to verify and install your certs rather than trusting Mozilla to trust a third party. Oh... and staff up your help desk to answer questions like, "I didn't need to do this with Amazon. Why are you guys so stupid?"

Re:

[account_deleted]

Comment removed based on user account deletion

Seems fair

[Improv]

If you can't remove problematic certs by a vendor or penalise them for misdeeds, then they have no constraints. User trust is more important.

Not enough

[b1ng0]

In my opinion, this does not go far enough. These entities are in the business of trust. Once you break that trust ONCE, it should be game over! No warnings, slap on the wrist, suspensions or other nonsense. You break that trust and you should be removed permanently.

Re:

[SumDog]

Comodo should have had all their keys revoked forever ago.

Re:

[marcansoft]

Speaking of Comodo... [google.com] (bonus: WoSign owner also tries to step in and makes a fool of himself).

Re:

[StandardCell]

You're 100% right. Anything but the death penalty for a CA after thorough independent investigation send the message that this behavior will be tolerated in some fashion. That should never ever be the case with a CA in particular, or the viability of web commerce and trusted information exchange would be at substantial risk.

We have enough security problems with clients, data breaches and end user stupidity to have to deal with this.

Going after the Chinese

[Anonymous Coward]

what about the whole Bluecoat thing? Or when the other big CA's did wrong? It's just an issue when it's a non-U.S. based CA, is it?

Re:

[stooo]

Yes. American CA are corrupt by law.

distrust them

[Lehk228]

go into advanced settings and distrust those to CA's, it takes less than a minute.

Re:

[higuita]

no need for that... firefox will distrust NEW certs, but keep old ones working (minus this 62 back issued certs)
there is no info to make the other certs invalid, you will be only breaking random Innocent sites

Are they big enough?

[mhkohne]

Is Mozilla big enough (in the form of Firefox) for the rouge CA in question to care what Mozilla does? I've no idea whose numbers are reliable, but the first set I found indicated that Firefox has less than an 8 percent share of the browser market, with IE @ ~27% and Chrome @ ~53. If that's even close to true, is Mozilla taking an action like this relevant? Or will it just push people into dropping Firefox?

Re:

[higuita]

yes. for 3 reasons:
-when you get a CA, you want it to work in all browsers... market share may not be high, but it is still a very popular browser. spread the word that the site do not work in all browsers is enough to cause panic in many people

- mozilla, microsoft, google and apple are usually in sync about CA issues. This was found by mozilla and they decided the action they will take... other companies will now analyze this and take their own actions. As mozilla action is a good one, it may be accepted b

Re:

[Zocalo]

Firefox alone, possibly not. However, Mozilla's certificate store is also the one commonly used by NSS on Linux which might not be so big on the web browser front, but that's going to cause a lot of problems for people trying to use any post-revocation WoSign/Startcom certificates to send email through Linux gateways using TLS. Also, while I didn't mention it in the submission since it's far from certain, there's a reason the response is on GoogleDocs; one of the authors (Ryan Sleevi) is a Google employee

Re:

[ChoGGi]

If you noticed at the bottom of the doc it mentions Ryan Sleevi (also see https://wiki.mozilla.org/CA:Po... [mozilla.org])
So at least in some fashion Google is involved as well

Impact

[DigiAngel69]

Which will impact less then 8% of the market: https://www.netmarketshare.com... [netmarketshare.com]

Re:

[marcansoft]

Until Google does exactly the same thing in Chrome... which they probably will, as one of the authors of that document works for Google.

A shot at Ernst & Young also

[harryk]

I thought the 'punishment' was an interesting take to show a loss of trust, after a certain date and the ability to regain it after a period of time. I found it slightly more interesting that Mozilla would also choose to no longer accept audits conducted by Ernst & Young. That could potentially be huge as it shows (at least in some manner) that their auditors were not conducting a thorough audit or did not have the technical prowess to fully audit a CA.

Re:A shot at Ernst & Young also

[Zocalo]

It's actually "Ernst & Young (Hong Kong)" - i.e. "China" - specifically, rather than Ernst and Young in general, but that caught my eye as well. In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it, and especially so if you keep in mind what some of WoSign's "errors" might enable in terms of censorship and surveillance.

Re:

[SlashdotOgre]

Personally I lost my faith in E&Y after I saw some of their creative accounting techniques around the sale and depreciation of virtual goods for companies like Zygna.

The whole system is broken

[Sax Russell 5449D29A]

It's not just a few CAs, it's the whole system. The CA system is built on trust and there has been no trust left in the system in years. The whole idea of encrypted communications between web browsers and web servers needs to be reworked and somehow decentralized so that rogue CAs will eventually die out.

Re:

[nnull]

Lets just wipe it all and start over. The whole system stinks.

Re:

[account_deleted]

Comment removed based on user account deletion

Not far enough

[cpm99352]

Take a look at Mozilla's trusted CAs. It is a joke. They need to be harsher. First abuse cut them off. It also needs to be easier for users to remove trusted CA's from Firefox.

Read the account of how WoSign handed out the key to githib [google.com].

What?

[nyet]

As if WoCom and Startcom are any less trustworthy than the rest of the despicable commercial CA signers.

Permanent ban is the appropriate recourse

[LeftCoastThinker]

In an industry where trust is essentially the product, and critical to the system, Mozilla should have permanently banned them along with a lifetime ban on the executive level management. Punishment for abuse of the trust system should be harsh if an independent audit shows wrongdoing.

the linked explanation seems weak

[bloodhawk]

Reading through the incidents most of them are bugs or glitches with no malice intended, or at least no obvious malice with a little bit of neglect, all of which you could also claim about Mozilla browsers. Is there something not listed on the linked page to justify blocking them? By the same standard should users all be stopping using Mozilla browsers for the next 12 months till they are not the most insecure browser on the net?

Comment removed

[account_deleted]

Comment removed based on user account deletion