Slashdot Mirror


Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom? (google.com)

Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and StartCom. Mozilla's position is that they have lost trust in WoSign and, by association, StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them from issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period that they cannot do so and will need to go elsewhere -- hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?
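An added example, not Mozilla's code and not part of the story: a relying-party check that implements the date-gated distrust the summary describes. Root names and the cutoff date are placeholders (the proposal leaves the date to be determined), and the `first_seen` field assumes some independent record of when a certificate was first observed, for instance a Certificate Transparency log entry; without such a record a back-dated notBefore cannot be caught at all, because the CA under sanction writes that field itself.

```python
"""Date-gated CA distrust, as an added illustration of the proposal above.
Not Mozilla's code. Root names, the cutoff date and the source of
`first_seen` are placeholders/assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    # Earliest time an independent observer saw this certificate (assumption:
    # e.g. a CT log entry). notBefore alone cannot detect back-dating, since the
    # issuer chooses it.
    first_seen: Optional[datetime] = None


# Placeholder names; a real policy keys on the root's key identifier or
# certificate hash, not on a display string.
DISTRUSTED_ROOTS: Set[str] = {"WoSign Root (placeholder)", "StartCom Root (placeholder)"}

# The proposal says "a date to be determined"; this value is an assumption.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def validate_chain(chain: List[Cert]) -> Cert:
    """chain[0] is the leaf; each cert must be issued by the next one and the
    last must be self-signed. Returns the root."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"{child.subject!r} names issuer {child.issuer!r}, "
                             f"but the next cert is {parent.subject!r}")
    root = chain[-1]
    if root.subject != root.issuer:
        raise ValueError("chain does not terminate in a self-signed root")
    return root


def evaluate(chain: List[Cert],
             cutoff: datetime = CUTOFF,
             distrusted_roots: Set[str] = DISTRUSTED_ROOTS,
             backdate_slack: timedelta = timedelta(days=7)) -> str:
    """Return one of:
      'trusted'                - does not chain to a sanctioned root
      'trusted-pre-cutoff'     - sanctioned root, but issued before the cutoff
      'distrusted-post-cutoff' - sanctioned root, notBefore on/after the cutoff
      'distrusted-backdated'   - notBefore claims to predate the cutoff, yet the
                                 cert was first observed only after the cutoff
                                 and long after its own notBefore
    """
    root = validate_chain(chain)
    if root.subject not in distrusted_roots:
        return "trusted"
    leaf = chain[0]
    if leaf.not_before >= cutoff:
        return "distrusted-post-cutoff"
    if (leaf.first_seen is not None
            and leaf.first_seen >= cutoff
            and leaf.first_seen - leaf.not_before > backdate_slack):
        # A cert seen nowhere until after the cutoff, while claiming to have
        # existed well before it, is the evasion the proposal punishes permanently.
        return "distrusted-backdated"
    return "trusted-pre-cutoff"
```

A certificate first observed before the cutoff is never flagged as back-dated, whatever its notBefore says, because it demonstrably existed in time; the slack only matters for certificates that surface after the line was drawn.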

111 comments

  1. I'm Confused by MightyMartian · · Score: 4, Insightful

    Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re: I'm Confused by n0creativity · · Score: 5, Interesting

      When I signed my organization up with StartCom (StartSSL) 18 months ago, I did a few hours of research in an attempt to do my due diligence. Unfortunately I found absolutely no information tying StartCom to WoSign or any Chinese groups. Had I known who was actually behind StartCom, I would have found another solution. I'm sure that I'm not the only admin in this position.

    2. Re:I'm Confused by decep · · Score: 1

      Chinese citizens do not really have a choice and deserve attention to CAs that do not even deserve trust in China. The view is very different from our high moral towers in the west.

    3. Re: I'm Confused by Kupo · · Score: 5, Informative

      TFA mentions that:

      8 Issue R: Purchase of StartCom (Nov 2015)

      So it happened less than a year ago. What you researched 18 months ago was probably legit. The acquisition happened after your issuance. That said, having been a long time user of StartCom/StartSSL, I find it depressing that it's gone this route. But I've moved on to LetsEncrypt recently anyways, since the StartSSL website was a royal PITA to use, and LetsEncrypt works much more fluidly.

      Sad, but time to move on, I guess.

    4. Re:I'm Confused by houstonbofh · · Score: 2

      Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

      A better question is how do you know if your certificates are issued by a Chinese company? They have a lot of cash, and are buying a lot of companies...

    5. Re: I'm Confused by vux984 · · Score: 3, Informative

      Agreed. I used to use StartSSL certs for several things over the last decade. And I too have moved to and endorse (for whatever little that's worth) LetsEncrypt.

      The official lets encrypt client didn't meet any of my needs when I first switched although it may be better now (!?) Things seem to have been moving along over there.

      I currently use the acme.sh client on linux and it's been solid and easy to use. I don't have anything positive or negative to say about the multitude of other options. And again... things have likely moved along a lot since I switched a year ago.

    6. Re:I'm Confused by harryk · · Score: 2

      Your comment only confirms that you didn't read the well written paper from Mozilla, which clearly explained that WoSign purchased StartCom, an Israel based company.

      --
      think before you write, it'll save me moderator points.
    7. Re: I'm Confused by tdailey · · Score: 1

      I am very surprised at this news as well. I have used StartCom for years after first reading recommendations for them right here on SD. I was impressed with StartCom's thoroughness; they required uploads of bank or bill statement headers to show that my business was real & recognized, personal ID documents, photos, and they followed up with a phone call to confirm that I was who I said I was. I felt they took their role as a trust verification entity seriously. I happily paid them every year. I am thankful that SD has posted this news. I am not impressed that StartCom did not inform their customers about this sale.

    8. Re:I'm Confused by Midnight+Thunder · · Score: 2

      Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

      Maybe ask the question differently: Why would you trust any company? In the end it comes down to the chain of trust, of which due diligence is a part, along with the fact no flags have been raised at any point. The flag here is that there is behaviour to create doubt, but why should it just be 'because it is Chinese'?

      --
      Jumpstart the tartan drive.
    9. Re: I'm Confused by realxmp · · Score: 1

      Well they certainly got attention, shame that because of their actions it was the wrong kind. I do not particularly trust businesses from any country, as they all have security services and ways to lean on people. What I do trust is protocols, and if you break them you're out.

    10. Re:I'm Confused by Anonymous Coward · · Score: 1

      Why in the hell would anyone trust certificates signed by an American CA to begin with?

    11. Re: I'm Confused by TheRaven64 · · Score: 1

      How do you get S/MIME certs via Let's Encrypt?

      --
      I am TheRaven on Soylent News
    12. Re: I'm Confused by Rufty · · Score: 1

      You aren't the only one.

      --
      Red to red, black to black. Switch it on, but stand well back.
    13. Re:I'm Confused by AmiMoJo · · Score: 1

      Indeed, if we are talking about untrustworthy countries, most places are looking kinda bad these days. The US has some really bad laws (DMCA etc.) and registrars based there are likely infiltrated by or actively cooperating with the NSA. UK registrars have similar issues with GCHQ.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re: I'm Confused by Anonymous Coward · · Score: 0

      You don't. Let's Encrypt only offers certificates which meet all the following criteria:

      * Certificates are only for TLS Server / TLS Client EKU. No S/MIME, no code signing, nothing but TLS.
      * All names must be Internet Fully Qualified Domain Names (no lone hostnames, no raw IP addresses, no made-up TLDs, etc.)
      * Names must be A-labels, which means no IDNs, just A-Z 0-9 dashes, dots etc. (they plan to allow IDNs but the date keeps getting pushed back, don't count on it soon)
      * You must prove control over each name, either from public DNS (with DNSSEC if that's enabled for your domain) or with a web server contactable from that name over the public Internet
      * Your keys must be 2048bit or more RSA, or from a short list of permitted ECC curves
      * Signatures will use SHA256, and the Issuer always uses RSA
      * No US military .mil names (this is a requirement from their cross-signatory IdenTrust and may go away some day)
      * No "high risk" names, which belong to major financial institutions and some key Internet brands.
      * No names which fail a "Google Safe Browsing" check (basically if your site is infected with Malware, fix that first).

      But for the vast majority of people none of that is a problem. If you need S/MIME, you're going to want to call another CA.
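An added example, not Let's Encrypt's code and not from the comment above: an offline pre-flight check of the static issuance rules just listed, so you can tell before ordering whether a name set and key would be refused. The "high-risk" list and the permitted curve set are placeholders, the "made-up TLD" rule is reduced to "top label is alphabetic" (a real check needs the public suffix list), and the control-of-name proof and Safe Browsing lookup are left out because both need the network.

```python
"""Pre-flight check for the issuance restrictions listed in the comment above.
Added illustration, not the CA's code; HIGH_RISK and ALLOWED_CURVES are placeholders."""
import ipaddress
import re
from typing import Dict, List

# One DNS label in A-label form: a-z, 0-9, hyphen; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
ALLOWED_CURVES = {"P-256", "P-384"}   # assumption: the "short list" the comment mentions
HIGH_RISK = {"example-bank.test"}      # placeholder for the CA's real list
MIN_RSA_BITS = 2048


def check_name(name: str) -> List[str]:
    """Return the reasons one SAN would be refused; an empty list means it passes these checks."""
    problems: List[str] = []
    name = name.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return ["raw IP address"]
    except ValueError:
        pass
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("not a fully qualified domain name")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid A-label")
        elif label.startswith("xn--"):
            # The comment's rule: IDN (punycode) labels are not accepted.
            problems.append(f"IDN label {label!r} not accepted")
    if not labels[-1].isalpha():
        problems.append("top-level label must be alphabetic")
    if labels[-1] == "mil":
        problems.append(".mil names not accepted")
    if name in HIGH_RISK or any(name.endswith("." + h) for h in HIGH_RISK):
        problems.append("high-risk name")
    return problems


def check_key(key: Dict) -> List[str]:
    """key is a constructed dict: {'type': 'RSA', 'bits': n} or {'type': 'EC', 'curve': name}."""
    if key.get("type") == "RSA":
        return [] if key.get("bits", 0) >= MIN_RSA_BITS else [f"RSA key must be >= {MIN_RSA_BITS} bits"]
    if key.get("type") == "EC":
        return [] if key.get("curve") in ALLOWED_CURVES else [f"curve {key.get('curve')!r} not permitted"]
    return ["unsupported key type"]


def check_order(names: List[str], key: Dict) -> Dict[str, List[str]]:
    """Map every name (and 'key') to its refusal reasons."""
    report = {n: check_name(n) for n in names}
    report["key"] = check_key(key)
    return report


def would_issue(names: List[str], key: Dict) -> bool:
    """True if nothing in the order trips a static rule. The CA still verifies
    control of every name and runs its Safe Browsing check online."""
    return all(not reasons for reasons in check_order(names, key).values())
```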

    15. Re: I'm Confused by bill_mcgonigle · · Score: 1

      Yep. A few years ago I got grilled by a (nice) guy in Israel about my certs, even though I had gotten all the answers right on their notary certification test. It was tougher than most "Green bar" certs are today. Which is how a competent CA works.

      RIP old StartCom.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    16. Re:I'm Confused by Anonymous Coward · · Score: 0

      Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

      Because you already trust them by having them to produce most of everything you have in the office and in the home. Pick anything at random, there's a very high probability that it will be "Made in China".
      Sure, a lot of laptops have that "Designed in USA" thing. How cute.

    17. Re: I'm Confused by ChristophWeber · · Score: 1

      I currently use the acme.sh client on linux and it's been solid and easy to use. I don't have anything positive or negative to say about the multitude of other options. And again... things have likely moved along a lot since I switched a year ago.

      At Slashdot we use the acme tool as well, rolling it out now across our infrastructure. Dependable, quick and easy.

    18. Re: I'm Confused by omnichad · · Score: 1

      But I've moved on to LetsEncrypt

      Hence Startcom's motivation to sell out - there's no good reason to compete in that space.

    19. Re:I'm Confused by Midnight+Thunder · · Score: 1

      Indeed, if we are talking about untrustworthy countries, most places are looking kinda bad these days. The US has some really bad laws (DMCA etc.) and registrars based there are likely infiltrated by or actively cooperating with the NSA. UK registrars have similar issues with GCHQ.

      The other issue, is related to privacy and whether your 'trusted' registrar chain is sharing information with other entities, for which you did not explicitly agree to, in a clear and understandable contract?

      --
      Jumpstart the tartan drive.
    20. Re: I'm Confused by ModernGeek · · Score: 1

      I've started looking at Root and Intermediate CAs country of origin, and found that a lot of the big name guys don't actually reside within the US, and the Intermediate one might be in a different country. Really whenever inspecting a certificate within a browser, it might be a good idea for the interfaces to put pictures of little flags next to each one as to better identify their source.

      --
      Sig: I stole this sig.
    21. Re: I'm Confused by TheRaven64 · · Score: 1

      I did, I went to StartCom, who offer free S/MIME certs, and free TLS certs that are valid for one year. Now, apparently, Mozilla wants to force me to move to a different CA, but the one that they're backing doesn't provide the same set of certs.

      --
      I am TheRaven on Soylent News
  2. It's not that bad. by narcc · · Score: 5, Insightful

    It's a system built on trust. If a CA is anything less than completely trustworthy, it's useless. A year long suspension looks like a slap on the wrist, when the obvious action is to drop them completely.

    1. Re:It's not that bad. by houstonbofh · · Score: 2

      I see it as too long for a warning (who can live a year with no income?) but too light to be serious. I really want to see more easy-to-use tools for users to drop authorities they do not trust. That will change things fast.

    2. Re:It's not that bad. by mikeiver1 · · Score: 1

      Totally agree, Trust is everything in this case and they are very untrustworthy. Guess I need to go through my certificates and remove those that are issued by these two companies.

    3. Re:It's not that bad. by SumDog · · Score: 1

      The SSL CA system has been broken for years. Remember Comodo and Iran?

      I know companies won't be going to LetsEncrypt anytime soon. They'll pay the premium for that little green icon (or is it blue. Fuck I don't pay attention anymore).

      LetsEncrypt basically does the bare minimum that you can honestly do with identity verification today: prove the owner of the domain is really who they say they are. If you're expecting more from SSL-CAs, you need a dose of reality.

    4. Re:It's not that bad. by Zocalo · · Score: 1

      You've read the list of hoops that they'll have to jump through to get re-listed, right? Assuming they survive the suspension to even try and get re-listed, that is. The real kicker is that they have to be audited by an agency appointed by Mozilla before that happens, which doesn't seem like something they'd be too keen on at the best of times. If you look at some of the issues Mozilla has with them in the light of the normal modus operandi of the Chinese government, it would seem the chances of them actually requesting to have someone outside their control come along and subject them to an audit is pretty close to zero.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:It's not that bad. by Anonymous Coward · · Score: 0

      FYI, if you look at the later coverage of the Comodo breach, it turns out it was actually a single kid. There is a manifesto on one of the paste sites, which distinctly attacks the media for being so quick to blame the Iranian government instead of just a solitary individual.

    6. Re:It's not that bad. by marcansoft · · Score: 1

      It's not a year-long suspension. It's a permanent suspension of trust in their current roots. They can, however, re-apply after one year - with extra auditing over what is normally required - and if and when they pass that they may be let in again. If they do nothing, they don't get back in for free after a year.

    7. Re:It's not that bad. by Anonymous Coward · · Score: 0

      Playing devil's advocate: nothing is actually stopping them from re-applying under a different business name and with different owners. I think most of us understand how important a part being able to issue SSL certs plays in terms of censorship and spying etc.

      In light of the importance of trust of CAs, I actually think that they got off light...

    8. Re:It's not that bad. by stooo · · Score: 1

      >> The real kicker is that they have to be audited by an agency appointed by Mozilla

      Many and continuous audits are normal and needed for a CA. Why do you think it's too much?

      --
      aaaaaaa
    9. Re:It's not that bad. by TheRaven64 · · Score: 1

      And yet a CA that was seriously compromised by 'a single kid' is still trusted by Mozilla, whereas the CA that provides the best competition for Mozilla-backed Let's Encrypt is subject to sanctions.

      --
      I am TheRaven on Soylent News
    10. Re:It's not that bad. by Anonymous Coward · · Score: 0

      Not getting to choose your auditor changes the relationship with the auditor. This auditor will work for Mozilla, not for WoSign, though WoSign has to pay. Their duty is to tell Mozilla if there's a problem, not to work with WoSign to find a way to give it a clean bill of health. I believe all the CA audits should work that way, I have written at length about this elsewhere.

      In fact I suspect _financial_ audits ought to be changed too. The Big Four (one of which, EY Hong Kong, Mozilla openly criticised for its role in this mess) aren't doing the job they're paid to do. I believe they're capable, given the proper motivation, but I would also be happy to be proved wrong and see them all destroyed. We can't keep going along like this though.

  3. A big American company wouldn't get the same.. by Anonymous Coward · · Score: 0

    I don't think a big American company would get the same treatment for making the same mistakes.

    1. Re: A big American company wouldn't get the same.. by Anonymous Coward · · Score: 0

      Find an example of an untrustworthy CA that got no punishment before?

      Chinese always cry foul when their corruption is found out.

    2. Re: A big American company wouldn't get the same.. by Anonymous Coward · · Score: 0

      Symantec, multiple times.

    3. Re: A big American company wouldn't get the same.. by stooo · · Score: 1

      Americans don't have to cry foul when their corruption is found out because it's simply pushed under the carpet.

      --
      aaaaaaa
    4. Re: A big American company wouldn't get the same.. by TheRaven64 · · Score: 1

      Comodo.

      --
      I am TheRaven on Soylent News
  4. SSL certificates are almost a failed system by Anonymous Coward · · Score: 0

    Long live SSL? Or should we quicken its demise and end the empire of SSL certificate charges?

    Who in security thinks they are trustable? Too many breaches of trust and who knows how many covered up ones by state actors?

    1. Re:SSL certificates are almost a failed system by houstonbofh · · Score: 1

      Almost? What do you need for failure?

  5. I revoke all certificates distributed by Mozilla by Anonymous Coward · · Score: 0

    I don't know these CAs, I don't trust them, and Mozilla shouldn't be in the business of deciding who I trust by default.

  6. The entire security of the internet by surfdaddy · · Score: 5, Insightful

    ...depends upon the flawed root CA system. These companies have repeatedly failed to do their primary job of cooperating with established rules and protocols. They've failed to report breaches, they've issued certificates erroneously for other domains and then not reported it. This has been done repeatedly, and is the PRIMARY function of a CA. I don't consider it "draconian" at all, it seems pretty charitable for their timeout to be only one year instead of permanently. It's also an example to other certificate authorities that the rules actually have some teeth.

    1. Re:The entire security of the internet by BenFranske · · Score: 1

      I think it's a substantial exaggeration to say that the entire security of the Internet relies on the root CA system. There are a lot of organizations and people running encrypted communications over the Internet that are PSK or internally signed certificates. Think VPN connections. While a lot of public services such as web servers, email servers do rely on a very flawed CA system my point is that even if the entire CA system crumbled (which would be bad as I haven't seen any legitimate proposals about what to replace it with) that would not be the end of security on the Internet.

  7. A great idea! by Anonymous Coward · · Score: 0

    Sure it will cause a number of customers pain in having to search for another provider and again yes it will cause major pain to WoSign and StartCom, however in an age where secure communications are becoming more and more pivotal to ensuring a safer experience we need to make sure that issuers are aware that they also have a responsibility to uphold.
    Sure if an end-user or a web host fails to secure their communication it should be on them, but when a provider fails to provide a secure service or are acting in a questionable manner then we need to make sure that they are held accountable too!

    1. Re:A great idea! by Anonymous Coward · · Score: 1

      That's an optimistic assessment of Mozilla's actual influence on the market. Firefox has been circling the drain for a couple years already.

      http://www.ghacks.net/2016/06/09/why-firefox-will-continue-to-lose-market-share/

    2. Re:A great idea! by higuita · · Score: 1

      What makes you think that cutting off even 15% of the market is something that people can ignore?
      Also, what makes you think that Google, Microsoft and Apple will not do the same thing? This was found by Mozilla, but all browsers are usually in sync on CA matters.

      --
      Higuita
  8. The real solution is simple. by Anonymous Coward · · Score: 0

    Look, I realize the population is chunked up into groups of zombie types but...

    Those groups can certainly teach such a simple process to their minions.

    Just use a simple ssh first try auth scheme.

    Self sign certificates and request authorization on the first try. If it changes, say hey, something's wrong; the websites or ssl servers can add a message that says it's a new certificate.

    You could even go as far as having peer groups for trusted certs, more like a blockchain than a signing authority though.

    You could also use something like Electrum's hash to keywords thing for letting people keep track of their keys reasonably but it's probably easier to just show them the meta info held in the key saying the url or ssl socket.

    Seems simple, I can't think of a good reason a very authority would be made in the first place. Maybe they didn't know or didn't slow up and think or maybe they were malicious. Either way, fix it right.

    1. Re:The real solution is simple. by darkain · · Score: 1

      And to the average user, what you're suggesting is just another "click [OK] to continue" prompt on every web site that'll be ignored due to the commoner's lack of understanding of information security. Plus when you add LetsEncrypt's recommendation of expiring certs every 30 days (they max at 90, but recommend replacing them sooner), that means at least once a month users will be prompted for a new cert. Even as an informed user, how can you be reasonably sure the new cert is coming from the intended source and not a MitM attack?

    2. Re:The real solution is simple. by Anonymous Coward · · Score: 0

      Let's Encrypt recommends replacing after 60 days, and only for operational convenience. Certbot (which used to be the Let's Encrypt client but was renamed and moved to EFF itself to make the difference between the client and the CA clearer) won't try to renew certificates with more than 30 days _left_ on them by default for this reason.

    3. Re:The real solution is simple. by tepples · · Score: 1

      The model you propose is called trust on first use (TOFU). TOFU is vulnerable to a man in the middle (MITM) on the first connection, but this can be worked around with the Perspectives add-on, which checks the server through multiple routes through the Internet to see if the certificate matches.

    4. Re:The real solution is simple. by Anonymous Coward · · Score: 0

      Not a problem. Simply have the user trust a site-specific self-signed CA (or intermediate) cert on first visit instead. Ideally trust would default to the context of that site only, and use HPKP on the CA. You eliminate entire classes of MitM attacks and you can change your cert every hour if you like.
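An added example, not from anyone in the thread above: a minimal pin store that runs the same three connections through the two policies argued about here, plain trust-on-first-use on the server's own key versus pinning the key that signs it (the HPKP-style idea in the last reply). The "certificates" are constructed records with made-up key bytes; `spki_hash` stands in for the SHA-256-over-SubjectPublicKeyInfo that pin-sha256 carries.

```python
"""TOFU on the leaf key vs. pinning the issuing key. Added illustration of the
thread above, not any project's code. All key material is constructed bytes."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Presented:
    host: str
    leaf_spki: bytes      # DER SubjectPublicKeyInfo of the server's cert (constructed here)
    issuer_spki: bytes    # SPKI of the key that signed the server's cert


def spki_hash(spki: bytes) -> str:
    # HPKP's pin-sha256 is base64(SHA-256(SPKI)); hex is fine for a local store.
    return hashlib.sha256(spki).hexdigest()


class PinStore:
    """policy='leaf'   pins the server's own key (pure TOFU)
       policy='issuer' pins the signing key, so the leaf can rotate freely"""

    def __init__(self, policy: str):
        if policy not in ("leaf", "issuer"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self._pins: Dict[str, str] = {}

    def _pinned_value(self, p: Presented) -> str:
        return spki_hash(p.leaf_spki if self.policy == "leaf" else p.issuer_spki)

    def verify(self, p: Presented) -> str:
        """'first-use' (nothing known yet, pin recorded), 'match', or 'MISMATCH'.
        The first-use path is the one an on-path attacker wins outright."""
        value = self._pinned_value(p)
        known = self._pins.get(p.host)
        if known is None:
            self._pins[p.host] = value
            return "first-use"
        return "match" if known == value else "MISMATCH"


def scenario() -> Dict[str, List[str]]:
    """Three connections to one host under both policies:
    first visit, a routine renewal with a fresh key from the same issuer,
    and an interception that presents a cert from a different issuer."""
    issuer = b"constructed-issuer-spki"
    attacker_issuer = b"constructed-attacker-issuer-spki"
    visits = [
        Presented("example.test", b"leaf-key-1", issuer),
        Presented("example.test", b"leaf-key-2", issuer),
        Presented("example.test", b"mitm-key", attacker_issuer),
    ]
    results = {}
    for policy in ("leaf", "issuer"):
        store = PinStore(policy)
        results[policy] = [store.verify(v) for v in visits]
    return results
```

Under the leaf policy the renewal and the interception look identical (both MISMATCH), which is the objection raised above; under the issuer policy the renewal passes and only the foreign issuer trips. The caveat is the mirror image: issuer pinning is exactly as strong as the issuer's refusal to sign for the wrong party, which is what this whole story is about.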

  9. Re:I revoke all certificates distributed by Mozill by NotInHere · · Score: 2

    But you trust your OS vendor then?

  10. Draconian? by penguinoid · · Score: 3, Insightful

    What's draconian about not trusting someone proven to be untrustworthy? Is it because their only job was to be trustworthy?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Draconian? by Zocalo · · Score: 4, Interesting

      As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around a year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.

      Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the record I think that WoSign really screwed up, they deserve what they get, and this is a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Draconian? by h4ck7h3p14n37 · · Score: 1

      I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code?

      What obligation does Mozilla have to include anyone's CA certificate with their products?

      Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.

      This doesn't mean that WoSign and Startcom can't issue certificates, it just means that end-users will need to do the extra step of importing and trusting their root certificates. You can view that as a bad thing, but in my opinion browsers currently ship with way too many trusted CAs. I have 176 separate root CAs in my keychain at the moment. People should be used to the process of adding additional certificates as needed instead of getting a huge set of defaults.

  11. We need a web of trust by GuB-42 · · Score: 2

    The CA model is broken.
    The fundamental difference between a CA and a web of trust is that in a CA model, only the CA signs your certificate while in a WoT, the certificate can be signed by as many signers as you want, which means you don't have a single point of failure.
    For example StartCom may not be worth your entire trust but it is still better than nothing. And complemented by, say, a few independent, free authorities, it starts getting good because the attacker now has several different targets. This is not an option with CAs as we have now, that's blind trust or nothing.

    1. Re:We need a web of trust by CrashNBrn · · Score: 3, Interesting

      All we should have is the "Registrar Model":
      Register Domain, Get Domain & Certificate from Registrar.
      Use Certificate to sign a "fingerprint" of your Server.
      Register the signed "fingerprint" with your Domain Registrar.

      Domain Lookups would include the signed fingerprint of your server.
      Done.

    2. Re:We need a web of trust by tepples · · Score: 1

      There's one way to emulate that in the current model:

      • Register domain.
      • Generate keypair on your server. The CSR, derived from the public key, acts as a fingerprint.
      • Upload CSR to CA owned by registrar.
      • Registrar-CA issues certificate.
      • Use HTTP Public Key Pinning to ensure only your registrar can issue certificates.

      In theory, there's another way:

      • Register domain.
      • Generate keypair on your server.
      • Add a self-signed certificate to your domain using a DANE TLSA record.
      • Sign your domain with DNSSEC.

      But as I understand it, the big problem with DNSSEC right now is that the root zone is signed with only a 1024-bit key, and for this reason, browser makers are dragging their feet on recognizing DANE.
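An added example, not from the comment above: building and matching a DANE TLSA record (RFC 6698) for the self-signed-plus-DNSSEC path sketched in the second list. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and DNSSEC validation of the record is assumed to have been done by the resolver; the code only covers the usage-3 (DANE-EE) case the comment describes, since usages 0-2 need PKIX or chain processing on top.

```python
"""TLSA record construction and DANE-EE matching per RFC 6698.
Added illustration; cert/SPKI bytes are constructed, DNSSEC is assumed validated."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    matching: int    # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

    def rdata(self) -> str:
        """Presentation form as it would appear in the zone, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def _association(matching: int, blob: bytes) -> bytes:
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert_der: bytes, spki_der: bytes,
              usage: int = 3, selector: int = 1, matching: int = 1) -> TLSA:
    """Default '3 1 1': pin the SPKI hash, so the cert can be re-issued on the same key."""
    blob = spki_der if selector == 1 else cert_der
    return TLSA(usage, selector, matching, _association(matching, blob))


def parse_tlsa(rdata: str) -> TLSA:
    usage, selector, matching, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def dane_ee_matches(records: List[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record matches the presented end-entity cert.
    Records with other usages, or an unknown matching type, are skipped."""
    for rec in records:
        if rec.usage != 3:
            continue
        blob = spki_der if rec.selector == 1 else cert_der
        try:
            if _association(rec.matching, blob) == rec.data:
                return True
        except ValueError:
            continue
    return False
```

The selector choice is the operational point: with `3 0 1` every re-issue changes the record (and has to wait out the DNS TTL), while `3 1 1` keeps matching as long as the key is unchanged, which is what makes frequent certificate rotation workable.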

    3. Re:We need a web of trust by stooo · · Score: 1

      >> For example StartCom may not be worth your entire trust but it is still better than nothing.
      No. Corrupt CAs are worthless

      --
      aaaaaaa
    4. Re:We need a web of trust by AmiMoJo · · Score: 1

      How does that help identify when a web site is genuine? Currently when I go to my bank's web site I can confirm that the certificate belongs to them and that it was verified by a (hopefully) trustworthy third party. I'm fairly sure I'm not entering my details into a fake site.

      What we need is two identity verification methods. One verifies the server for the purposes of setting up an encrypted link. The other verifies the identity of the site owner for the purposes of doing business or sharing secrets with them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:We need a web of trust by omnichad · · Score: 1

      StartCom may not be worth your entire trust but it is still better than nothing

      A false sense of security is actually worse than nothing.

  12. Damnit, I'm on Startcom by Indy1 · · Score: 1

    Guess I need to get my certs moved over to someone else. Fortunately there's some other free options that look promising.

    https://letsencrypt.org/

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:Damnit, I'm on Startcom by higuita · · Score: 1

      read the article: only NEW certs will be distrusted, existing ones will keep working until they expire.
      In a year, if they behave and follow all rules, they MAY be trusted again.... if they keep doing wrong things, they will be removed.
      basically, mozilla removed the CA market from them for one year as penalty

      --
      Higuita
    2. Re:Damnit, I'm on Startcom by kav2k · · Score: 1

      That's one option. Are there others left?

      I was only aware of WoSign (which I happened to start using, before LetsEncrypt was released) and StartCom as alternatives for free trusted SSL certs.

    3. Re:Damnit, I'm on Startcom by kav2k · · Score: 1

      Note: if they cheat again, trust in existing ones will be pulled without warning.

    4. Re:Damnit, I'm on Startcom by Anonymous Coward · · Score: 0

      Ahem, right now every reader of this site is deleting trust in any and all certificates from those CAs.

    5. Re: Damnit, I'm on Startcom by heypete · · Score: 1

      For completely free certs? Those are the only ones I know.

      Sites like ssls.com sell, among others, Comodo DV certs for like $5/year. Not free, but close enough for most purposes.

  13. No CA is the New Black by Anonymous Coward · · Score: 1

    How about don't use a CA at all? Self sign your certificates in your organization. Expect everyone you do business with to verify and install your certs rather than trusting Mozilla to trust a third party. Oh... and staff up your help desk to answer questions like, "I didn't need to do this with Amazon. Why are you guys so stupid?"

    1. Re:No CA is the New Black by Ash-Fox · · Score: 1

      How about don't use a CA at all? Self sign your certificates in your organization. Expect everyone you do business with to verify and install your certs rather than trusting Mozilla to trust a third party. Oh... and staff up your help desk to answer questions like, "I didn't need to do this with Amazon. Why are you guys so stupid?"

      If browser vendors bothered implementing RFC 6698, we wouldn't need CAs.

      --
      Change is certain; progress is not obligatory.
    2. Re: No CA is the New Black by Anonymous Coward · · Score: 0

      Yeah, because that will work on a public facing website.

  14. Seems fair by Improv · · Score: 1

    If you can't remove problematic certs by a vendor or penalise them for misdeeds, then they have no constraints. User trust is more important.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  15. Not enough by b1ng0 · · Score: 4, Insightful

    In my opinion, this does not go far enough. These entities are in the business of trust. Once you break that trust ONCE, it should be game over! No warnings, slap on the wrist, suspensions or other nonsense. You break that trust and you should be removed permanently.

    1. Re:Not enough by SumDog · · Score: 2

      Comodo should have had all their keys revoked forever ago.

    2. Re:Not enough by StandardCell · · Score: 1

      You're 100% right. Anything but the death penalty for a CA after a thorough independent investigation sends the message that this behavior will be tolerated in some fashion. That should never ever be the case with a CA in particular, or the viability of web commerce and trusted information exchange would be at substantial risk.

      We have enough security problems with clients, data breaches and end user stupidity to have to deal with this.

    3. Re:Not enough by Anonymous Coward · · Score: 0

      This could also be a way for people to consider Firefox again. If they are actually serious about keeping people safe by policing the CAs, rather than rubber-stamping CAs, it starts looking better as an alternative.

    4. Re:Not enough by marcansoft · · Score: 1

      Speaking of Comodo... (bonus: WoSign owner also tries to step in and makes a fool of himself).

  16. Going after the Chinese by Anonymous Coward · · Score: 1

    what about the whole Bluecoat thing? Or when the other big CAs did wrong? It's just an issue when it's a non-U.S. based CA, is it?

    1. Re:Going after the Chinese by Anonymous Coward · · Score: 0

      Waa waa. Go back home Mr. China man.

    2. Re:Going after the Chinese by stooo · · Score: 1

      Yes. American CAs are corrupt by law.

      --
      aaaaaaa
    3. Re:Going after the Chinese by Anonymous Coward · · Score: 0

      Yes, these Chinese CAs have fucked up and been shown to be untrustworthy.
      But as the OP mentioned so have several US based companies ( Bluecoat and Comodo for starters).
      But hey, let's sweep that under the carpet and pretend that never happened so we can paint the USA in a good light, and the Chinese in bad one.

      Grow up you ignorant flag waving twat.

  17. distrust them by Lehk228 · · Score: 1

    go into advanced settings and distrust those two CAs, it takes less than a minute.

    --
    Snowden and Manning are heroes.
    1. Re:distrust them by higuita · · Score: 1

      no need for that... Firefox will distrust NEW certs, but keep old ones working (minus these 62 back-issued certs)
      there is no info to make the other certs invalid, you will only be breaking random innocent sites

      --
      Higuita
  18. Are they big enough? by mhkohne · · Score: 1

    Is Mozilla big enough (in the form of Firefox) for the rogue CA in question to care what Mozilla does? I've no idea whose numbers are reliable, but the first set I found indicated that Firefox has less than an 8 percent share of the browser market, with IE @ ~27% and Chrome @ ~53%. If that's even close to true, is Mozilla taking an action like this relevant? Or will it just push people into dropping Firefox?

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Are they big enough? by higuita · · Score: 1

      yes. for 3 reasons:
      - when you get a CA, you want it to work in all browsers... market share may not be high, but it is still a very popular browser. spreading the word that the site does not work in all browsers is enough to cause panic in many people

      - Mozilla, Microsoft, Google and Apple are usually in sync about CA issues. This was found by Mozilla and they decided the action they will take... other companies will now analyze this and take their own actions. As Mozilla's action is a good one, it may be accepted by the other companies as well. The political power of Mozilla is a lot higher than the 8%

      - MS Edge has 5%, less than Firefox... would you ignore it? market share numbers change a lot across countries, sites, user type and type of device. Mozilla on mobile has a very low market share and higher on desktop... all this is just junk numbers, when users start to complain, the perceived small market share number seems to increase by magic :)

      --
      Higuita
    2. Re:Are they big enough? by Zocalo · · Score: 1

      Firefox alone, possibly not. However, Mozilla's certificate store is also the one commonly used by NSS on Linux which might not be so big on the web browser front, but that's going to cause a lot of problems for people trying to use any post-revocation WoSign/Startcom certificates to send email through Linux gateways using TLS. Also, while I didn't mention it in the submission since it's far from certain, there's a reason the response is on GoogleDocs; one of the authors (Ryan Sleevi) is a Google employee heavily involved in CA management for Chromium, so it's possibly just a matter of time before Google Chrome drops them as well. Historically on CA trust violations Mozilla, Google and Microsoft have generally all done the same thing in roughly the same timeframe, so if both Mozilla and Google are going to revoke...

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Are they big enough? by ChoGGi · · Score: 1

      If you noticed at the bottom of the doc it mentions Ryan Sleevi (also see https://wiki.mozilla.org/CA:Po...)
      So at least in some fashion Google is involved as well

    4. Re: Are they big enough? by Anonymous Coward · · Score: 0

      Firefox is over 50% of the German market.
      If you only care about the Asian market you don't need to support firefox, but you definitely are essentially giving up the European market if you ignore Firefox.

    5. Re:Are they big enough? by Anonymous Coward · · Score: 0

      Google actually uses Mozilla's certificate list for Android. So yea, this means all android devices updated after the to be determined date, will not trust the cert.

  19. Impact by DigiAngel69 · · Score: 1

    Which will impact less than 8% of the market: https://www.netmarketshare.com...

    1. Re:Impact by marcansoft · · Score: 1

      Until Google does exactly the same thing in Chrome... which they probably will, as one of the authors of that document works for Google.

  20. read the article: only NEW certs will be distrusted by higuita · · Score: 1

    please read the article... only the NEW certs will be distrusted, old ones will stay valid until they expire. You might have problems only on renewals...

    If they behave well and follow all the rules, in one year they may be trusted again... if they keep trying to issue certs using past dates, they will be totally removed and if they ever try to re-enter the CA business, they will have to follow again all the audits, tests, checks, etc... takes ages, lots of money and in the end, Mozilla can still say "NO"

    --
    Higuita
  21. A shot at Ernst & Young also by harryk · · Score: 4, Interesting

    I thought the 'punishment' was an interesting take to show a loss of trust, after a certain date and the ability to regain it after a period of time. I found it slightly more interesting that Mozilla would also choose to no longer accept audits conducted by Ernst & Young. That could potentially be huge as it shows (at least in some manner) that their auditors were not conducting a thorough audit or did not have the technical prowess to fully audit a CA.

    --
    think before you write, it'll save me moderator points.
    1. Re:A shot at Ernst & Young also by Anonymous Coward · · Score: 0

      Exactly my thoughts. Go look at globalsign/symantec/comodo in cn/hk - they use E&Y as well. This has much larger ramifications...

    2. Re:A shot at Ernst & Young also by Zocalo · · Score: 4, Informative

      It's actually "Ernst & Young (Hong Kong)" - i.e. "China" - specifically, rather than Ernst and Young in general, but that caught my eye as well. In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it, and especially so if you keep in mind what some of WoSign's "errors" might enable in terms of censorship and surveillance.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:A shot at Ernst & Young also by Anonymous Coward · · Score: 0

      EY Hong Kong. Each EY business is notionally separate. Eyebrows will be raised, but this doesn't _on its own_ affect audits from say, EY in the US or UK.

    4. Re:A shot at Ernst & Young also by SlashdotOgre · · Score: 1

      Personally I lost my faith in E&Y after I saw some of their creative accounting techniques around the sale and depreciation of virtual goods for companies like Zynga.

      --
      Sadly, PS/2 was yet another victim of USB, which doesn't care what you plug into it, the electrical slut.
    5. Re:A shot at Ernst & Young also by Anonymous Coward · · Score: 0

      In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it

      Politic likely has little to do with it. I suspect Mozilla (lawyers) are trying to stay on the defensible side of any potential lawsuit.

  22. The whole system is broken by Sax+Russell+5449D29A · · Score: 1

    It's not just a few CAs, it's the whole system. The CA system is built on trust and there has been no trust left in the system in years. The whole idea of encrypted communications between web browsers and web servers needs to be reworked and somehow decentralized so that rogue CAs will eventually die out.

    --
    -SR
    1. Re:The whole system is broken by Anonymous Coward · · Score: 0

      so that rogue CAs will eventually die out.

      So that all CAs will eventually die out - the whole system sucks.

    2. Re:The whole system is broken by nnull · · Score: 1

      Lets just wipe it all and start over. The whole system stinks.

    3. Re:The whole system is broken by Anonymous Coward · · Score: 0

      When the next-generation TLS-like tech is implemented, I'm pretty sure that in light of e.g. Snowden's revelations, the decentralized approach will be on the table. And that it will indeed not be based on trust anymore, but on active verification and validation.

    4. Re:The whole system is broken by Ash-Fox · · Score: 1

      Don't need to, just get browser vendors to implement support for RFC 6698.

      --
      Change is certain; progress is not obligatory.
  23. Expensive & hard to coordinate by StandardCell · · Score: 1

    The certificate business is big money. It's possible some companies may be able to purchase certs from multiple vendors but it adds up very quickly, and activities like expiration dates have to be aligned among the vendors, which is tricky with multiple large contracts. Only the biggest companies will be able to do this, leaving the rest to single and/or smaller CAs.

    Yet does that really make an entity's presence on the public Internet inherently more trustworthy? If I was to get certs from Verisign, Thawte and Let's Encrypt, that's not saying much since Let's Encrypt does DV and not EV certs. If you have a breach of one CA but not the other, who do you trust and why? What does that result even mean? Best two out of three or three of five? It's not entirely out of the realm of possibility that smaller CAs could be simultaneously compromised, which is why the larger companies mostly go to that company based in Northern Virginia that has been rock solid if nothing else.

    I think smaller lesser-known entities like these Chinese CAs will be perpetually more risky to obtain certs from. It's just what it is. As you go up the chain the certs get progressively more expensive but more trusted as well. As long as there is a commercial interest in selling certs, I don't think the current situation will change. It's just another warning just like Diginotar and others have demonstrated and Mozilla is IMO being overly lenient and perpetuating the problems currently supporting the "list of trusted CAs in the browser" model.

  24. Better rouge than dead? by Anonymous Coward · · Score: 0

    They may be rouge, but their money's green!

  25. Not far enough by cpm99352 · · Score: 1

    Take a look at Mozilla's trusted CAs. It is a joke. They need to be harsher. First abuse, cut them off. It also needs to be easier for users to remove trusted CAs from Firefox.

    Read the account of how WoSign handed out the key to GitHub.

  26. What? by nyet · · Score: 3, Insightful

    As if WoCom and Startcom are any less trustworthy than the rest of the despicable commercial CA signers.

  27. Permanent ban is the appropriate recourse by LeftCoastThinker · · Score: 1

    In an industry where trust is essentially the product, and critical to the system, Mozilla should have permanently banned them along with a lifetime ban on the executive level management. Punishment for abuse of the trust system should be harsh if an independent audit shows wrongdoing.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  28. the linked explanation seems weak by bloodhawk · · Score: 1

    Reading through the incidents most of them are bugs or glitches with no malice intended, or at least no obvious malice with a little bit of neglect, all of which you could also claim about Mozilla browsers. Is there something not listed on the linked page to justify blocking them? By the same standard should users all be stopping using Mozilla browsers for the next 12 months till they are not the most insecure browser on the net?

    1. Re:the linked explanation seems weak by Anonymous Coward · · Score: 0

      a very interesting point. I, as an ISP, am getting sick of my users being breached by bugs in Mozilla; do I block or redirect all traffic with an L7 packet fingerprint indicating they are using Mozilla? the temptation is significant. perhaps I no longer trust carrying Mozilla traffic across my network.

  29. RFC 6698 by Ash-Fox · · Score: 2

    If browser vendors were really serious about certificate security, we would have RFC 6698 as standard in browsers already.

    --
    Change is certain; progress is not obligatory.
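Two technical claims recur in this thread: that Mozilla's penalty hits only certificates issued after a cutoff date while leaving older ones valid until they expire (comments 17.1 and 20 above), and that RFC 6698 (DANE/TLSA) would let browsers verify a server without any CA at all (comments 13.1, 22.4 and 29). Both checks have to pull the same fields out of a DER-encoded X.509 certificate, so the following added example implements them over one small DER walker. This is illustrative code written for this page, not code from the thread, from Mozilla's proposal or from any browser. Its assumptions: the cutoff date is a placeholder (the article says the real one was still to be determined); a "distrusted CA" is identified by the SHA-256 of its SubjectPublicKeyInfo, which is one reasonable key but not necessarily how any browser does it; and the certificates are constructed in the block with zero-filled signatures, so signature and chain validation are deliberately out of scope.

```python
"""Added example: not from the Slashdot thread, Mozilla's document, or any browser's code.
Two checks that both need fields from a DER X.509 certificate: (1) the date-cutoff distrust
rule the thread describes and (2) RFC 6698 (DANE/TLSA) matching, which consults no CA.
Stdlib only; test certs are constructed below with zero-filled signatures, so signature and
chain validation are deliberately out of scope."""
import hashlib
from datetime import datetime, timezone
from functools import partial

# --- minimal DER helpers (single-byte tags, definite lengths: enough for X.509) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def _tlv(buf, pos):
    """Return (tag, element_start, value_start, value_end) for the TLV at pos."""
    tag, length, p = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, p = int.from_bytes(buf[p:p + n], "big"), p + n
    return tag, pos, p, p + length

def _children(buf, start, end):
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][3]
    return out

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 maps YY >= 50 to 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(cert):
    """Extract issuer, subject, SPKI (all raw DER) and validity from a DER certificate."""
    _, _, s, e = _tlv(cert, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs = _children(cert, s, e)[0]
    fields = _children(cert, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject, spki = fields[:6]
    nb, na = _children(cert, validity[2], validity[3])
    return {"issuer": cert[issuer[1]:issuer[3]], "subject": cert[subject[1]:subject[3]],
            "spki": cert[spki[1]:spki[3]], "not_before": _time(nb[0], cert[nb[2]:nb[3]]),
            "not_after": _time(na[0], cert[na[2]:na[3]])}

# --- check 1: date-cutoff distrust (placeholder date: the article says it was still TBD) ---
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
def spki_sha256(cert):
    return hashlib.sha256(parse_cert(cert)["spki"]).hexdigest()

def evaluate_chain(chain, distrusted_spki, cutoff=CUTOFF):
    """chain[0] is the end-entity cert, chain[1:] its issuers (DER). Returns (trusted, reason)."""
    if not any(spki_sha256(c) in distrusted_spki for c in chain[1:]):
        return True, "no distrusted CA in chain"
    if parse_cert(chain[0])["not_before"] >= cutoff:
        return False, "issued on/after cutoff under a distrusted CA"
    return True, "issued before cutoff; trusted until notAfter"

# --- check 2: RFC 6698 TLSA matching (usage 3, DANE-EE: the record itself is the trust anchor) ---
def tlsa_association(cert, selector, matching_type):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert if selector == 0 else parse_cert(cert)["spki"]
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[matching_type]

def tlsa_matches(cert, selector, matching_type, association):
    return tlsa_association(cert, selector, matching_type) == association

# --- constructed, unsigned test certificates (for exercising the checks only) ---
_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01])              # OID 1.2.840.113549.1.1
_SIG_ALG = _der(0x30, _der(0x06, _RSA + b"\x0B") + _der(0x05, b""))          # sha256WithRSAEncryption
def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def make_cert(issuer_cn, subject_cn, not_before, not_after, key_bits):
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    spki = _der(0x30, _der(0x30, _der(0x06, _RSA + b"\x01") + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SIG_ALG + _name(issuer_cn)
               + _der(0x30, utc(not_before) + utc(not_after)) + _name(subject_cn) + spki)
    return _der(0x30, tbs + _SIG_ALG + _der(0x03, b"\x00" + bytes(16)))

_D = partial(datetime, tzinfo=timezone.utc)
CA_CERT = make_cert("Example CA", "Example CA", _D(2014, 1, 1), _D(2034, 1, 1), b"\x01" * 32)
OTHER_CA = make_cert("Other CA", "Other CA", _D(2014, 1, 1), _D(2034, 1, 1), b"\x02" * 32)
LEAF_BEFORE = make_cert("Example CA", "www.example.test", _D(2016, 6, 1), _D(2017, 6, 1), b"\x03" * 32)
LEAF_AFTER = make_cert("Example CA", "www.example.test", _D(2016, 11, 1), _D(2017, 11, 1), b"\x04" * 32)
DISTRUSTED = {spki_sha256(CA_CERT)}

if __name__ == "__main__":
    for label, leaf in (("before cutoff", LEAF_BEFORE), ("after cutoff", LEAF_AFTER)):
        print(label, evaluate_chain([leaf, CA_CERT], DISTRUSTED))
    print("TLSA 3 1 1:", tlsa_matches(LEAF_AFTER, 1, 1, tlsa_association(LEAF_AFTER, 1, 1)))
```

Two caveats the thread touches on are visible in the code. First, `notBefore` is written by the issuing CA, so a cutoff check on its own cannot detect back-dating; catching that needs outside evidence such as CT log entries or the issuance records the thread's "62 back-issued certs" remark refers to, which is why the proposal treats back-dating as grounds for full removal rather than something the browser can filter. Second, `tlsa_matches` implements only certificate usage 3 (DANE-EE); usages 0 and 1 in RFC 6698 still require ordinary PKIX chain validation, so "just implement RFC 6698" removes the CA only if operators publish usage 2 or 3 records and clients trust DNSSEC-validated answers.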
  30. Mozilla not going far enough by Anonymous Coward · · Score: 0

    I removed trust for all Startcom certificates on my machine soon after reading this piece. I did not find WoSign roots, so I'm guessing their path leads up to Startcom.

    One of these days I will have to spend some time and find a list of the "good" certificates (track record of zero policy breaches), and only leave those on my machine.