Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom?

Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

I'm Confused

[MightyMartian]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

Re: I'm Confused

[n0creativity]

When I signed my organization up with StartCom (StartSSL) 18 months ago, I did a few hours of research in attempt to do my due diligence. Unfortunately I found absolutely no information tying StartCom to WoSign or any Chinese groups. Had I known who was actually behind StartCom, I would have found another solution. I'm sure that I'm not the only admin in this position.

Re: I'm Confused

[Kupo]

TFA mentions that:

8 Issue R: Purchase of StartCom (Nov 2015)

So it happened less than a year ago. What you researched 18 months ago was probably legit. The acquisition happened after your issuance. That said, having been a long time user of StartCom/StartSSL, I find this is depressing it's gone this route. But I've moved on to LetsEncrypt recently anyways, since the StartSSL website was a royal PITA to use, and LetsEncrypt works much more fluidly.

Sad, but time to move on, I guess.

Re:I'm Confused

[houstonbofh]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

A better question is how do you know if your certificates are issued by a Chinese company? They have a lot of cash, and are buying a lot of companies...

Re: I'm Confused

[vux984]

Agreed. I used to use StartSSL certs for several things over the last decade. And I too have moved to and endorse (for whatever little that's worth) LetsEncrypt.

The official lets encrypt client didn't meet any of my needs when i first switched although it may be better now (!?) Things seem to have been moving along over there.

I currently use the acme.sh client on linux and it's been solid and easy to use. I don't have anything positive or negative to say about the multitude of other options. And again... things have likely moved along a lot since i switched a year ago.

Re:I'm Confused

[harryk]

Your comment only confirms that you didn't read the well written paper from Mozilla, which clearly explained that WoSign purchased StartCom, an Israel based company.

Re:I'm Confused

[Midnight+Thunder]

Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

Maybe ask the question differently: Why would you trust any company? In the end it comes down to the chain of trust, for which due diligence is part of, along with the fact no flags have been raised at any point. The flag here is that there is behaviour to create doubt, but why should it just be 'because it is Chinese'?

It's not that bad.

[narcc]

It's a system built on trust. If a CA is anything less than completely trustworthy, it's useless. A year long suspension looks like a slap on the wrist, when the obvious action is to drop them completely.

Re:It's not that bad.

[houstonbofh]

I see it as too long for a warning (who can live a year with no income?) but to light to be serious. I really want to see more easy to use tools for users to drop authorities they do not trust. That will change things fast.

The entire security of the internet

[surfdaddy]

...depends upon the flawed root CA system. These companies have repeatedly failed to do their primary job of cooperating with established rules and protocols. They've failed to report breaches, they've issued certificates erroneously for other domains and then not reported it. This has been done repeatedly, and is the PRIMARY function of a CA. I don't consider it "draconian" at all, it seems pretty charitable for their timeout to be only one year instead of permanently. It's also an example to other certificate authorities that the rules actually have some teeth.

Re:I revoke all certificates distributed by Mozill

[NotInHere]

But you trust your OS vendor then?

Draconian?

[penguinoid]

What's draconian about not trusting someone proven to be untrustworthy? Is it because their only job was to be trustworthy?

Re:Draconian?

[Zocalo]

As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.

Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the the record I think that WoSign really screwed up, they deserve what they get, and this a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.

We need a web of trust

[GuB-42]

The CA model is broken.
The fundamental difference between a CA and a web of trust is that in a CA model, only the CA signs your certificate while in a WoT, the certificate can be signed by as many signers as you want, which mean you don't have a single point of failure.
For example StartCom may not be worth your entire trust but it is still better than nothing. And complimented by, say, a few independent, free authorities, it starts getting good because the attacker now have several different targets. This is not an option with CA as we have now, that's blind trust or nothing.

Re:We need a web of trust

[CrashNBrn]

All we should have is the "Registrar Model":
Register Domain, Get Domain & Certificate from Registrar.
Use Certificate to sign a "fingerprint" of your Server.
Register the signed "fingerprint" with your Domain Registrar.

Domain Lookups would include the signed fingerprint of your server.
Done.

Not enough

[b1ng0]

In my opinion, this does not go far enough. These entities are in the business of trust. Once you break that trust ONCE, it should be game over! No warnings, slap on the wrist, suspensions or other nonsense. You break that trust and you should be removed permanently.

Re:Not enough

[SumDog]

Comodo should have had all their keys revoked forever ago.

A shot at Ernst & Young also

[harryk]

I thought the 'punishment' was an interesting take to show a loss of trust, after a certain date and the ability to regain it after a period of time. I found it slightly more interesting that Mozilla would also choose to no longer accept audits conducted by Ernst & Young. That could potentially be huge as it shows (at least in some manner) that their auditors were not conducting a thorough audit or did not have the technical prowess to fully audit a CA.

Re:A shot at Ernst & Young also

[Zocalo]

It's actually "Ernst & Young (Hong Kong)" - i.e. "China" - specifically, rather than Ernst and Young in general, but that caught my eye as well. In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it, and especially so if you keep in mind what some of WoSign's "errors" might enable in terms of censorship and surveillance.

What?

[nyet]

As if WoCom and Startcom are any less trustworthy than the rest of the despicable commercial CA signers.

RFC 6698

[Ash-Fox]

If browser vendors were really serious about certificate security, we would have RFC 6698 as standard in browsers already.