Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom? (google.com)

Posted by msmash on from the something-needs-to-be-done dept.

Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!

What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?

9 of 111 comments (clear)

  1. I'm Confused by MightyMartian · · Score: 4, Insightful

    Why in the hell would anyone trust certificates signed by a Chinese CA to begin with?

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re: I'm Confused by n0creativity · · Score: 5, Interesting

      When I signed my organization up with StartCom (StartSSL) 18 months ago, I did a few hours of research in attempt to do my due diligence. Unfortunately I found absolutely no information tying StartCom to WoSign or any Chinese groups. Had I known who was actually behind StartCom, I would have found another solution. I'm sure that I'm not the only admin in this position.

    2. Re: I'm Confused by Kupo · · Score: 5, Informative

      TFA mentions that:

      8 Issue R: Purchase of StartCom (Nov 2015)

      So it happened less than a year ago. What you researched 18 months ago was probably legit. The acquisition happened after your issuance. That said, having been a long time user of StartCom/StartSSL, I find this is depressing it's gone this route. But I've moved on to LetsEncrypt recently anyways, since the StartSSL website was a royal PITA to use, and LetsEncrypt works much more fluidly.

      Sad, but time to move on, I guess.

  2. It's not that bad. by narcc · · Score: 5, Insightful

    It's a system built on trust. If a CA is anything less than completely trustworthy, it's useless. A year long suspension looks like a slap on the wrist, when the obvious action is to drop them completely.

    --
    Required reading for internet skeptics
  3. The entire security of the internet by surfdaddy · · Score: 5, Insightful

    ...depends upon the flawed root CA system. These companies have repeatedly failed to do their primary job of cooperating with established rules and protocols. They've failed to report breaches, they've issued certificates erroneously for other domains and then not reported it. This has been done repeatedly, and is the PRIMARY function of a CA. I don't consider it "draconian" at all, it seems pretty charitable for their timeout to be only one year instead of permanently. It's also an example to other certificate authorities that the rules actually have some teeth.

  4. Not enough by b1ng0 · · Score: 4, Insightful

    In my opinion, this does not go far enough. These entities are in the business of trust. Once you break that trust ONCE, it should be game over! No warnings, slap on the wrist, suspensions or other nonsense. You break that trust and you should be removed permanently.

  5. Re:Draconian? by Zocalo · · Score: 4, Interesting

    As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.

    Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the the record I think that WoSign really screwed up, they deserve what they get, and this a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.

    --
    UNIX? They're not even circumcised! Savages!
  6. A shot at Ernst & Young also by harryk · · Score: 4, Interesting

    I thought the 'punishment' was an interesting take to show a loss of trust, after a certain date and the ability to regain it after a period of time. I found it slightly more interesting that Mozilla would also choose to no longer accept audits conducted by Ernst & Young. That could potentially be huge as it shows (at least in some manner) that their auditors were not conducting a thorough audit or did not have the technical prowess to fully audit a CA.

    --
    think before you write, it'll save me moderator points.
    1. Re:A shot at Ernst & Young also by Zocalo · · Score: 4, Informative

      It's actually "Ernst & Young (Hong Kong)" - i.e. "China" - specifically, rather than Ernst and Young in general, but that caught my eye as well. In fact, there's a lot of things about the write up that imply that Mozilla at least suspects some high level corruption on behalf of multiple actors in this but is just being politic about it, and especially so if you keep in mind what some of WoSign's "errors" might enable in terms of censorship and surveillance.

      --
      UNIX? They're not even circumcised! Savages!