Slashdot Mirror


Google Joins Mozilla and Apple In Distrusting WoSign and StartCom Certificates (csoonline.com)

itwbennett quotes a report from CSO Online: Following similar decisions by Mozilla and Apple, Google plans to reject new digital certificates issued by certificate authorities WoSign and StartCom because they violated industry rules and best practices. The ban will go into effect in Chrome version 56, which is currently in the dev release channel, and will apply to all certificates issued by the two authorities after October 21. Browsers rely on digital certificates to verify the identity of websites and to establish encrypted connections with them. Certificates issued before October 21 will continue to be trusted as long as they're published to the public Certificate Transparency logs or have been issued to a limited set of domains owned by known WoSign and StartCom customers. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," said Chrome security team member Andrew Whalley in a blog post Monday. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56. Sites that find themselves on the whitelist will be able to request early removal once they've transitioned to new certificates," Whalley said. "Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust."

  1. Re:pre-existing by guruevi · · Score: 4, Informative

    It's complicated. They're basically whitelisting all StartCom certificates before a certain issue date. However, WoSign silently took over StartCom and started sharing infrastructure and keys for about a year. When Mozilla investigated them for backdating weak certificates, they split up the operations again trying to 'fix' the situation and fired WoSign's CEO.

    Since they were sharing infrastructure for about a year and it's not sure how many certificates were backdated, a browser can't be sure when WoSign's key(s) and StartCom's key(s) were used to sign the certificate and whether or not it was backdated.

    So they can't "trust all pre-existing certificates" but they can trust certain ones (the ones they are sure were definitely issued and signed by StartCom before they were taken over).

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  2. Re: Alternatives? by viperidaenz · · Score: 1

    No client certificates, only domain verification certificates.

  3. Re:Alternatives? by dgatwood · · Score: 1

    Any alternatives out there that are free and provide server *and* client certificates which are valid for at least 12 months (letsencrypt fanboys, don't bother)...?

    No. All the other free certificates are limited to 90 days. The net effect of this decision is that only big companies and people with too much free time can afford TLS.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Re:pre-existing by Anonymous Coward · · Score: 1

    For small values of "fired". Richard Wang was still "acting CEO" last week and presumably remains in that position today.

    Supposedly this is until his employers (QiHoo 360 basically) get their act together and appoint someone new. But being serious for a moment, a $$$ corporation like that will have big hitters it is able to parachute in within hours for an executive crisis, two days at most. If QiHoo actually wanted Wang gone, he'd have vanished off the face of the Earth. So this is a sign that the "show of good faith" stuff was worthless and ultimately WoSign and probably StartCom are destined for an ignoble end.

  5. Yet Symantec remains? by Anonymous Coward · · Score: 1

    Yet Symantec continues to be trusted? Despite being caught issuing fake Google certs?
    https://www.eff.org/deeplinks/2015/09/symantec-issues-rogue-ev-certificate-googlecom

    And then there is BlueCoat, the certificate they issued them to let BlueCoat fake practically any certificate... but hey, it was for "security" right? So that BlueCoat could run anti-virus checks on encrypted data for companies, while somehow the company couldn't simply add BlueCoat to the trusted authorities list? And in no way was that cover for TLS interception by men in uniforms?

    Essentially nullifying any value in the certificates system in one go!

    Fook em, certificates should never expire, should never require renewing, you trust a certificate because over the years you use it it stays the same. Trust is built up over time, attackers cannot go back in time so you know it's the same site as it was years ago. Attackers cannot be 100% attack forever, so time will cleanse any attack. Time is security, nothing else.

    Certificate authorities are backdoors.

    1. Re:Yet Symantec remains? by lucm · · Score: 1

      And then there is BlueCoat, the certificate they issued them to let BlueCoat fake practically any certificate... but hey, it was for "security" right? So that BlueCoat could run anti-virus checks on encrypted data for companies, while somehow the company couldn't simply add BlueCoat to the trusted authorities list? And in no way was that cover for TLS interception by men in uniforms?

      At work they use a Bluecoat proxy. They configured that magnificent product to decrypt outgoing SSL on-the-fly and reencrypt it on the inside with fake SSL certificates. That way the "security" team can spy on encrypted traffic (such as my gmail password).

      In case you suspect your employer of doing the same thing, here's something I noticed. They apparently can't spoof issuers on the fly and there's too many of them to prepare in advance, so they use the same fake issuer for every single certificate. Corporate browsers are easy to tweak with stuff like GPO so they can't be relied on to inspect a certificate, but low-level tools like curl or wget can prove useful to show what's going on.

      Corporations who do this kind of thing are weakening SSL as a whole and they are creating a false sense of security. This is really bad.

      --
      lucm, indeed.
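The check lucm describes above, sketched in Python as an added example (not part of the original comment): collect the issuer each site presents and flag the case where one issuer signs every site. The `*.example` hosts, the CA names, and the threshold values are constructed for illustration.

```python
"""Flag a TLS-inspecting proxy by comparing certificate issuers across hosts."""
import socket
import ssl
from collections import Counter

SHORT = {"countryName": "C", "organizationName": "O", "commonName": "CN"}


def issuer_name(cert):
    """Flatten the 'issuer' field of SSLSocket.getpeercert() to 'C=.., O=.., CN=..'."""
    return ", ".join(
        f"{SHORT.get(key, key)}={value}"
        for rdn in cert.get("issuer", ())
        for key, value in rdn
    )


def fetch_issuer(host, port=443, timeout=5.0):
    """Live lookup: issuer of the leaf certificate this network path presents.

    Verification uses Python's default trust store. If the proxy's CA is not
    in it, the handshake raises ssl.SSLCertVerificationError, which is itself
    a sign that something other than a public CA signed the certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return issuer_name(tls.getpeercert())


def assess(observed, baseline=None, threshold=0.9, min_hosts=4):
    """Compare {host: issuer} seen on this network with a trusted baseline.

    verdict is 'suspect-interception' when one issuer covers >= threshold of
    at least min_hosts sites and that issuer never appears in the baseline.
    Without a baseline, choose sites from unrelated operators: several small
    sites can legitimately share one public CA.
    """
    if not observed:
        raise ValueError("no observations")
    dominant, hits = Counter(observed.values()).most_common(1)[0]
    share = hits / len(observed)
    single_issuer = len(observed) >= min_hosts and share >= threshold
    known = set(baseline.values()) if baseline else set()
    mismatches = sorted(
        host for host, issuer in observed.items()
        if baseline and host in baseline and baseline[host] != issuer
    )
    if single_issuer and dominant not in known:
        verdict = "suspect-interception"
    elif mismatches:
        verdict = "changed"  # a site may simply have switched CA; check by hand
    else:
        verdict = "clean"
    return {"verdict": verdict, "dominant_issuer": dominant,
            "share": share, "mismatches": mismatches}


# Constructed sample data (no real CAs or sites).
CA_A = "C=US, O=Example Public CA A, CN=Example Public CA A R1"
CA_B = "C=US, O=Example Public CA B, CN=Example Public CA B G2"
CA_C = "C=BE, O=Example Public CA C, CN=Example Public CA C DV"
PROXY = "O=Example Corp, CN=Example Corp TLS Inspection CA"

BASELINE = {"site-a.example": CA_A, "site-b.example": CA_A,
            "site-c.example": CA_B, "site-d.example": CA_B,
            "site-e.example": CA_C}
BEHIND_PROXY = {host: PROXY for host in BASELINE}
ONE_ROTATED = dict(BASELINE, **{"site-a.example": CA_C})

if __name__ == "__main__":
    for label, seen in [("direct", BASELINE), ("office", BEHIND_PROXY),
                        ("rotated", ONE_ROTATED)]:
        print(label, assess(seen, BASELINE))
```

Record the baseline with `fetch_issuer` from a connection you control, then run the same hosts from the network in question.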
    2. Re: Yet Symantec remains? by p91paul · · Score: 1

      Certificates expire for a very technical reason: they can be trusted because we assume the encryption on which they are based is unbreakable. However, given enough computational power you can break all certificates; they are unbreakable because we believe there is NOT enough computational power to break them. Since computational power available is increasing, certificates issued a few years ago are useless sequences of bits, even though they were very trustworthy at the time they were issued.

    3. Re:Yet Symantec remains? by lucm · · Score: 1

      You're missing the point. It's not about privacy, it's about opening the door to actual MITM attacks. I just used the gmail password as an example.

      The purpose of SSL is to secure the connection between a client and a server. When you start injecting gateways that decrypt/scan/reencrypt the traffic, you break the system. You no longer can rely on actual issuers and certificates; you're basically trusting blindly a single source.

      It's like having your ISP hijack DNS queries to show you ads when a domain is not found, it's "great" as long as the ISP itself is not vulnerable to attacks. Otherwise they just become a top tier vector for malware and whatnot.

      Also there's the question of priorities. Decrypting SSL traffic doesn't "protect" the network, it just gives snooping power to the security team. And I have yet to see an organization where all the basic aspects of security are handled so well that scanning SSL traffic is a worthy concern. That's like installing a biometric lock on the bathroom door in a gas station that has no alarm system or cctv; maybe efforts are not spent on the real issues.

      --
      lucm, indeed.
  6. Shared hosting and subdomains by tepples · · Score: 3, Informative

    Let's Encrypt, motherfucker.

    ACME CAs such as Let's Encrypt have practical problems in the following situations:

    A. The website is hosted on shared hosting, and the shared host offers no way to automatically run Certbot or another ACME client to request and install a certificate. There exist ACME clients that run without superuser privilege, but a provider may offer no way for subscribers to automate uploading a certificate obtained through an ACME client. Until very recently, for example, WebFaction required manually filing a support ticket every time. And for Let's Encrypt, this would be less than two months.

    B. The owner of a domain allows users to sign up for subdomains. Let's Encrypt does not offer wildcard certificates and severely limits how many certificates can be issued under a particular domain in one week (source). This has already caused problems, for example, for operators of dynamic DNS services who want to make certificates available to their subscribers.

    Stop babbling about client certs.

    Why?

    1. Re:Shared hosting and subdomains by tepples · · Score: 1

      In which case that host sucks and customers should stop using them.

      Many hosting plans are paid annually rather than monthly. If someone has paid ahead for several months of hosting, a $5 per year Comodo certificate valid until the date that the hosting is up for renewal would be cheaper than forgoing several months of paid-for services.

      Some out there claim you need a separate IP address even though you don't [with Server Name Indication].

      Only for the past two and a half years has that been true. Because Internet Explorer on Windows XP didn't support Server Name Indication, compatibility with all major supported web browsers required a separate IPv4 address for each certificate. This changed in mid-April 2014 when Windows XP reached end of life. I think a lot of shared web hosts didn't offer SNI because they wanted to reduce the cost of support calls from users of combinations of browser and operating system that are incompatible with SNI.

      DreamHost among others has builtin support for Let's Encrypt.

      I switched to WebFaction in December 2012 because it offered SNI, unlike the hosting I had at the time. Did DreamHost offer SNI hosting back in 2012, or was it cleartext- or dedicated IP-only back then?

    2. Re: Shared hosting and subdomains by tepples · · Score: 1

      So once your script determines that a particular certificate needs to be renewed, makes a CSR, and obtains a renewed certificate, how do you automate installation? Not all shared hosting providers offer an API to install a renewed certificate without human intervention.

  7. Re:Alternatives? by Anonymous Coward · · Score: 1

    The net effect of this decision is that only big companies and people with too much free time can afford TLS.

    Ummm, you can get a certificate issued by Comodo for $5 USD per year:

    https://www.ssls.com/ssl-certi...

    It's a real certificate, trusted by all browsers,

    It has both the Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) OIDs.

    If securing your data on the internet isn't worth $5 to you, then I can't help you.

    But please stop whining.

  8. CORRECTION by tepples · · Score: 1

    And for Let's Encrypt, this would be less than two months.

    Allow me to correct my prior comment: About two and a half months is practical. So a shared hosting subscriber would have to remember to renew the certificate and request installation from the provider about five times per year.

  9. Re:Got It by TroII · · Score: 1

    Back Date a couple of certificates ? Don't charge? Compete with another free certificate authority?

    You are seriously understating the pattern of behavior on WoSign's part that led to this decision. (Comodo is no better IMO.)

  10. Is there someone else? by Espectr0 · · Score: 1

    We have had StartCom certificates because they seem to be the only ones giving out free SSL certificates for websites.

    Is there someone else doing this for free? No, we really can't buy them in our country and current situation.

    1. Re:Is there someone else? by Anonymous Coward · · Score: 1

      maybe letsencrypt can help you.
      https://letsencrypt.org/

    2. Re:Is there someone else? by lucm · · Score: 1

      I buy Comodo certs from a reseller for $6/year (no volume required). They are a bit clunky to set up at first because there's a few certs in the chain that are easy to miss if you're not careful, but they do work on all the browsers and devices I've tested.

      --
      lucm, indeed.
    3. Re:Is there someone else? by Roman+Mamedov · · Score: 1

      Well there's also WoSign... OH WAIT.

      Nope, both of the sensible free options are killed now, everyone wanting free certs is being funneled into the Let's Encrypt bullshit.

    4. Re:Is there someone else? by The-Ixian · · Score: 1

      IMO, $6/year is about how much a digital cert should cost. You are covering the compute time and bandwidth costs and then some.... I don't understand why DV certs are so expensive....

      --
      My eyes reflect the stars and a smile lights up my face.
  11. Re:Alternatives? by lucm · · Score: 1

    Any alternatives out there that are free and provide server *and* client certificates which are valid for at least 12 months (letsencrypt fanboys, don't bother)...?

    I can get you as many certificates as you want that work as long as you want. Do you need a specific issuer? What about "Certificates For Cheapskates Inc.".

    --
    lucm, indeed.
  12. Re:Alternatives? by TheRaven64 · · Score: 1

    It's not trusted by my browser. I removed Comodo from my list of trusted CAs after their last breach. I'm astonished that they're still in business. Someone seriously suggesting trusting Comodo over StartCom is really showing how broken the CA system is.

    --
    I am TheRaven on Soylent News
  13. Outrageous by jez9999 · · Score: 1

    This is terrible. Now there is only Let's Encrypt to get free SSL certs, which basically requires you to install their software on your machine to renew your certs because their expiry time is so ludicrously short.

    Fuck you Google (and fuck you Mozilla, Google's lapdogs). I personally can use Pale Moon, but there's nothing I can do about the hordes using Chrome. :-(

    1. Re:Outrageous by AmiMoJo · · Score: 2

      What's the point of a free SSL cert if it can't be trusted? The whole point of having it is to establish trust that you are who you say you are.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Outrageous by thebes · · Score: 1

      Correction: the free certs only vouch that you admin the domain name, nothing more. That is not the same as trusting an individual or organization.

    3. Re:Outrageous by Anonymous Coward · · Score: 1

      Trust and encryption should be two different things, however. I find it funny that people berate those using self-signed certs citing trust issues, but will happily browse non-https sites as if that's more trustworthy. I may be in the minority, but I'd rather see some form of self-signed certs be 'allowed' so that we can at least move to a more secure browsing experience. Yes, it's still up to the user to decide if the site is actually trustworthy but that's not really much different than it is now. However, we will never see this because the big corps make too much money charging $99+ for some silly little thing that says your site is 'secure' despite never needing to supply/prove your identity to the issuer.

    4. Re:Outrageous by chefmonkey · · Score: 1

      Fuck you Google (and fuck you Mozilla, Google's lapdogs).

      You need to update your conspiracy theories. The paranoid series of twisted, ignorant logic that was once used to make this statement was utterly undermined when Mozilla stopped taking search referral money from Google.

    5. Re:Outrageous by jez9999 · · Score: 1

      Because instead of a temporary halt on StartCom certs, Google are taking the draconian action of saying they will NEVER TRUST THEM AGAIN. That is ridiculous. What if StartCom start up under a different name, can they be trusted then?

      They made a small mistake. It is so over the top to stop trusting them "for evermore" because of this that it makes me think they're trying to corner the free SSL cert marker with Let's Encrypt.

    6. Re:Outrageous by jez9999 · · Score: 1

      Well I'll have to now, won't I?

      I hope you're fucking happy that I and many others have lost our perfectly good free SSL certs that worked fine for years, because literally 2 dodgy certs were issued by StartCom. Now we'll be out of pocket for no good goddamn reason.

    7. Re:Outrageous by jez9999 · · Score: 1

      Yeah but that's useful. I don't always need to "trust an individual or organization", sometimes I just want to be sure I'm really connecting to the proper server(s) for that domain.

    8. Re:Outrageous by jez9999 · · Score: 1

      Get back to me on that when Mozilla shut up shop, and officially tell their users to just install Chrome. Probably when Firefox's market share is at 1 or 2 percent. I predict that's exactly what they'll do. They've been on that trajectory for years now.

    9. Re:Outrageous by hlee · · Score: 1

      It wasn't a "small" mistake.

      The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

      https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

    10. Re:Outrageous by jez9999 · · Score: 1

      It still doesn't mean they have to PERMANENTLY stop trusting them. They could have given a path back to being trusted rather than robbing us of free year-long SSL certs.

    11. Re:Outrageous by The-Ixian · · Score: 1

      I think that if WoSign/StartCom made any meaningful moves toward rectifying the situation when it was first brought up, there wouldn't be an issue right now.

      Everyone makes mistakes. All anyone is expecting is for the mistake to be acknowledged and corrected.

      My understanding is that WoSign/StartCom basically ignored all efforts to get to an understanding and the yanking of trust is literally a last resort.

      --
      My eyes reflect the stars and a smile lights up my face.
    12. Re:Outrageous by heypete · · Score: 1

      It is so over the top to stop trusting them "for evermore" because of this that it makes me think they're trying to corner the free SSL cert marker with Let's Encrypt.

      To what end? Let's Encrypt has gotten some funding from Mozilla and others, but otherwise is a separate entity run by the ISRG.

      Since they don't sell any certificates (they're all free of cost) and running the service ends up costing lots of money (about $3m/year, they say), what motive would they have for "corner[ing] the free SSL cert marke[t]"?

      Nothing's preventing anyone else from starting a free CA.

  14. Re: Alternatives? by jez9999 · · Score: 1

    Why the hell should we install their stupid software on our servers? It's a totally unnecessary extra security risk. A yearly certificate is PERFECTLY alright and is no kind of security risk. I don't know what Let's Encrypt's game is, but their intractable refusal to issue yearly certs is unacceptable and extremely stupid and I would rather pay for an SSL cert than put up with their bullshit attitude.

  15. Re:pre-existing by AmiMoJo · · Score: 1

    I see both WoSign and StartCom are still issuing certs. Not just SSL, but code signing for things like Windows drivers.

    Seems like they are both basically out of business now.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Will GoogleBots ignore the same sites Chrome does? by xanthos · · Score: 1

    Yeah right. Google feels fit to declare what sites you may and may not browse, but be assured that they will still crawl those sites and correlate any links, email addresses, phone numbers etc they find there.

    Google, the ultimate nanny state.

    --
    Average Intelligence is a Scary Thing
  17. Re:Alternatives? by Anonymous Coward · · Score: 1

    It's not trusted by my browser. I removed Comodo from my list of trusted CAs after their last breach. I'm astonished that they're still in business. Someone seriously suggesting trusting Comodo over StartCom is really showing how broken the CA system is.

    Well now, it must SUCK TO BE YOU

  18. Forever day bugs cause insecure clients by tepples · · Score: 1

    Windows XP reaching EOL only means that Microsoft stopped supporting it

    We have chosen not to support an operating system that its publisher no longer supports. Because the operating system is proprietary software and will never see another security update, we can assume that a device running that operating system is likely to be infected with a keylogger or other malware that makes the browsing session unusably insecure, installed through exploiting a defect in the operating system published around or after the time that the operating system's publisher ended support. See Forever day bugs.

  19. Reasonable (free or non-free) Alternatives? by davros74 · · Score: 1

    I currently use StartCom certificates for my personal web server and email server (no, not related to Hillary). But I also use their client certificates (S/MIME).

    I also use a backup MX service for my mail server, but recently that has changed hands and the price has started to go up.

    So it would be nice to find a one stop shop to fill these needs:
        1. Backup MX service (possibly with spam filtering service)
        2. SSL certificate for a single domain (no wildcards, single server name is fine)
        3. S/MIME client certificates

    Free is nice, but I am willing to pay a small annual fee for the services (currently pay for Backup MX). I currently create my own key and CSR, I do not like sites that generate the keys for you or require any software. I should be able to upload the CSR, and get a certificate back (after validating I own the domain, of course).

    Any recommendations? If I cannot find anything reasonable, I will have to go back to self-signed certificates. I could live without the S/MIME, but having that is nice being it's the only easy way to encrypt email on iPhone's Mail app.

    1. Re:Reasonable (free or non-free) Alternatives? by heypete · · Score: 1

      I don't know of any one-stop-shop (certificate issuance and backup MX service are pretty orthogonal to each other), but there's plenty of CAs out there that will issue you certificates.

      This Comodo reseller sells PositiveSSL certs for ~$5/year with a validity time up to 3 years. That's about as cheap as you can get. They also offer (for the next few weeks, at least) GeoTrust, Symantec, and Thawte certs, but the costs for those are higher and they'll stop selling them in December. Comodo offers free S/MIME certs that validate only your email address, as well as paid ones that validate your email and name (if it matters). The paid ones start at $12/year.

      Of course, Let's Encrypt is a good option: the certs are free and you can run any of a multitude of ACME clients (or write your own) to validate your domain, generate the key (which is made by and stays on your system), request the certificate, and install the certificate. A simple cronjob handles renewals without any interaction from you. That makes life really easy. They don't do S/MIME certs, though.

  20. Re:Alternatives? by jez9999 · · Score: 1

    It's shit. It doesn't let you choose what subdomain is on the cert, they just add "www". StartCom let you add a custom subdomain so you could secure devel.mydomain.com or something for a development site.

    Argh, this whole situation sucks so much.

    FUCK GOOGLE.

  21. Re:Got It by jez9999 · · Score: 1

    You wanna talk about a shitty pattern of behaviour, look no further than Mozilla.

    They have had nothing but complete contempt for their long-term users by turning their browser into an inferior copy of Chrome.

    FUCK MOZILLA. Total bastards, the lot of them.

  22. Re:Alternatives? by dgatwood · · Score: 1

    That's a showstopper for me, and probably others. With Comodo, I would have to buy a wildcard for hundreds of dollars instead of a few free certs from StartSSL. TLS just went from self-evident to unaffordable and out of reach.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  23. Re:Alternatives? by jez9999 · · Score: 1

    That still means you have to buy 2 certificates just so you can get one for your main domain and your subdomain of choice though. It sucks hugely, compared to StartCom giving a free cert with a subdomain of your choice.

  24. Re: Alternatives? by heypete · · Score: 2

    You don't have to run their software (that is, the reference implementation) on your servers. There's plenty of other ACME clients, including short Bash scripts that don't require root and are relatively easy to audit. You could write your own, if you want.

    The short expiration times for Let's Encrypt certs exist for two reasons:
    1. Revoking certs is a pain. Yes, OCSP is a thing, but malicious actors that can control the network can block OCSP and force users to keep trusting revoked certificates up to their expiration time. Most browsers treat OCSP failures as a soft-fail. This is partially alleviated with OCSP stapling, but not many servers support it. By having short certificate lifetimes, the window of validity for a compromised certificate is smaller.

    2. It encourages automation. Rather than certificate issuance (and renewal) being an unusual thing that one needs to do every 1-3 years, during which time one likely has forgotten the procedure and has to go through many manual steps, issuing and renewing certs becomes routine and something easily scriptable and handled by automation. This makes it easier for more sites to deploy HTTPS, and for hosts to enable it with easy, automated tools.

    Of course, there's plenty of other CAs out there offering relatively inexpensive certificates with longer lifetimes if you wish. As you say, that's something you prefer. That's fine too: I use LE certs for most of my sites, but some long-lived ones from other CAs for others. It's nice having options.

  25. Re: Alternatives? by jez9999 · · Score: 1

    Yes I've heard those arguments, and no doubt OCSP will work for some people. However in my view they are taking a very preachy approach by flat-out refusing to issue 1-year certs, rather than just recommending the shorter-length ones. It's the kind of "our way or the highway" that the UX people at Google and Mozilla take with respect to their browser interfaces, and I consider it the height of arrogance. It turns me off the whole damn organization.

    Let's Encrypt could easily have offered a 1 year option. It's no real skin off their nose. They could even warn that "these may be 0.0001% more of a problem because when you (virtually never) need to revoke them it is harder." But they shove their ideology of short cert lifespans down your throat despite MANY requests from users to do otherwise.

    So yeah, screw them. I would indeed prefer to pay for a year's cert. It is a great shame that LE had to be so intransigent.

  26. Re: Alternatives? by jez9999 · · Score: 1

    Gah, I didn't mean OCSP above, I meant ACME.

  27. Re: Alternatives? by heypete · · Score: 1

    The security aspect (in regards to revocation) of shorter keys is nice, but encouraging automation to make widespread HTTPS use easy is the whole point of Let's Encrypt. It shouldn't be a surprise that they set cert lifetimes to encourage automation.

    Without automation, deploying secure sites is a pain: administrators have to go through tedious, error-prone manual work that the typical mom & pop business or individual website won't bother with. This maintains the status quo, with not many sites being secure.

    With automation, the user who otherwise wouldn't deploy HTTPS simply clicks a button on their web host management interface and Presto!, their site has a cert. (Alternatively, HTTPS could be enabled by default for them, as it is with WordPress.com-hosted sites.) For more technical administrators, a simple command-line tool and a cronjob take care of things in seconds. Easy, and it promotes a more secure web.

    There's nothing magical about 90 day certs, and the timing was chosen to be short enough to encourage automation while being long enough to allow for manual renewal if needed. Indeed, they even say, "Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes." That's fine with me: it's no skin off my back if they start making certs only valid for a week or two, as a daily cronjob manages everything.

    Of course, your mileage may vary and you have your preferences. That's totally fine -- I too use non-LE certs for some internal services where automation isn't really viable -- and nobody's forcing you to use their service. It's a free internet, after all, and there's other CAs to choose from.

  28. Re: Alternatives? by heypete · · Score: 1

    By "shorter keys" I mean "shorter certificate validity periods". Sorry for the confusion.

  29. Re: Alternatives? by jez9999 · · Score: 1

    That's an argument for offering shorter cert lifetimes, offering automation, and defaulting to it. It is not an argument against offering year-long certs for those of us who prefer them. And frankly I consider integrating their software into my existing website to be a royal pain, so much so that I will be paying Comodo for a yearly cert instead just to avoid it. I'm fine with manually replacing my certs every year. I basically have to replace a few files on my system and reboot a few services.
