Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)

Posted by msmash on from the tightening-bolts dept.

Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.

57 comments

  1. Goodbye by Anonymous Coward · · Score: 0

    Don't let the door hit you on the way out.

    (Why anybody should trust any certificate issued in China is a mystery to me.)

    1. Re:Goodbye by Anonymous Coward · · Score: 1

      Let's be honest: You shouldn't trust a certificate issues by anyone other than yourself. You don't think the U.S. government has ever colluded with a CA to set up a MITM attack before?

    2. Re: Goodbye by Anonymous Coward · · Score: 0

      I can't speak for the states, but I assume so. I'm absolutely sure the U.K. government has. We're quite a corrupt bunch.

    3. Re:Goodbye by Anonymous Coward · · Score: 2, Insightful

      Your position is actually a very reasonable. You don't know any of the certificate issuers. It is impossible for you to fully trust any of them. At most, you have some "policy" that supposedly tells you what some faceless corporation is doing.

      Fortunately, people implemented solutions to this problem about a quarter century ago. "Moderately trust" your CAs. And if an identity is signed by (say) three moderately-trusted CAs then you consider it fairly trustworthy. You could even work in scoring rules for whether or not the CAs are jurisdictionally diverse enough. (e.g. If a Chinese signer and a US government signer and a French signer all agree, then either it's correct, or you are up against a conspiracy so massive that you'd never beat it anyway.)

      What's the probability that someone is up to something naughty? Some fraction. Now raise that fraction to some more-than-1 power, say the third power. That's how trickable you'd be, if we used modern PK tech, like what PGP has.

    4. Re:Goodbye by sexconker · · Score: 2

      Why anyone should trust any cert not issued by a cert authority they personally control or vet and trust is beyond me.
      The whole CA game is about a half step more legitimate than the TSA.

    5. Re:Goodbye by known_coward_69 · · Score: 1

      we're nerd laughing with you

    6. Re: Goodbye by Anonymous Coward · · Score: 0

      Is anybody wondering why Google is suddenly in charge? It's a big CA-club and StartCom is apparently not in it.

  2. Google should just become a free CA... by Anonymous Coward · · Score: 0

    ...and get sued by EU for it :-/

  3. Now we know what the Google logo is really about by Anonymous Coward · · Score: 0

    All those letters with holes in them. Each letter is fully capable of decapitation. The 'l' is a spike onto which the unfortunate fall.

  4. Good by guruevi · · Score: 1

    I'm glad there are people willing to stand up to corporate misbehavior. Now if only we could get some better way of doing revocation checks.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Good by rahvin112 · · Score: 1

      It's called Let's Encrypt. Use it, love it. 90 Day certs, full automatic signing and updating. Built-in support in most distributions (even pfsense has a package now).

      If you are paying for anything other than an EV certificate you're an idiot.

    2. Re:Good by duke_cheetah2003 · · Score: 1

      Just a thumbs-up for Let's Encrypt. Fantastic service and super easy to set up and have it fully automated, so the short-lived certs are not an issue. It automatically takes care of itself if configured properly.

    3. Re:Good by dgatwood · · Score: 2

      I use Let's Encrypt, too. HATE it.

      • It has to automatically update your web server configuration files because the maximum certificate validity period is too d**n short to manually update your server. (That was a show-stopper for me. I don't trust anybody modifying my insanely complex Apache config files, after several tools barfed horribly over the years.)
      • As a result of that flawed design decision, they also made the design decision to cut corners and run it as root by default. That was also a show-stopper for me, and should be for anyone who is serious about security.
      • The default behavior is fundamentally incompatible with key pinning (a recommended security practice) because it generates a new key every time it generates a new cert.

      The security horrors get deeper and deeper the further you dig, hence the reason I steered clear of it for years. But when the last free TLS cert provider other than LetsEncrypt got the axe (StartSSL), I finally concluded that I'd just have to close my eyes and think of England.

      I ended up creating a cron job that runs a pile of custom code wrapped around their manual updater (which bizarrely doesn't tell you the name of the cert file it just created—ick). It then updates a small crypto config file that gets imported from all the various parts of my main Apache config files. Nine months later, I'm still fixing integration issues, mostly stemming from permissions problems.

      By contrast, I used StartSSL (one of the registrars that is getting the axe here) for half a decade with no real problems. It was easy. Once a year, I requested a new cert. Five minutes later, I was done. It worked much better than LetsEncrypt, from my perspective.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Good by guruevi · · Score: 1

      Sorry, but you are an idiot. There are plenty of alternative clients for the ACME protocol, plenty of them run without root access. I have never needed to run as root and the LE client also doesn't modify my web server configs. All the client does is update the certificate every so often and then tests the configuration before deploying it. It took me all of ~10 lines to get it to work the way I want it.

      Your Apache scripts shouldn't be so complex that they become un-editable, do you even know what they do?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Good by fuzzyfuzzyfungus · · Score: 1

      The lesson of biology is that if you make your scripts complex enough; they'll start maintaining themselves. Upgrading, even. Exact behavior of upgrades not guaranteed.

    6. Re:Good by cdwiegand · · Score: 2

      You're kidding, right? The certificate location doesn't change. Once you setup the certificate, you just run letsencrypt-auto renew once a week and when it's done do an apachectl reload. I run over a hundred websites across 10 servers and haven't had any issues integrating LE into my flow. I will admit I use nginx and not apache, but given that the path to the certificate, chain and key don't change and are all symlinks, I fail to see how it's "complicated".

      --
      . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
    7. Re:Good by Anonymous Coward · · Score: 0

      Do you also trim your nosehairs with a weedwacker just because that's the harder way to do it?

    8. Re:Good by Anonymous Coward · · Score: 0

      I used to love StartSSL as well, when they were their own company.
      Of course I disagree that it worked better than LetsEncrypt, since I still had to do more than zero work by logging into their website and clicking some buttons once a year.
      Not much more than zero effort granted, but still more than zero effort.

      Sadly I pretty much figured the moment they were purchased by the Chinese Govt controlled WoSign, that this would be the end result.

      Sure enough within the year, WoSign was issuing certificates for Google, Facebook, Github, Sourceforge, and a bunch of other American companies and launching active MiTM attacks against them.

      That was the beginning of the end for both CAs.
      In fact once Google caught them intercepting Gmail accounts, I was more surprised they weren't untrusted right then and there on the spot!

      As for the things you say about LetsEncrypt, I'll refrain from commenting.
      If you don't know the name of a file that never changes its name and is sitting right there after you yourself created it, there's little anyone can say to help you not hate everything in life.

    9. Re:Good by darkain · · Score: 2

      The default client has command line options to simply output the cert to a file and NOT touch Apache or any other HTTPD at all. In fact, in my setup, I have a 100% dedicated VM for generating certs. It does nothing else. That's it. From there, the cert files are moved via SSH to their respective web servers. But in no way shape or form does the LetsEncrypt VM have any sort of access to any infrastructure to modify it at all.

    10. Re:Good by Barefoot+Monkey · · Score: 1

      I was put off Let's Encrypt too, also purely because the letsencrypt program makes a severe mess of the system. However, there are many other ACME clients, and even letsencrypt.org itself no longer recommends letsencrypt (it recommends certbot at the moment, and also has around 73 other suggested clients if certbot isn't what you want).

    11. Re:Good by Anonymous Coward · · Score: 0

      you just run letsencrypt-auto renew

      Dad, what did I tell you about running random programs you download from the internet?

    12. Re:Good by DeadSea · · Score: 1

      It gets much more complicated once there is a load balancer involved. I end up redirecting the acme-challenge directory to a subdomain that gets hosted without a load balancer, generating the certificate there, and then having scripts push it to the load balancer.

      The other problem I have is that certbot is not idempotent. Certbot doesn't check if the deploy scripts actually succeed or not, it just assumes they did. If they didn't, they will never get called again. Just running certbot auto-renew is not enough. You have to compare locally available cert to the live installed cert to know if a deploy is needed.

      With all those extra check, it works, but it is several hundred lines of scripts.

    13. Re:Good by dgatwood · · Score: 1

      Actually, certbot is the nightmare I was referring to.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    14. Re:Good by Barefoot+Monkey · · Score: 1

      Thanks, good to know. I haven't actually tried that one myself. I was planning to give Let's Encrypt another shot with some of the other clients, and happened to be looking through the list just before this story hit.

    15. Re: Good by Brockmire · · Score: 1

      Wrong usage. You're an idiot.

    16. Re:Good by x_t0ken_407 · · Score: 1

      Very interesting way of handling this. You just gave me an idea, thanks :)

  5. Who is like unto Google? by Anonymous Coward · · Score: 0

    "Google guillotines WoSign, StartCom"?
    Why not "Google sends WoSign, StartCom to FEMA camps"?

    1. Re:Who is like unto Google? by nnet · · Score: 1

      like because like fema camps like have like nothing to do with like guillotines like.

    2. Re:Who is like unto Google? by __aaclcg7560 · · Score: 1

      like because like fema camps like have like nothing to do with like guillotines like.

      The government routinely orders guillotines (paper cutters). If you print out your certificate, you can cut it up with an office guillotine.

    3. Re: Who is like unto Google? by Anonymous Coward · · Score: 0

      Google gasses WoSignstein and StartComstein.

  6. Doesn't address the biggest problems by Anonymous Coward · · Score: 0

    It's the browsers that got us in the mess we're in. Browsers do the wrong thing with TLS in almost every situation.
    We have really good crypto algorithms and protocols, and the implementations we have are confusing, misleading, and negate a lot of that functionality.

    1. Re:Doesn't address the biggest problems by duke_cheetah2003 · · Score: 1

      It's the browsers that got us in the mess we're in. Browsers do the wrong thing with TLS in almost every situation.
      We have really good crypto algorithms and protocols, and the implementations we have are confusing, misleading, and negate a lot of that functionality.

      Pretty sure what you're describing has nothing to do with browsers. TLS is governed by the server, not the browser. Server dictates what crypto methods and hashing methods are permitted to be used. Browser has to comply with the server or get lost.

    2. Re:Doesn't address the biggest problems by Anonymous Coward · · Score: 0

      Yeah, but server configuration is almost always determined by testing against desired supported browsers.

      So the browser behavior does directly control this.

  7. Why so late? by Anonymous Coward · · Score: 0

    Seriously, they should have kicked this bad CA the moment it became public that they weren't playing by the rules.

    What about those poor server administrators that now need new certificates? Well, every smart server administrator already has a spare set of certificates signed by a different CA ready to deploy at a moment's notice, so that's not an issue either. What about the not so smart administrators? Well, why should Google cater for morons?

  8. Google: "Fu kyou, China" by Anonymous Coward · · Score: 0

    I for one plan to continue to use WoSign certificates since they are unlikely to be corrupted by the NSA.

  9. *.google.com by Anonymous Coward · · Score: 0

    Signed by Google Internet Authority G2.

    So, self-signed certificates are bad - unless you are Google.

    (or Microsoft: www.bing.com - signed by Microsoft IT SSL SHA2)

    I see.

    Us lowly commoners have to pay someone to sign our certs. We are trusting by default exactly who should not be trusted.

    Caveat: yes, I have stretched the definition of "self-signed" for the purposes of this bitch.

    1. Re:*.google.com by Anonymous Coward · · Score: 0

      That's an intermediate certificate issued by GeoTrust Global CA.

      Not the same as a self-signed certificate.

    2. Re:*.google.com by duke_cheetah2003 · · Score: 1

      Us lowly commoners have to pay someone to sign our certs.

      I don't pay for my cert. Let's Encrypt is free.

  10. What's the motive for wosign? by interkin3tic · · Score: 2

    I don't know much about CAs. TFA says wosign issued bad certificates for github, and there were other issues. Is this incompetence or malice? Were they just overeager to sell certificates, are they catering to criminals, or is this likely to be some type of state-sponsored conspiracy to spy on secure websites?

    1. Re:What's the motive for wosign? by Anonymous Coward · · Score: 0

      Incompetence or malice? I'm not sure it matters at all.

      The fact is that they were doing things that are either Really Shady or a Really Bad Idea. In either case, they can't be trusted to issue certificates, period. They also showed little in the way of a response to the initial reports of malfeasance, so they gotta go.

      It's the same with Symantec: they were trusted to competently issue certificates to the world, and they failed to do so. So it's time they lost their status as a CA.

      And lest you think that there is "a big difference between Symantec and StartCom," just remember that the browser's root cert store doesn't see the difference.

      It's a shame... I used to use StartCom certificates for everything. They will even do email cert issuance including in-person validation. Fortunately, I had already migrated some systems to Let's Encrypt, so I just hastened that roll-out and haven't looked back.

    2. Re:What's the motive for wosign? by freeze128 · · Score: 2

      Wosign was guilty of issuing certs for google.com. "It was only used in a test environment" was their excuse. Maybe it was, but it could have easily been used in public instead. It's shady practice, and for that, they will pay with their lives!

    3. Re:What's the motive for wosign? by fuzzyfuzzyfungus · · Score: 1

      Unfortunately, one of the disadvantages of deviating from strictly correct behavior as a CA is that it makes it harder for people trying to figure out who the threat is to answer that question; and 'all of the above' benefit from those bad practices.

      If your approach to 'customer service' involves a willingness to forge certs for them; it may start with a few extra sales to admins trying to dodge deadlines; but criminals will have an obvious interest in someone willing to issue dodgy certs for a few extra sales. And if you already have a noise floor of private sector shady actors; that's attractive to governments looking to do something quietly and deniably.

      As a matter of intent; I wouldn't be at all surprised if it started out innocently enough, doing a little favor for someone who really, really needed that backdated cert to keep his creaky infrastructure up; but this isn't the sort of business where innocent mistakes get to stay innocent for long; so ultimately it doesn't really matter that much. There job was to be trustworthy; they aren't. Game over.

    4. Re:What's the motive for wosign? by _merlin · · Score: 1

      That was Symantec issuing google.com certificates for their test environment, not WoSign. The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.

      IMO, Symantec was worse yet they haven't been punished anywhere near as hard, and the timing seemed rather "convenient" in that it coincided with the launch of Let's Encrypt. Free StartCom certificates won't be trusted any more. Who else are you going to get free certificates from now, buddy?

    5. Re:What's the motive for wosign? by CRC'99 · · Score: 1

      The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.

      Yep - and I'm pretty sure we know who that customer was. There are still major institutions still using SHA1 certs internally - and if they get moved to newer ones by the end of the year then I'd be shocked. The reality is, this stinks of a scapegoat - the industry in question would face *MASSIVE* disruption for the everyday Australian because of the relatively quick move to higher level certs. A lot of these are still contained within embedded devices that cannot upgrade so easily.

      Instead, let's execute the CA for political reasons. Don't pretend its anything else.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    6. Re:What's the motive for wosign? by Anonymous Coward · · Score: 0

      Is this incompetence or malice?

      It doesn't matter! A professional CA CAN NOT let that happen.

  11. It's tied to the version? by Hognoxious · · Score: 1

    Anyone else find it odd that the whitelist depends on the version? Like they hardcoded it?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:It's tied to the version? by radarskiy · · Score: 1

      How would you securely download the a list of CAs to trust without a list of CAs to trust?

    2. Re:It's tied to the version? by Anonymous Coward · · Score: 0

      As long as we are talking about Chrome: Use a Google-issued certificate, rather than a CA-issued certificate.

      Besides, it's not like they don't already have a way to automatically download and install Chrome updates. No matter how they do that, using the same method to download the trusted CA list would not make anything less secure than using it to download a new version of the browser. At most it would make things more secure, because depending on a new version of the browser may mean that the update gets delayed due to some bug.

  12. Due to several security incidents by Anonymous Coward · · Score: 0

    I have also stopped using google products.

  13. Google Guillotine? by drinkypoo · · Score: 4, Funny

    Oh great, another Google service that will probably be cancelled within a year

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. List of Issues by Lightn · · Score: 1

    It wasn't just a few bad certs, there was a whole set of issues. Here is Mozilla's list: https://wiki.mozilla.org/CA:Wo...

    Check out issue N, it is particularly bad.

  15. There was an easy solution that never.... by Anonymous Coward · · Score: 0

    was implemented:

    Reassigning all .net/.com/.org tlds under their respective countries tld and then having apps update themselves to only accept CAs for that country code/tld to sign certificates 'under' them.

    This would leave china and any other questionable security tld CAs to operate as their country sees fit within their range, while ensuring the security of other sovereign tlds similiarly remained secure to the boundaries of their domestic laws.

    But nooo, we need to keep the tiny bit of arbitrarily decided legacy cruft, which has become unwieldy and not fix the inherent flaws in the systems even as multiple security exploits have replaced every other facet of the security framework surrounding them.

    Besides, it's not like every country isn't getting a woody at resegretating the internet into a bunch of domestic intranets instead.

  16. WoSign's issues not just political... by Sits · · Score: 2

    The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.

    Yep - and I'm pretty sure we know who that customer was. There are still major institutions still using SHA1 certs internally - and if they get moved to newer ones by the end of the year then I'd be shocked. The reality is, this stinks of a scapegoat - the industry in question would face *MASSIVE* disruption for the everyday Australian because of the relatively quick move to higher level certs. A lot of these are still contained within embedded devices that cannot upgrade so easily.

    Instead, let's execute the CA for political reasons. Don't pretend its anything else.

    Looking through the list on Mozilla's list of WoSign Issues it looks like WoSign not just issued

    • long lived SHA1 certs
    • identical certs other than the notbefore date
    • certs with identical serials
    • certs that violate the "Baseline Requirements"
    • certs using unapproved cryptographic settings

    but their setup also violated a number of other best practices and security measures too (such as unpatched servers). However I'll note that on the political front folks were unhappy that the Startcom acquisition wasn't made public earlier. Outside that though there are a lot of different technical complaints.

    CA's have been dropped in the past for non-political problems (see DigiNotar) so I don't think it's fair to attribute WoSign's woes to purely political motivations as you alleged.

    1. Re:WoSign's issues not just political... by CRC'99 · · Score: 1

      But did you notice that most listings there are "its not against the rules - but we don't like it anyway".

      Yes, there have been some screwups, bugs and other problems that they seem to have fixed - but show me one CA that hasn't had a number of issues in their history...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  17. This really sucks for StartSSL customers by DeadSea · · Score: 1

    This really sucks for customers of StartCom (StartSSL):

    • Your website suddenly stops working with no warning.
    • There is no equivalent alternative to StartSSL

    Basically Google (and to a lesser extent Firefox) have handled this really badly. I found out about this issue when I got a new certificate and it wouldn't work: StartSSL certificate gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome

    • The browser error messages are cryptic and inconsistent. None of them say what the problem actually is. None of them offer links to the blog posts or bugs announcing the revocation. The only way to figure out the issue is through searching.
    • Google is killing existing certificates without making any attempt to contact webmasters. Google should be putting alerts in Google Search Console for every site that will be brought down by this change. At least Firefox limited the scope such that all existing certificates were grandfathered in.

    StartSSL was the only certificate authority at its price point. You didn't have to pay by the certificate. You didn't have to pay for the automated process by which you validated ownership of domains. You only paid for validations of who you are and who your company is. Once you were validated, you could issue as many certificates as you wanted for any domains you own. For a flat fee of $200 per year, I could get all the certificates I needed.

    The only alternative that I have been able to find is LetsEncrypt. While it is completely free it has some major disadvantages:

    • LetsEncrypt doesn't offer wildcard certificates. I have a domain with about 60 subdomains. The lack of wildcard really hurts for me here.
    • LetsEncrypt only offers the most basic level 1 certificates. They only validate that you have control over your domain. They don't offer level 2 that validates who you are. They don't offer level 3 that validates who your company is. They don't offer the level 4 extended company validations that give the green bar in browsers.
    1. Re:This really sucks for StartSSL customers by amorsen · · Score: 1

      You got taken by scammers. Sucks to be you. However, you can't expect the rest of the world to let the scammers continue, despite the inconvenience it is for you.

      --
      Finally! A year of moderation! Ready for 2019?
    2. Re: This really sucks for StartSSL customers by bn-7bc · · Score: 1

      Well LetsEncrypt are rolling out wildcard certificates soon iirc