Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)

← Back to Stories (view on slashdot.org)

Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com)

Posted by msmash on Monday July 10, 2017 @09:20AM from the tightening-bolts dept.

Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.

36 of 57 comments (clear)

Min score:

Reason:

Sort:

Good by guruevi · 2017-07-10 09:32 · Score: 1

I'm glad there are people willing to stand up to corporate misbehavior. Now if only we could get some better way of doing revocation checks.

--
Custom electronics and digital signage for your business: www.evcircuits.com
1. Re:Good by rahvin112 · 2017-07-10 10:17 · Score: 1
  
  It's called Let's Encrypt. Use it, love it. 90 Day certs, full automatic signing and updating. Built-in support in most distributions (even pfsense has a package now).
  If you are paying for anything other than an EV certificate you're an idiot.
2. Re:Good by duke_cheetah2003 · 2017-07-10 10:37 · Score: 1
  
  Just a thumbs-up for Let's Encrypt. Fantastic service and super easy to set up and have it fully automated, so the short-lived certs are not an issue. It automatically takes care of itself if configured properly.
3. Re:Good by dgatwood · 2017-07-10 10:37 · Score: 2
  I use Let's Encrypt, too. HATE it.
  
  It has to automatically update your web server configuration files because the maximum certificate validity period is too d**n short to manually update your server. (That was a show-stopper for me. I don't trust anybody modifying my insanely complex Apache config files, after several tools barfed horribly over the years.)
  
  As a result of that flawed design decision, they also made the design decision to cut corners and run it as root by default. That was also a show-stopper for me, and should be for anyone who is serious about security.
  The default behavior is fundamentally incompatible with key pinning (a recommended security practice) because it generates a new key every time it generates a new cert.
  The security horrors get deeper and deeper the further you dig, hence the reason I steered clear of it for years. But when the last free TLS cert provider other than LetsEncrypt got the axe (StartSSL), I finally concluded that I'd just have to close my eyes and think of England.
  I ended up creating a cron job that runs a pile of custom code wrapped around their manual updater (which bizarrely doesn't tell you the name of the cert file it just created—ick). It then updates a small crypto config file that gets imported from all the various parts of my main Apache config files. Nine months later, I'm still fixing integration issues, mostly stemming from permissions problems.
  By contrast, I used StartSSL (one of the registrars that is getting the axe here) for half a decade with no real problems. It was easy. Once a year, I requested a new cert. Five minutes later, I was done. It worked much better than LetsEncrypt, from my perspective.
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
4. Re:Good by guruevi · 2017-07-10 10:50 · Score: 1
  
  Sorry, but you are an idiot. There are plenty of alternative clients for the ACME protocol, plenty of them run without root access. I have never needed to run as root and the LE client also doesn't modify my web server configs. All the client does is update the certificate every so often and then tests the configuration before deploying it. It took me all of ~10 lines to get it to work the way I want it.
  Your Apache scripts shouldn't be so complex that they become un-editable, do you even know what they do?
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
5. Re:Good by fuzzyfuzzyfungus · 2017-07-10 12:52 · Score: 1
  
  The lesson of biology is that if you make your scripts complex enough; they'll start maintaining themselves. Upgrading, even. Exact behavior of upgrades not guaranteed.
6. Re:Good by cdwiegand · 2017-07-10 13:27 · Score: 2
  
  You're kidding, right? The certificate location doesn't change. Once you setup the certificate, you just run letsencrypt-auto renew once a week and when it's done do an apachectl reload. I run over a hundred websites across 10 servers and haven't had any issues integrating LE into my flow. I will admit I use nginx and not apache, but given that the path to the certificate, chain and key don't change and are all symlinks, I fail to see how it's "complicated".
  
  --
  . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
7. Re:Good by darkain · 2017-07-10 15:20 · Score: 2
  
  The default client has command line options to simply output the cert to a file and NOT touch Apache or any other HTTPD at all. In fact, in my setup, I have a 100% dedicated VM for generating certs. It does nothing else. That's it. From there, the cert files are moved via SSH to their respective web servers. But in no way shape or form does the LetsEncrypt VM have any sort of access to any infrastructure to modify it at all.
8. Re:Good by Barefoot+Monkey · 2017-07-10 23:55 · Score: 1
  
  I was put off Let's Encrypt too, also purely because the letsencrypt program makes a severe mess of the system. However, there are many other ACME clients, and even letsencrypt.org itself no longer recommends letsencrypt (it recommends certbot at the moment, and also has around 73 other suggested clients if certbot isn't what you want).
9. Re:Good by DeadSea · 2017-07-11 03:04 · Score: 1
  
  It gets much more complicated once there is a load balancer involved. I end up redirecting the acme-challenge directory to a subdomain that gets hosted without a load balancer, generating the certificate there, and then having scripts push it to the load balancer.
  The other problem I have is that certbot is not idempotent. Certbot doesn't check if the deploy scripts actually succeed or not, it just assumes they did. If they didn't, they will never get called again. Just running certbot auto-renew is not enough. You have to compare locally available cert to the live installed cert to know if a deploy is needed.
  With all those extra check, it works, but it is several hundred lines of scripts.
10. Re:Good by dgatwood · 2017-07-11 04:42 · Score: 1
  
  Actually, certbot is the nightmare I was referring to.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:Good by Barefoot+Monkey · 2017-07-11 06:33 · Score: 1
  
  Thanks, good to know. I haven't actually tried that one myself. I was planning to give Let's Encrypt another shot with some of the other clients, and happened to be looking through the list just before this story hit.
12. Re: Good by Brockmire · 2017-07-11 09:48 · Score: 1
  
  Wrong usage. You're an idiot.
13. Re:Good by x_t0ken_407 · 2017-07-11 14:49 · Score: 1
  
  Very interesting way of handling this. You just gave me an idea, thanks :)
Re:Goodbye by Anonymous Coward · 2017-07-10 09:35 · Score: 1

Let's be honest: You shouldn't trust a certificate issues by anyone other than yourself. You don't think the U.S. government has ever colluded with a CA to set up a MITM attack before?
Re:Who is like unto Google? by nnet · 2017-07-10 09:45 · Score: 1

like because like fema camps like have like nothing to do with like guillotines like.
Re:Who is like unto Google? by __aaclcg7560 · 2017-07-10 09:54 · Score: 1

like because like fema camps like have like nothing to do with like guillotines like.
The government routinely orders guillotines (paper cutters). If you print out your certificate, you can cut it up with an office guillotine.
What's the motive for wosign? by interkin3tic · 2017-07-10 10:04 · Score: 2

I don't know much about CAs. TFA says wosign issued bad certificates for github, and there were other issues. Is this incompetence or malice? Were they just overeager to sell certificates, are they catering to criminals, or is this likely to be some type of state-sponsored conspiracy to spy on secure websites?
1. Re:What's the motive for wosign? by freeze128 · 2017-07-10 10:57 · Score: 2
  
  Wosign was guilty of issuing certs for google.com. "It was only used in a test environment" was their excuse. Maybe it was, but it could have easily been used in public instead. It's shady practice, and for that, they will pay with their lives!
2. Re:What's the motive for wosign? by fuzzyfuzzyfungus · 2017-07-10 11:04 · Score: 1
  
  Unfortunately, one of the disadvantages of deviating from strictly correct behavior as a CA is that it makes it harder for people trying to figure out who the threat is to answer that question; and 'all of the above' benefit from those bad practices.
  
  If your approach to 'customer service' involves a willingness to forge certs for them; it may start with a few extra sales to admins trying to dodge deadlines; but criminals will have an obvious interest in someone willing to issue dodgy certs for a few extra sales. And if you already have a noise floor of private sector shady actors; that's attractive to governments looking to do something quietly and deniably.
  
  As a matter of intent; I wouldn't be at all surprised if it started out innocently enough, doing a little favor for someone who really, really needed that backdated cert to keep his creaky infrastructure up; but this isn't the sort of business where innocent mistakes get to stay innocent for long; so ultimately it doesn't really matter that much. There job was to be trustworthy; they aren't. Game over.
3. Re:What's the motive for wosign? by _merlin · 2017-07-10 15:06 · Score: 1
  
  That was Symantec issuing google.com certificates for their test environment, not WoSign. The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.
  IMO, Symantec was worse yet they haven't been punished anywhere near as hard, and the timing seemed rather "convenient" in that it coincided with the launch of Let's Encrypt. Free StartCom certificates won't be trusted any more. Who else are you going to get free certificates from now, buddy?
4. Re:What's the motive for wosign? by CRC'99 · 2017-07-10 16:16 · Score: 1
  
  The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.
  Yep - and I'm pretty sure we know who that customer was. There are still major institutions still using SHA1 certs internally - and if they get moved to newer ones by the end of the year then I'd be shocked. The reality is, this stinks of a scapegoat - the industry in question would face *MASSIVE* disruption for the everyday Australian because of the relatively quick move to higher level certs. A lot of these are still contained within embedded devices that cannot upgrade so easily.
  Instead, let's execute the CA for political reasons. Don't pretend its anything else.
  
  --
  Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
It's tied to the version? by Hognoxious · 2017-07-10 10:12 · Score: 1

Anyone else find it odd that the whitelist depends on the version? Like they hardcoded it?

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
1. Re:It's tied to the version? by radarskiy · 2017-07-10 12:56 · Score: 1
  
  How would you securely download the a list of CAs to trust without a list of CAs to trust?
Re:Goodbye by Anonymous Coward · 2017-07-10 10:20 · Score: 2, Insightful

Your position is actually a very reasonable. You don't know any of the certificate issuers. It is impossible for you to fully trust any of them. At most, you have some "policy" that supposedly tells you what some faceless corporation is doing.
Fortunately, people implemented solutions to this problem about a quarter century ago. "Moderately trust" your CAs. And if an identity is signed by (say) three moderately-trusted CAs then you consider it fairly trustworthy. You could even work in scoring rules for whether or not the CAs are jurisdictionally diverse enough. (e.g. If a Chinese signer and a US government signer and a French signer all agree, then either it's correct, or you are up against a conspiracy so massive that you'd never beat it anyway.)
What's the probability that someone is up to something naughty? Some fraction. Now raise that fraction to some more-than-1 power, say the third power. That's how trickable you'd be, if we used modern PK tech, like what PGP has.
Re:Doesn't address the biggest problems by duke_cheetah2003 · 2017-07-10 10:39 · Score: 1

It's the browsers that got us in the mess we're in. Browsers do the wrong thing with TLS in almost every situation.
We have really good crypto algorithms and protocols, and the implementations we have are confusing, misleading, and negate a lot of that functionality.
Pretty sure what you're describing has nothing to do with browsers. TLS is governed by the server, not the browser. Server dictates what crypto methods and hashing methods are permitted to be used. Browser has to comply with the server or get lost.
Re:*.google.com by duke_cheetah2003 · 2017-07-10 10:43 · Score: 1

Us lowly commoners have to pay someone to sign our certs.
I don't pay for my cert. Let's Encrypt is free.
Re:Goodbye by sexconker · 2017-07-10 10:57 · Score: 2

Why anyone should trust any cert not issued by a cert authority they personally control or vet and trust is beyond me.
The whole CA game is about a half step more legitimate than the TSA.
Google Guillotine? by drinkypoo · 2017-07-10 11:18 · Score: 4, Funny

Oh great, another Google service that will probably be cancelled within a year

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
List of Issues by Lightn · 2017-07-10 12:17 · Score: 1

It wasn't just a few bad certs, there was a whole set of issues. Here is Mozilla's list: https://wiki.mozilla.org/CA:Wo...
Check out issue N, it is particularly bad.
Re:Goodbye by known_coward_69 · 2017-07-10 13:13 · Score: 1

we're nerd laughing with you
WoSign's issues not just political... by Sits · 2017-07-10 17:54 · Score: 2
The thing everyone jumped on WoSign for was doing a customer a favour. Some significant Australian customer wasn't ready for SHA1 certificates being phased out and asked if WoSign could help them out. WoSign issued back-dated SHA1 certificates for the customer.
Yep - and I'm pretty sure we know who that customer was. There are still major institutions still using SHA1 certs internally - and if they get moved to newer ones by the end of the year then I'd be shocked. The reality is, this stinks of a scapegoat - the industry in question would face *MASSIVE* disruption for the everyday Australian because of the relatively quick move to higher level certs. A lot of these are still contained within embedded devices that cannot upgrade so easily.
Instead, let's execute the CA for political reasons. Don't pretend its anything else.
Looking through the list on Mozilla's list of WoSign Issues it looks like WoSign not just issued
- long lived SHA1 certs
- identical certs other than the notbefore date
- certs with identical serials
- certs that violate the "Baseline Requirements"
- certs using unapproved cryptographic settings
but their setup also violated a number of other best practices and security measures too (such as unpatched servers). However I'll note that on the political front folks were unhappy that the Startcom acquisition wasn't made public earlier. Outside that though there are a lot of different technical complaints.
CA's have been dropped in the past for non-political problems (see DigiNotar) so I don't think it's fair to attribute WoSign's woes to purely political motivations as you alleged.
1. Re:WoSign's issues not just political... by CRC'99 · 2017-07-13 00:40 · Score: 1
  
  But did you notice that most listings there are "its not against the rules - but we don't like it anyway".
  Yes, there have been some screwups, bugs and other problems that they seem to have fixed - but show me one CA that hasn't had a number of issues in their history...
  
  --
  Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
This really sucks for StartSSL customers by DeadSea · 2017-07-11 01:10 · Score: 1
This really sucks for customers of StartCom (StartSSL):
- Your website suddenly stops working with no warning.
- There is no equivalent alternative to StartSSL
Basically Google (and to a lesser extent Firefox) have handled this really badly. I found out about this issue when I got a new certificate and it wouldn't work: StartSSL certificate gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome
- The browser error messages are cryptic and inconsistent. None of them say what the problem actually is. None of them offer links to the blog posts or bugs announcing the revocation. The only way to figure out the issue is through searching.
- Google is killing existing certificates without making any attempt to contact webmasters. Google should be putting alerts in Google Search Console for every site that will be brought down by this change. At least Firefox limited the scope such that all existing certificates were grandfathered in.
StartSSL was the only certificate authority at its price point. You didn't have to pay by the certificate. You didn't have to pay for the automated process by which you validated ownership of domains. You only paid for validations of who you are and who your company is. Once you were validated, you could issue as many certificates as you wanted for any domains you own. For a flat fee of $200 per year, I could get all the certificates I needed.
The only alternative that I have been able to find is LetsEncrypt. While it is completely free it has some major disadvantages:
- LetsEncrypt doesn't offer wildcard certificates. I have a domain with about 60 subdomains. The lack of wildcard really hurts for me here.
- LetsEncrypt only offers the most basic level 1 certificates. They only validate that you have control over your domain. They don't offer level 2 that validates who you are. They don't offer level 3 that validates who your company is. They don't offer the level 4 extended company validations that give the green bar in browsers.
1. Re:This really sucks for StartSSL customers by amorsen · 2017-07-11 02:20 · Score: 1
  
  You got taken by scammers. Sucks to be you. However, you can't expect the rest of the world to let the scammers continue, despite the inconvenience it is for you.
  
  --
  Finally! A year of moderation! Ready for 2019?
2. Re: This really sucks for StartSSL customers by bn-7bc · 2017-07-11 04:19 · Score: 1
  
  Well LetsEncrypt are rolling out wildcard certificates soon iirc