
Security Certificate - Think it works?


Teken

Recommended Posts

Posted

In the world that we all live in, the bulk of what we do is based on the *Honor System*, whereby many aspects of life, business, and relationships are based on being honest, doing what's right, and following the rules / laws outlined by the people.

With so many things in the computer world, many if not all of the security features we have come to rely upon are truly up to the companies / governments doing the right thing. Below is one of many examples of how the common security certificate can be abused and misused.

Good on Mozilla / Firefox for putting this company on blast . . .


Firefox maker Mozilla plans to distrust new digital certificates from WoSign, the Chinese certificate authority (CA) that issued bogus HTTPS certificates for GitHub.

 

Mozilla has also proposed ousting Israel-based CA StartCom, which WoSign acquired in November 2015 but of which it has, for some reason, denied ownership.

"Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands," Mozilla said in a report published on Monday.

The proposed ban on both CAs' newly-issued certificates is for a one-year period. After that they must reapply to join Mozilla's trust program. Mozilla has also denied WoSign's request to remain trusted for newly-issued certificates in China.

To minimize impact on web users, Mozilla will continue trusting existing certificates since "both of these CA brands have substantial outstanding certificate corpuses".

Mozilla's investigation followed a controversy over WoSign mis-issuing a certificate for a subdomain of the hugely popular code repository GitHub.

That act is considered a major security risk because an attacker could have used that certificate to impersonate GitHub's website and spy on users' communications. This failure occurred after Dutch CA DigiNotar was breached, resulting in bogus certificates for Google domains that were used to eavesdrop on Iranian citizens.

However, Mozilla's report focuses on WoSign "intentionally back-dating certificates to avoid blocks on SHA-1 issuance in browsers, having qualified audits and/or being caught violating the CAB Forum Baseline requirements".


Back-dating certificates would undermine one of the key measures browser makers have for ensuring trust on the internet. All browser makers have agreed to deprecate certificates signed with the SHA-1 hash algorithm and move to the stronger SHA-256.

SHA-1 is considered vulnerable to cryptographic collisions that would allow an attacker to forge a signature.

Microsoft stopped using the address bar lock icon for these SHA-1 signed certificates in Edge and Internet Explorer with the recent Windows 10 Anniversary Update. In February next year Microsoft will be blocking these certificates in both browsers.

CAs were also supposed to have stopped issuing new SHA-1 certificates from January 1, 2016, but Mozilla said it discovered 62 WoSign SHA-1 certificates that were back-dated to appear as if they were issued in December 2015.

The other reason for distrusting WoSign is because it allegedly breached Mozilla's requirement that a change in ownership of a CA needs to be disclosed. Mozilla says that WoSign "directly denied" the change shortly after the acquisition, said to have occurred on November 1, 2015.

WoSign recently described its relationship with StartCom as a "100 percent equity investment" in StartCom, suggesting the two companies operate independently. However, Mozilla said it found evidence that shortly after the acquisition, "StartCom issuances switched to using WoSign's infrastructure".

If Mozilla follows through with the proposal, WoSign will need to undergo a security audit of its issuing infrastructure from an auditor selected by Mozilla. It will also need to implement Google's Certificate Transparency framework.

Mozilla said it will no longer accept audits from WoSign's auditor, the Hong Kong unit of Ernst & Young, which it said had failed to detect multiple issues.
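The back-dating described above is something a defender can screen for in their own certificate inventory. The following is an added example, not code from the article or the poster: it parses the text that `openssl x509 -noout -text` prints for a certificate and applies the cut-off the article refers to, flagging any SHA-1 certificate whose notBefore is on or after January 1, 2016 as a violation, and any SHA-1 certificate dated in the last weeks of December 2015 as worth cross-checking against Certificate Transparency logs or the CA's issuance records. The certificate dumps are constructed samples trimmed to the fields the check reads, and the `SUSPICIOUS_WINDOW_DAYS` threshold is an assumption of this example.

```python
"""Screen openssl text output for back-dated SHA-1 certificates (added example)."""
import re
from datetime import datetime, timezone

# Cut-off the article refers to: CAs had to stop issuing SHA-1 certificates
# from January 1, 2016 (CA/Browser Forum Baseline Requirements).
SHA1_ISSUANCE_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Assumption of this example: a SHA-1 certificate dated this close to the
# cut-off deserves a second look, since back-dating into December 2015 is
# exactly the pattern Mozilla found.
SUSPICIOUS_WINDOW_DAYS = 31

# Signature algorithm names as openssl prints them for SHA-1 signatures.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


def _parse_openssl_time(text):
    """openssl prints validity dates like 'Dec  1 00:00:00 2015 GMT'."""
    text = " ".join(text.split())  # collapse the padding before one-digit days
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_openssl_text(text):
    """Pull signature algorithm and notBefore out of `openssl x509 -noout -text` output.

    openssl prints 'Signature Algorithm' twice (inside the signed part and again
    before the signature value); the first is what the CA claims to have signed with.
    """
    algorithms = re.findall(r"Signature Algorithm:\s*(\S+)", text)
    not_before = re.search(r"Not Before\s*:\s*(.+?)\s*$", text, re.MULTILINE)
    if not algorithms or not_before is None:
        raise ValueError("input does not look like openssl x509 -text output")
    return {"signature_algorithm": algorithms[0],
            "not_before": _parse_openssl_time(not_before.group(1))}


def check_sha1_policy(cert_info):
    """Return 'ok', 'legacy', 'suspect' or 'violation' for one parsed certificate."""
    if cert_info["signature_algorithm"] not in SHA1_ALGORITHMS:
        return "ok"
    not_before = cert_info["not_before"]
    if not_before >= SHA1_ISSUANCE_CUTOFF:
        return "violation"  # SHA-1 certificate dated on or after the ban
    if (SHA1_ISSUANCE_CUTOFF - not_before).days <= SUSPICIOUS_WINDOW_DAYS:
        # Dated just before the ban: confirm the real issuance time against
        # Certificate Transparency logs or the CA's own issuance records.
        return "suspect"
    return "legacy"  # well before the ban: deprecated, but not evidence of back-dating


def audit_dumps(dumps):
    """Map each named openssl dump to its verdict."""
    return {name: check_sha1_policy(parse_openssl_text(text)) for name, text in dumps.items()}


# Constructed sample dumps, trimmed to the fields this check reads; none is a real certificate.
SAMPLE_DUMPS = {
    "sha256-2016": """\
Certificate:
    Data:
    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Mar  3 00:00:00 2016 GMT
            Not After : Mar  2 23:59:59 2017 GMT
""",
    "sha1-backdated": """\
Certificate:
    Data:
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Dec 20 00:00:00 2015 GMT
            Not After : Dec 19 23:59:59 2016 GMT
""",
    "sha1-after-ban": """\
Certificate:
    Data:
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Mar  3 00:00:00 2016 GMT
            Not After : Mar  2 23:59:59 2017 GMT
""",
    "sha1-legacy": """\
Certificate:
    Data:
    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jun  1 00:00:00 2014 GMT
            Not After : May 31 23:59:59 2015 GMT
""",
}

if __name__ == "__main__":
    for name, verdict in audit_dumps(SAMPLE_DUMPS).items():
        print(f"{name:16s} {verdict}")
```

Feed it the output of `openssl x509 -in cert.pem -noout -text` for each certificate in your inventory; a "suspect" verdict is not proof of back-dating on its own, since certificates were legitimately issued in December 2015, which is why the next step is comparing the claimed notBefore with the timestamp in the certificate's CT log entry.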


Posted

> In the world that we all live in, the bulk of what we do is based on the *Honor System*, whereby many aspects of life, business, and relationships are based on being honest, doing what's right, and following the rules / laws outlined by the people.
>
> With so many things in the computer world, many if not all of the security features we have come to rely upon are truly up to the companies / governments doing the right thing. Below is one of many examples of how the common security certificate can be abused and misused.
>
> Good on Mozilla / Firefox for putting this company on blast . . .

It just shows it's time to drop the CA-based trust model and adopt DANE...


https://en.m.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities


Sent from my SM-N910W8 using Tapatalk
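The DANE approach suggested above binds a server's certificate to a TLSA record in DNSSEC-signed DNS rather than to a CA's signature, so a mis-issued certificate from any CA does not match the record. As an added example, not code from the thread or the linked Wikipedia article, the Python below implements the matching step of RFC 6698: parse a TLSA record, compute the association data its selector and matching type call for from the certificate the server presented, and compare. The DER byte strings are constructed placeholders standing in for bytes taken from the TLS handshake; `make_record` is a helper of this example for building the record an operator would publish.

```python
"""DANE/TLSA association matching per RFC 6698 (added example)."""
import hashlib

# TLSA certificate usages (RFC 6698 section 2.1.1): 1 (PKIX-EE) and 3 (DANE-EE)
# describe the end-entity certificate; 0 (PKIX-TA) and 2 (DANE-TA) describe a CA
# certificate in the chain.
END_ENTITY_USAGES = {1, 3}
CA_USAGES = {0, 2}


def parse_tlsa_record(record):
    """Parse a presentation-format record such as
    '_443._tcp.www.example.com. IN TLSA 3 1 1 <hex>' into (usage, selector, matching, data)."""
    fields = record.split()
    i = fields.index("TLSA")
    usage, selector, matching = (int(f) for f in fields[i + 1:i + 4])
    data = bytes.fromhex("".join(fields[i + 4:]))  # hex may be split across whitespace
    return usage, selector, matching, data


def association_data(cert_der, spki_der, selector, matching):
    """Compute what the record's data field must hold for this certificate."""
    if selector == 0:
        chosen = cert_der  # whole certificate: changes on every re-issuance
    elif selector == 1:
        chosen = spki_der  # SubjectPublicKeyInfo only: survives re-issuance with the same key
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return chosen  # exact bytes
    if matching == 1:
        return hashlib.sha256(chosen).digest()
    if matching == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record, chain):
    """chain: list of (cert_der, spki_der) tuples, leaf first, as sent in the handshake.

    Caveat: usages 0 and 1 additionally require normal PKIX validation of the chain,
    and every usage requires the TLSA lookup itself to be DNSSEC-validated; this
    function checks only the DANE association.
    """
    usage, selector, matching, expected = parse_tlsa_record(record)
    if usage in END_ENTITY_USAGES:
        candidates = chain[:1]  # only the leaf may satisfy an end-entity record
    elif usage in CA_USAGES:
        candidates = chain[1:]  # a CA certificate somewhere above the leaf
    else:
        raise ValueError(f"unknown certificate usage {usage}")
    return any(association_data(c, s, selector, matching) == expected for c, s in candidates)


def make_record(name, usage, selector, matching, cert_der, spki_der):
    """Build the record an operator would publish (helper of this example; DNSSEC signing is separate)."""
    data = association_data(cert_der, spki_der, selector, matching).hex()
    return f"{name} IN TLSA {usage} {selector} {matching} {data}"


# Constructed placeholders standing in for DER bytes from the TLS handshake;
# not a real certificate or public key.
LEAF_CERT_DER = b"placeholder-leaf-certificate-der"
LEAF_SPKI_DER = b"placeholder-leaf-subjectpublickeyinfo-der"
CA_CERT_DER = b"placeholder-issuing-ca-certificate-der"
CA_SPKI_DER = b"placeholder-issuing-ca-subjectpublickeyinfo-der"
CHAIN = [(LEAF_CERT_DER, LEAF_SPKI_DER), (CA_CERT_DER, CA_SPKI_DER)]

if __name__ == "__main__":
    record = make_record("_443._tcp.www.example.com.", 3, 1, 1, LEAF_CERT_DER, LEAF_SPKI_DER)
    print(record)
    print("matches:", tlsa_matches(record, CHAIN))
```

The common operator choice is "3 1 1" (DANE-EE, SPKI, SHA-256): the record pins the server's key rather than a particular certificate, so renewing with the same key needs no DNS change, and no CA is consulted at all. What this does not remove is the dependency on DNSSEC: a resolver that does not validate signatures can be fed a forged TLSA record just as easily as a forged A record.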

  • 2 weeks later...
Posted

I actually use a wildcard cert purchased from StartCom; they were very hands-on with authenticating (I received a phone call, in fact), and that made me very suspicious.

Short story, I did it anyway.

I'll have to research this later this weekend.

Archived

This topic is now archived and is closed to further replies.
