Mozilla wants woeful WoSign certs off the list

Backdating SHA-1 certs is just not on


Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program.

As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone.

In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA."

That investigation follows on from a huge number of issues Mozilla outlines here.

Those issues include WoSign's notorious error of issuing a cert for GitHub to a university student.

The Mozilla engineers' report revolves around SHA-1 certificates. SHA-1's collision resistance has been regarded as inadequate for years, which is why all major browsers are deprecating certificates signed with it.

As part of its deprecation process, Mozilla treats SHA-1 certs issued after January 1, 2016 as invalid unless the issuing CA has gone through an exception process – and the report says both WoSign and StartCom fudged this by backdating newly issued SHA-1 certs, setting their notBefore dates to make it seem they had been issued before the ban took effect.

It accuses WoSign of acquiring Israeli StartCom without disclosing the change of ownership, which Mozilla says “we believe violates section 5 of the Mozilla CA Certificate Maintenance Policy”.

Although WoSign's media release says StartCom remains independent of WoSign, Mozilla says the former is using the latter's infrastructure to issue certs.

As an example of the backdating, Mozilla's investigation documents certificates issued to Australian payments processor Tyro. It nominates a StartCom SHA-1 certificate that was first logged to a Certificate Transparency log (the public append-only logs Google operates) in June this year, but which carries an earlier issuance date that Mozilla believes was backdated by StartCom.
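The check implied by the two passages above (a SHA-1 cert whose notBefore predates the January 1, 2016 cut-off but which only surfaces in Certificate Transparency months later) can be scripted. The following is an added example, not code from The Register or from Mozilla's investigation; the certificate records are constructed, the 90-day gap threshold and the verdict labels are assumptions, and the signature-algorithm OIDs are the standard ones from RFC 3279:

```python
"""Triage SHA-1 certificates for post-cut-off issuance and possible backdating.

Added example; not the article's or Mozilla's code. Records below are
constructed test data, not real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Signature-algorithm OIDs that hash with SHA-1 (RFC 3279).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# Mozilla's cut-off for newly issued SHA-1 certificates.
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Assumption: if a certificate's earliest CT log entry is more than this
# long after its notBefore, and after the cut-off, treat it as a lead for
# backdating. A bare time gap is not proof; late logging by a third party
# produces the same signal.
SUSPICIOUS_CT_GAP = timedelta(days=90)


def parse_utc(stamp: str) -> datetime:
    """Parse an RFC 3339 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    subject: str
    signature_oid: str
    not_before: datetime
    first_ct_seen: Optional[datetime]  # earliest CT log timestamp, if any


def assess(rec: CertRecord) -> Tuple[str, str]:
    """Return (verdict, reason) for one certificate record."""
    algo = SHA1_SIGNATURE_OIDS.get(rec.signature_oid)
    if algo is None:
        return "ok", "signature algorithm does not use SHA-1"
    if rec.not_before >= SHA1_CUTOFF:
        # Issued after the ban on its face: a policy problem unless an
        # exception was granted, regardless of CT evidence.
        return "post-cutoff", f"{algo} certificate dated {rec.not_before.date()}"
    if rec.first_ct_seen is None:
        return "unverifiable", "pre-cut-off notBefore but no CT record to corroborate"
    if rec.first_ct_seen < SHA1_CUTOFF:
        # A CT entry before the cut-off proves the cert existed in time.
        return "ok", "pre-cut-off issuance corroborated by CT"
    gap = rec.first_ct_seen - rec.not_before
    if gap > SUSPICIOUS_CT_GAP:
        return "suspect-backdating", (
            f"{algo} notBefore {rec.not_before.date()} but first seen in CT "
            f"{gap.days} days later ({rec.first_ct_seen.date()})"
        )
    return "ok", "pre-cut-off issuance, logged soon after the cut-off"


def triage(records) -> Dict[str, str]:
    """Map each subject to its verdict."""
    return {rec.subject: assess(rec)[0] for rec in records}


# Constructed sample data (not real certificates).
SAMPLE_RECORDS = [
    CertRecord("a.example", "1.2.840.113549.1.1.5",
               parse_utc("2015-12-20T10:00:00Z"), parse_utc("2015-12-21T09:00:00Z")),
    CertRecord("b.example", "1.2.840.113549.1.1.5",
               parse_utc("2015-12-20T10:00:00Z"), parse_utc("2016-06-10T12:00:00Z")),
    CertRecord("c.example", "1.2.840.10045.4.1",
               parse_utc("2016-02-01T00:00:00Z"), parse_utc("2016-02-01T00:05:00Z")),
    CertRecord("d.example", "1.2.840.113549.1.1.11",  # sha256WithRSAEncryption
               parse_utc("2016-06-01T00:00:00Z"), None),
    CertRecord("e.example", "1.2.840.113549.1.1.5",
               parse_utc("2015-11-01T00:00:00Z"), None),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        verdict, reason = assess(rec)
        print(f"{rec.subject:12} {verdict:18} {reason}")
```

In practice the OID comes from the certificate's signatureAlgorithm field, notBefore from its validity period, and the CT timestamp from the log entry or embedded SCT; the constructed `b.example` record reproduces the shape of the Tyro case (notBefore before the ban, first logged in June), while `c.example` is the simpler violation of a SHA-1 cert dated after the cut-off. The gap check only yields a lead; Mozilla's conclusion that the Tyro certificate was backdated rests on its fuller investigation, not on a CT timestamp alone.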

The Register has tried to contact Tyro about this certificate.

There's also a smackdown for WoSign's auditors, the Hong Kong office of Ernst & Young, which Mozilla says “failed to detect multiple issues they should have detected”.

Mozilla says it wants to “distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses”.

Mozilla is seeking public comment on the issue, in particular to help decide when to implement its proposed ban, and whether WoSign or StartCom need to create new roots before they re-apply to be trusted again.

Interestingly, WoSign issued a media release in China (you'll need Google Translate for this link) at the beginning of last week, announcing it completed its equity investment in StartCom on September 19. ®

Biting the hand that feeds IT © 1998–2022