Hi Ryan,

For your question “Do you believe that, during the discussions about how to 
respond to WoSign's issues, the scope of impact was underestimated?”, the 
answer is YES.

After Oct 21 2016, WoSign stopped issuing SSL certificates from the WoSign root 
(to be exact, maybe a few in October, but all replaced). We know our customers 
don’t accept the problem of interoperability and compatibility failures, so 
since Nov 21 2016 we have cooperated with other Trusted CAs to sell their 
certificates to our customers, to replace the affected SSL certificates and 
code signing certificates for our charged customers for FREE, and to renew and 
order certificates for current customers and new customers to keep our business 
continuity until we have our own new trusted roots.

WoSign appreciated Mozilla’s decision to trust the certificates issued before 
Oct 20 2016, and the similar rules from Apple and Microsoft, and we also 
promised this to our customers. This decision doesn’t bring any trouble to 
our issued-certificate customers, very good.

But Google started to distrust WoSign certificates since Chrome 57 unless the 
site is in the Alexa Top 1M site list, which brought many problems to us and to 
our customers. To provide the best service to our customers, we provide FREE 
replacement for our charged customers, for which we must pay the cost to the 
Partner (Trusted CA). Till now, we have replaced 596 certificates for our 
customers for free, and there are 97 orders asking for a refund instead of 
replacement. The problem with this Google decision is that some big websites 
used a domain that is not listed in the Alexa 1M and suffered disruption; for 
example, Qihoo 360’s search site and online gaming sites used a domain in a CDN 
for pictures that is not listed in the Top 1M, more than 500M users suffered 
the untrusted warning, and 360 needed to replace the certificates for thousands 
of servers.

The problem also comes from the WoSign Root CA being pinned for some payment 
gateways from online payment service providers and in some online banking 
apps: even though we replaced the certificates for them for free, they need to 
update the gateway/API software to accept the new trusted root, and need to 
update the bank app to recognize the new certificate and new root. This is 
terrible; all those customers curse us and are very angry.

For the affected 2417 Code Signing certificates, there are many customers who 
signed their code but are distrusted by Microsoft; those customers ask for a 
full refund and need to buy a new code signing cert from another CA and sign 
the software again, software that is installed in billions of systems. This is 
also a disaster for customers and their software users.

We can’t imagine the result in the future for “In subsequent Chrome releases, 
these exceptions will be reduced and ultimately removed, culminating in the 
full distrust of WoSign”; this means all WoSign-issued SSL certificates in the 
last three years need to be replaced, including the 2845 valid certificates for 
Microsoft Azure and Office 365, for which Microsoft’s Sumedh said “any outage of 
an Azure service that lasts more than a few minutes gets escalated to our 
executives.”

The total number of valid SSL certificates is 173,886, and the number of charged 
valid certificates is 10,368, for which we need to pay money to another CA for 
free replacement (if US$100 per certificate, the total cost is over US$ One 
Million!). I think this is not only a money problem, but it will also bring 
huge work to us and to our customers to replace the certificates. This is the 
next BIG disaster if Chrome distrusts all WoSign certificates that were issued 
before Oct. 20 2016.

So, I wish Google could reconsider the plan and change it to distrust all 
WoSign-issued free SSL certificates, but keep trusting the charged ones (DV 
SSL/IV SSL/OV SSL/EV SSL) that don’t have any mis-issuance problem; those 
charged certificates are used for many big eCommerce websites, many government 
websites, many bank systems, many securities systems, and many cloud service 
providers like Azure that are used by the world’s biggest companies. Thanks.

So, this is why I said some words for Symantec, to let browsers consider the 
distrust result seriously. The Web Ecosystem players are not just browsers, but 
also the CAs, and also the website owners (certificate subscribers); we all 
have the responsibility for global Internet security, but we need to balance 
all related parties’ benefit and negotiate an acceptable solution for any 
problem that happens.

Thanks.

Best Regards,

Richard

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, April 27, 2017 8:38 PM
To: Richard Wang <rich...@wosign.com>
Cc: Steve Medin <steve_me...@symantec.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Conclusions and Next Steps

Hi Richard,

On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

   I’d like to share the experience we suffered from distrust. It is disastrous 
for a CA and its customers to replace the certificates, which exceeds your 
imagination; we have been working on this since October 2016, nearly six 
months now.

   Yes, when an organization demonstrates its willingness to be operated in a 
non-trustworthy manner, knowingly and with actively deceptive processes, it can 
be very difficult for them to regain trust.

   Due to the quantity of Symantec customers being more than WoSign’s, and most 
of those companies being bigger than WoSign’s customers, I am sure that the 
interoperability and compatibility failures could bring big problems to 
Symantec, to Symantec customers and to browser users.

   Do you believe that, during the discussions about how to respond to WoSign's 
issues, the scope of impact was underestimated? If so, can you share how? That 
might be a more productive and fruitful contribution, if people trust the 
response.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy