Richard,

Did you communicate to your customers over the last 6 months that their 
existing certificates may become distrusted? Or did they find out when their 
sites stopped working in Chrome?

On Friday, April 28, 2017 at 4:19:01 AM UTC-4, Richard Wang wrote:
> Hi Ryan,
> 
> For your question “Do you believe that, during the discussions about how to 
> respond to WoSign's issues, the scope of impact was underestimated?”, the 
> answer is YES.
> 
> After Oct 21 2016, WoSign stopped issuing SSL certificates from the WoSign 
> root (to be exact, maybe a few in October, but all replaced). We know our 
> customers don’t accept the problem of interoperability and compatibility 
> failures, so we have cooperated with other trusted CAs to sell their 
> certificates to our customers since Nov 21 2016, to replace the affected SSL 
> certificates and code signing certificates for our paying customers for FREE, 
> and to renew and order certificates for current customers and new customers 
> to keep our business continuity until we have our own new trusted roots.
> 
> WoSign appreciated Mozilla’s decision to trust the certificates issued 
> before Oct 20 2016, and the similar rule from Apple and Microsoft, and we 
> also promised this to our customers. This decision doesn’t bring any trouble 
> to our issued-certificate customers, very good.
> 
> But Google started to distrust WoSign certificates unless the site is in the 
> Alexa Top 1M site list since Chrome 57. This brought many problems to us and 
> to our customers. To provide the best service to our customers, we provide 
> FREE replacement for our paying customers, for which we must pay the cost to 
> the partner (trusted CA). Until now, we have replaced 596 certificates for 
> our customers for free, and there are 97 orders asking for a refund instead 
> of replacement. The problem with this Google decision is that some big 
> websites that used a domain not listed in the Alexa 1M suffered disruption; 
> for example, Qihoo 360’s search site and online gaming sites used a domain in 
> a CDN for pictures that is not listed in the Top 1M, so more than 500M users 
> suffered the untrusted warning and 360 needed to replace the certificates on 
> thousands of servers.
> 
> The problem also comes from the WoSign Root CA being pinned by some payment 
> gateways from online payment service providers and by some online banking 
> apps. Even though we replaced the certificates for them for free, they need 
> to update the gateway/API software to accept the new trusted root, and need 
> to update the bank app to recognize the new certificate and new root. This 
> is terrible; all those customers curse us and are very angry.
> 
> For the 2417 affected code signing certificates, there are many customers 
> who signed their code but were distrusted by Microsoft; those customers ask 
> for a full refund and need to buy a new code signing cert from another CA, 
> and need to sign again the software that is installed on billions of 
> systems. This is also a disaster for customers and their software users.
> 
> We can’t imagine the future result of “In subsequent Chrome releases, these 
> exceptions will be reduced and ultimately removed, culminating in the full 
> distrust of WoSign”. This means all WoSign-issued SSL certificates from the 
> last three years need to be replaced, including the 2845 valid certificates 
> for Microsoft Azure and Office 365, of which Microsoft’s Sumedh said “any 
> outage of an Azure service that lasts more than a few minutes gets escalated 
> to our executives.”
> 
> The total number of valid SSL certificates is 173,886, and the number of 
> valid paid certificates is 10,368, for which we need to pay money to another 
> CA for free replacement (at US$100 per certificate, the total cost is over 
> US$ one million!). I think this is not only a money problem; it will also 
> bring huge work to us and to our customers to replace the certificates. This 
> is the next BIG disaster if Chrome distrusts all WoSign certificates issued 
> before Oct. 20 2016.
> 
> So, I wish Google could reconsider the plan and change it to distrust all 
> WoSign-issued free SSL certificates, but keep trusting the paid ones (DV 
> SSL/IV SSL/OV SSL/EV SSL) that don’t have any mis-issuance problem. Those 
> paid certificates are used by many big eCommerce websites, many government 
> websites, many bank systems, many securities systems, and many cloud service 
> providers like Azure that are used by the world’s biggest companies. Thanks.
> 
> So, this is why I said some words for Symantec, to let the browsers consider 
> the result of distrust seriously. The web ecosystem players are not just the 
> browsers, but also the CAs and the website owners (certificate subscribers). 
> We all have responsibility for global Internet security, but we need to 
> balance all related parties’ benefits and negotiate an acceptable solution 
> for any problem that has happened.
> 
> Thanks.
> 
> Best Regards,
> 
> Richard
> 
> From: Ryan Sleevi [mailto:r...@sleevi.com]
> Sent: Thursday, April 27, 2017 8:38 PM
> To: Richard Wang <rich...@wosign.com>
> Cc: Steve Medin <steve_me...@symantec.com>; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Symantec Conclusions and Next Steps
> 
> Hi Richard,
> 
> On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> > I like to share the experience we suffered from distrust, it is disastrous 
> > for CA and its customers to replace the certificate that exceed your 
> > imagination that we are still working for this since October 2016 that 
> > nearly six months now.
> 
> Yes, when an organization demonstrates its willingness to be operated in a 
> non-trustworthy manner, knowingly and with actively deceptive processes, it 
> can be very difficult for them to regain trust.
> 
> > Due to the quantity of Symantec customers is more than WoSign and most 
> > companies are bigger than WoSign's customers, I am sure that the 
> > interoperability and compatibility failures could bring big problem to 
> > Symantec, to Symantec customers and the Browser users.
> 
> Do you believe that, during the discussions about how to respond to 
> WoSign's issues, the scope of impact was underestimated? If so, can you share 
> how? That might be a more productive and fruitful contribution, if people 
> trust the response.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy