Re: Incidents involving the CA WoSign

2016-09-07 Thread Jozef Izso
Richard, why does the report not mention that the list of certs issued using 
high port validation is not complete and that you cannot properly find all the 
relevant information in your system?

> On 7. 9. 2016, at 4:08, Richard Wang  wrote:
> 
> We checked our system: this order finished the website control 
> validation correctly. There was no mistake.
> 
> Why is this not listed in the report list? This order is a 2015 order, 
> an event from 17 months ago; we can't find the info on what port was used. 
> Our CMS system just records that this order was validated by the website 
> control validation method; it did not record the port used at that time.
> 
> Why could we find the other 72 certificates? We tried to search every piece 
> of validation process evidence in many systems and analyzed the related logs 
> to catch the info. I can't guarantee all high port validation orders are 
> listed in the report, but as we said in the report, each certificate was 
> properly validated using a high port.
> 
> 
> Best Regards,
> 
> Richard
> 
> -Original Message-
> From: Julian Brost [mailto:jul...@0x4a42.net] 
> Sent: Wednesday, September 7, 2016 12:06 AM
> To: Richard Wang ; Gervase Markham ; 
> dev-security-policy@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
> 
> Hi,
> 
> Section 1.4, Impact Analytics, in the report contains a list of 72 
> certificates for which the domain validation was done on a high port.
> 
> On 2015-04-20 I have obtained a certificate for a domain name that I 
> validated using port 8080 but that certificate is not listed in the report. 
> This is the certificate: https://crt.sh/?id=30335331
> 
> It seems like the certificate was posted to the CT logs by WoSign (at least I 
> never used the certificate anywhere) but not on August 26th like the other 
> certs and as stated in the report.
> 
> So I have doubts about the report, and it really should be investigated why 
> this certificate is missing from the report.
> 
> Regards,
> Julian Brost
> 
>> On 04.09.2016 11:49, Richard Wang wrote:
>> Hi all,
>> 
>> We finished the investigation and released the incidents report today: 
>> https://www.wosign.com/report/wosign_incidents_report_09042016.pdf
>> 
>> This report has 20 pages; please let me know if you still have any questions, 
>> thanks.
>> 
>> This report is just for Incident 0-2, we will release a separate report for 
>> another incident X soon.
>> 
>> 
>> Best Regards,
>> 
>> Richard Wang
>> CEO
>> WoSign CA Limited
>> 
>> 
>> -Original Message-
>> From: Gervase Markham [mailto:ge...@mozilla.org]
>> Sent: Wednesday, August 24, 2016 9:08 PM
>> To: mozilla-dev-s...@lists.mozilla.org
>> Cc: Richard Wang 
>> Subject: Incidents involving the CA WoSign
>> 
>> Dear m.d.s.policy,
>> 
>> Several incidents have come to our attention involving the CA "WoSign".
>> Mozilla is considering what action it should take in response to these 
>> incidents. This email sets out our understanding of the situation.
>> 
>> Before we begin, we note that Section 1 of the Mozilla CA Certificate 
>> Enforcement Policy[0] says: "When a serious security concern is noticed, 
>> such as a major root compromise, it should be treated as a 
>> security-sensitive bug, and the Mozilla Policy for Handling Security Bugs 
>> should be followed." It is clear to us, and appears to be clear to other CAs 
>> based on their actions, that misissuances where domain control checks have 
>> failed fall into the category of "serious security concern".
>> 
>> Incident 0
>> --
>> 
>> On or around April 23rd, 2015, WoSign's certificate issuance system for 
>> their free certificates allowed the applicant to choose any port for 
>> validation. Once validation had been completed, WoSign would issue 
>> certificates for that domain. A researcher was able to obtain a certificate 
>> for a university by opening a high-numbered port (>50,000) and getting 
>> WoSign to use that port for validation of control.
>> 
>> This problem was reported to Google, and thence to WoSign and resolved.
>> Mozilla only became aware of it recently.
>> 
>> * Before the recent passage of Ballot 169 in the CAB Forum, which limits the 
>> ports and paths which can be used, the Baseline Requirements said that one 
>> acceptable method of domain validation was "Having the Applicant demonstrate 
>> practical control over the FQDN by making an agreed-upon change to 
>> information found on an online Web page identified by a uniform resource 
>> identifier containing the FQDN". This method therefore did not violate the 
>> letter of the BRs. However, Mozilla considers the basic security knowledge 
>> that ports over 1024 are unprivileged should have led all CAs not to accept 
>> validations of domain control on such ports, even when not documented in the 
>> BRs.
>> 
>> * The misissuance incident was not reported to Mozilla by WoSign as it 
>> should have been (see above).
>> 
>> * 
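The following is an added example (not code from any participant in this thread, and not WoSign's issuance system) that models Incident 0 as Gerv describes it: the CA built its validation URL from whatever port the applicant chose, so anyone with an unprivileged local account on the target host could bind a port above 1023 and answer the challenge. It contrasts that with a policy gate of the kind Ballot 169 requires. The allowed-port set {80, 443} and the `/.well-known/pki-validation/` path are assumptions for the example, since the thread only says that Ballot 169 "limits the ports and paths"; `example.edu` stands in for the university domain.

```python
"""Added example, not from the thread: applicant-chosen validation ports
(Incident 0) versus a port/path policy gate for the 'agreed-upon change
to a web page' validation method."""
from urllib.parse import urlsplit

# Ports 0-1023 need root to bind on Unix-like hosts; anything above is
# unprivileged, so any local account can listen there.
PRIVILEGED_PORT_MAX = 1023

# Assumption: the thread does not reproduce Ballot 169's authorized-port
# list, so this gate accepts only the two ports an HTTP validation would
# normally use.
ALLOWED_PORTS = {80, 443}

# Assumption: a fixed well-known directory for the challenge file; the
# thread only says Ballot 169 limits the paths that may be used.
REQUIRED_PATH_PREFIX = "/.well-known/pki-validation/"


def vulnerable_validation_url(fqdn, port, path="/check.txt"):
    """Pre-fix behaviour described in Incident 0: the CA fetches the
    challenge from whatever port the applicant asked for, no questions."""
    return f"http://{fqdn}:{port}{path}"


def effective_port(url):
    """Port the CA would actually connect to, applying scheme defaults."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def check_validation_url(url):
    """Policy gate a CA should apply before fetching a challenge.
    Returns (accepted, reason) so a rejection can be logged verbatim."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    port = effective_port(url)
    if port > PRIVILEGED_PORT_MAX:
        return False, f"port {port} is unprivileged (>{PRIVILEGED_PORT_MAX})"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not in authorized set {sorted(ALLOWED_PORTS)}"
    if not parts.path.startswith(REQUIRED_PATH_PREFIX):
        return False, "path outside the well-known validation directory"
    return True, "ok"


def unprivileged_user_can_answer(url):
    """Constructed model of a shared host like the university in Incident 0:
    the web server on 80/443 belongs to root, but any local account (a
    student, a compromised daemon) can bind an unprivileged port and serve
    the token the CA is looking for."""
    return effective_port(url) > PRIVILEGED_PORT_MAX


if __name__ == "__main__":
    # Constructed inputs; example.edu stands in for the university domain.
    attack = vulnerable_validation_url("example.edu", 54321)
    print(attack, unprivileged_user_can_answer(attack), check_validation_url(attack))
    good = "http://example.edu/.well-known/pki-validation/token.txt"
    print(good, unprivileged_user_can_answer(good), check_validation_url(good))
```

The gate rejects the port-8080 case from Julian's report as well as the >50,000 case from Incident 0, and it rejects a privileged but non-HTTP port such as 25 for a different reason, which is why the function returns the reason alongside the verdict.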

Re: Incidents involving the CA WoSign

2016-08-31 Thread jozef.izso
As an admin, I want to check the WoSign Issuer Policy provided by their "WoSign 
CA Free SSL Certificate G2" certificate.

Issuer Policy is linked to http://www.wosign.com/policy/
This page shows the source code instead of actual policy.

<% Dim strAcceptLanguage
strAcceptLanguage = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")
'response.write strAcceptLanguage
If InStr(strAcceptLanguage, "zh") > 0 Then   ' Chinese-language browsers
    Response.Redirect "cps.htm"
Else                                          ' everyone else: English CPS
    Response.Redirect "cps_e.htm"
End If %>

WoSign does not look like a trustworthy CA. Unfortunately their certificates are 
trusted because the StartCom CA is trusted by the OS.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy