Re: WoSign and StartCom situation possible misreporting by Feisty Duck

2016-09-30 Thread Hanno Böck
On Fri, 30 Sep 2016 15:17:49 +0200
Jakob Bohm wrote:

> The Feisty Duck "Bulletproof TLS Newsletter" sent out yesterday seems
> to slightly misreport the WoSign/StartCom situation, as it claims the
> distrust has already been "finally decided", rather than just
> proposed.

Hi,

I'm sorry for that... We have updated the online version of the
newsletter to better reflect the situation:
https://www.feistyduck.com/bulletproof-tls-newsletter/issue_20_mozilla_and_wosign_comodo_sb_and_tc_certificates.html

Here's the relevant changed chapter:

Mozilla now proposes that new certificates from WoSign and StartCOM
should no longer be trusted in their browser. They could reapply for
browser inclusion in a year under certain conditions. Existing
certificates would still be trusted. This would theoretically allow
WoSign to create backdated certificates, however Mozilla announced that
if they saw any evidence of this they would immediately distrust all
Wosign/StartCOM certificates.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


WoSign and StartCom situation possible misreporting by Feisty Duck

2016-09-30 Thread Jakob Bohm

The Feisty Duck "Bulletproof TLS Newsletter" sent out yesterday seems
to slightly misreport the WoSign/StartCom situation, as it claims the
distrust has already been "finally decided", rather than just proposed.

Below is a copy of the (text version) of the relevant portion of the
newsletter:

Mozilla no longer trusts WoSign and StartCOM
============================================

The certificate authority WoSign came under fire for various security
incidents. Gervase Markham from Mozilla started the debate with an
email to Mozilla's security policy mailing list
https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/mKSMaz9eCgAJ.

Someone was able to generate a certificate for github.io by controlling
a subdomain
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com.

For some time it was possible to generate certificates by controlling
unprivileged port numbers.

In a third incident it was possible to generate SHA-1-signed
certificates, which happened through the certificate issuance system
from StartCom, indicating that the two companies share parts of their
infrastructure. It later turned out that Wosign had backdated several
certificates in order to circumvent the SHA-1 ban starting January this
year.

During the debate several further issues came up
https://wiki.mozilla.org/CA:WoSign_Issues and a former employee of
StartCom claimed that WoSign is now the sole owner of StartCom. This
was later confirmed by investigations from Mozilla
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0pqpLJ_lCJQ.

Mozilla finally decided that new certificates from WoSign and StartCOM
would no longer be trusted in their browser
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview.

They can reapply for browser inclusion in a year under certain
conditions. Existing certificates will still be trusted. This
theoretically allows WoSign to create backdated certificates, however
Mozilla announced that if they see any evidence of this they will
immediately distrust all Wosign/StartCOM certificates.
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded