Google drops the boom on WoSign, StartCom certs for good

(credit: Michael Rosenstein)

Last August, after being alerted by GitHub's security team that the certificate authority WoSign had errantly issued a certificate for a GitHub domain to someone other than GitHub, Google began an investigation in collaboration with the Mozilla Foundation and a group of security professionals into the company's certificate issuance practices. The investigation uncovered a pattern of bad practices at WoSign and its subsidiary StartCom dating back to the spring of 2015. As a result, Google moved last October to begin distrusting new certificates issued by the two companies, stating "Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome."

WoSign (based in Shenzen, China) and StartCom (based in Eliat, Israel) are among the few low-cost certificate providers who've offered wildcard certificates. StartCom's StartSSL offers free Class 1 certificates, and $60-per-year wildcard certificates—allowing the use of a single certificate on multiple subdomains with a single confirmation. This made the service wildly popular. But bugs in WoSign's software allowed a number of misregistrations of certificates. One bug allowed someone with control of a subdomain to claim control of the whole root domain for certificates. The investigation also found that WoSign was backdating the SSL certificates it issued to get around the deadline set for certificate authorities to stop issuing SHA-1 SSL certificates by January 1, 2016. WoSign continued to issue the less secure SHA-1 SSL certificates well into 2016.

Initially, Google only revoked trust for certificates issued after October 21, 2016. But over the past six months, Google has walked that revocation back further, only whitelisting certificates for domains from a list based on Alexa's top one million sites. But today, Google announced that it would phase out trust for all WoSign and StartCom certificates with the release of Chrome 61. That release, about to be released for beta testing, will be fully released in September.

Read 1 remaining paragraphs | Comments

HTTPS Certificate Revocation is broken, and it’s time for some new tools

Enlarge / Damn computer hackers, always trying to steal all my stuff. (credit: Getty Images / C.J. Burton)

This article was originally published on Scott Helme's blog and is reprinted here with his permission.

We have a little problem on the web right now and I can only see it becoming a larger concern as time goes by: more and more sites are obtaining certificates, vitally important documents needed to deploy HTTPS, but we have no way of protecting ourselves when things go wrong.

Certificates

We're currently seeing a bit of a gold rush for certificates on the Web as more and more sites deploy HTTPS. Beyond the obvious security and privacy benefits of HTTPS, there are quite a few reasons you might want to consider moving to a secure connection that I outline in my article Still think you don't need HTTPS?. Commonly referred to as "SSL certificates" or "HTTPS certificates", the wider Internet is obtaining them at a rate we've never seen before in the history of the web. Every day I crawl the top one million sites on the Web and analyze various aspects of their security and every 6 months I publish a report. You can see the reports here, but the main result to focus on right now is the adoption of HTTPS.

Not only are we continuing to deploy HTTPS, the rate at which we're doing so is increasing, too. This is what real progress looks like. The process of obtaining a certificate has become more and more simple over time and now, thanks to the amazing Let's Encrypt, it's also free to get them. Put simply, we send a Certificate Signing Request (CSR) to the Certificate Authority (CA) and the CA will challenge us to prove our ownership of the domain. This is usually done by setting a DNS TXT record or hosting a challenge code somewhere on a random path on our domain. Once this challenge has been satisfied the CA it issues the certificate and we can then present it to visitors' browsers and get the green padlock and "HTTPS" in the address bar.

Read 45 remaining paragraphs | Comments

Firefox ready to block certificate authority that threatened Web security

Enlarge

The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.

The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.

"Taking into account all the issues listed above, Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Monday's report stated. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands."

Read 10 remaining paragraphs | Comments

800-pound Comodo tries to trademark upstart rival’s “Let’s Encrypt” name

(credit: wbeem)

Comodo, the world's biggest issuer of browser-trusted digital certificates for websites, has come under fire for registering trademarks containing the words "let's encrypt," a phrase that just happens to be the name of a nonprofit project that provides certificates for free.

In a blog post, a Let's Encrypt senior official said Comodo has filed applications with the US Patent and Trademark Office for at least three such trademarks, including "Let's Encrypt," "Let's Encrypt with Comodo," and "Comodo Let's Encrypt." Over the past few months, the nonprofit has repeatedly asked Comodo to abandon the applications, and Comodo has declined. Let's Encrypt, which is the public face of the Internet Security Research Group, said it has been using the name since November 2014.

"We’ve forged relationships with millions of websites and users under the name Let’s Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone," Josh Aas, ISRG executive director, wrote. "We’ve also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion."

Read 5 remaining paragraphs | Comments