Tag Archives: WoSign

Browser Makers Doing What Needs to be Done – Finally

When you connect to a “secure” web site, one that you reach via HTTPS:// instead of HTTP://, the connection is protected because the web site presents a certificate it obtained from a certificate authority (CA).  Those certificates work because the browsers, all of them, “trust” the CAs that issued them: each browser ships with a list of CA root certificates, and a site's certificate is accepted if it chains up to one of those roots.

How does a certificate authority become trusted?  It applies to each browser maker's root program, and each browser maker decides, independently, whom to trust.

If one or more browsers decide to stop trusting a certificate authority, then every time a user visits a web site whose certificate was issued by that CA, the browser shows an error saying the certificate is not trusted.  Every single time.

What that means is that if any of the major browser vendors don’t trust you, then you cannot sell your certificates.

On any browser or computer, if you know where to look, you can find the list of all the certificate authorities it trusts.  That used to be a handful of companies, but over time it has mushroomed to a ridiculous number, 150 or more.  For some reason the browser makers have made it incredibly hard for Joe or Jane User to see which root certificates are installed or to delete one of them.

There is a group called the CA/Browser Forum (CAB Forum) that sets the standards certificate authorities are supposed to follow, the Baseline Requirements.  Enforcement, though, is up to each browser maker's root program, and the process of disciplining a CA can take years; recently the browser makers have started getting tough.

Two certificate authorities, WoSign of China and StartCom (which WoSign had quietly acquired), were not following the rules, and the browser makers told them so.  They did not change their behavior.  So finally, one by one, the browsers started the process of the death sentence.  This week, the last major browser maker said that come September it will no longer trust certificates issued by WoSign and StartCom.

Of course smart people would be asking why the <bleep> we were trusting security certificates from China in the first place.

My answer?  Beats me.  I guess they want to be inclusive.

I would appreciate it if they allowed me to make that decision.  But they figure that I am not smart enough to decide whether I want to trust certificates from China.

For a certificate authority, losing the trust of the browser makers is basically a death sentence – which is why they keep giving certificate authorities that screw up another chance.  Personally, I vote for ONE strike and you are out.

On a related front, one of the biggest U.S. certificate authorities, Symantec (which bought the VeriSign certificate business), just sold its certificate business to DigiCert.

Symantec/VeriSign has been under browser scrutiny for a year or two now because of mistakes it has made, like issuing certificates for Google.com to someone other than Google.  Symantec has been given several chances to clean up its act but does not appear to be getting it right.  Fearing that it would go down the same path WoSign went down and pour a billion-plus-dollar investment down the sewer, this week it sold that business to DigiCert for $950 million plus some stock.  This is good for users because DigiCert is well respected, unlike Symantec.

So, while certificate authorities have historically almost never received the death penalty, it appears that the browser makers have had their fill of it and ARE NOT GOING TO TAKE IT ANY MORE!!!

I hope this is the beginning of a trend.  I could do with maybe a dozen trusted certificate authorities.  That would be enough for me.  3 down, one hundred plus to go.

Information for this post came from ZDNet and eWeek.


Yet Another Reason Why HTTPS is a FAIL!

Merchants want you to believe that HTTPS equals secure.  I keep saying that it doesn’t.  Here is another story for my side of the argument.

First, a little background.  If a web site wants to support HTTPS (HTTP over TLS, the successor of SSL), it needs a certificate.  The certificate proves to the browser that it is talking to the real holder of the domain name, and its public key is used during the TLS handshake so that only the genuine server ends up with the fresh encryption keys generated for each session.  The owner of the web site buys (or gets for free) a certificate, and depending on the type of certificate, the buyer has to prove, more or less rigorously, that they control the domain they want a certificate for (for a basic domain-validated certificate, typically by placing a file on the web server, adding a DNS record, or answering an email sent to the domain).

Why do they have to prove they control the domain?  Because if they didn't, anyone who wanted to could buy a certificate for any name, install it, and launch a bogus web site that pretends to be Facebook or Amazon or whoever.

Under the standard way certificates work, any certificate authority, and there are hundreds of them, can issue a certificate for your web site; nothing in the certificate format ties a domain name to one particular CA.  As long as that certificate authority is trusted by your browser, you will have no clue that the web site you think is owned by Amazon or Google or whoever is not legit.  You will see the padlock and everything.

To make things worse, under these circumstances an attacker can create a bogus Google.com or Amazon.com, steer your browser to that site (using DNS spoofing or other techniques), and you then think you are at the real Google or Amazon.

Under the way things normally work with certificates, any certificate authority anywhere in the world can issue a certificate for your domain.

On some operating systems and browsers, you can choose which of the hundreds of certificate authorities you want to trust.  That doesn't solve the problem of a hacker imitating your web site and someone else believing it, but it does solve the problem of you trusting sites certified by authorities in, say, China.

Curiously, it is pretty easy to disable, say, a Chinese certificate authority on Android, but it is literally impossible for you to do this on an iPhone.  This is because Apple's philosophy is that Apple knows best.  For details on how to do this (it is pretty geeky) in different environments, check the link below.
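As an added example (not code from the original post), here is how that trust decision plays out in practice, written in Go against the standard library's crypto/x509 package. It stands up two throwaway root CAs, has both of them issue a certificate for the same hypothetical site name (example.com), and checks each certificate the way a browser does before showing the padlock. The forged certificate passes as long as the rogue root is in the trust store, which is the "any trusted CA can issue for any domain" problem described above, and fails the moment the root is removed, which is what a vendor's distrust decision (or your own, where the platform lets you) does to every site that used that CA. The CA names, the site name and the validity periods are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate body: a root that may sign other
// certificates when isCA is set, otherwise a server certificate for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign generates a fresh key pair and has parent sign tmpl for it. A nil
// parent self-signs, which is how a root CA certificate comes into being.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueFor stands up a root CA named caName and has it issue a certificate for
// site. Nothing in X.509 stops any CA from doing this for any name at all.
func issueFor(caName, site string) (*x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := sign(template(caName, true), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := sign(template(site, false), root, rootKey)
	return root, leaf, err
}

// Trusted is the check a browser makes before showing the padlock: does the
// site certificate chain to a root in the trust store, for this host name?
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// Demo plays out the post's scenario for a hypothetical site: does the real
// certificate verify, does a rogue CA's certificate for the same name verify
// while that CA is in the store, and does it still once that root is removed?
func Demo() (legitOK, rogueOK, rogueOKAfterDistrust bool, err error) {
	const site = "example.com" // constructed victim domain
	goodRoot, legitLeaf, err := issueFor("Good Root CA", site) // the CA the site really uses
	if err != nil {
		return
	}
	rogueRoot, rogueLeaf, err := issueFor("Rogue Root CA", site) // another trusted CA, mis-issuing
	if err != nil {
		return
	}
	store := x509.NewCertPool() // the trust store as shipped: both roots present
	store.AddCert(goodRoot)
	store.AddCert(rogueRoot)
	legitOK = Trusted(legitLeaf, store, site)
	rogueOK = Trusted(rogueLeaf, store, site)
	// A CertPool cannot drop a root, so distrust means rebuilding the store
	// without it, which is what a browser's root-program removal amounts to.
	trimmed := x509.NewCertPool()
	trimmed.AddCert(goodRoot)
	rogueOKAfterDistrust = Trusted(rogueLeaf, trimmed, site)
	return
}

func main() {
	legit, rogue, afterDistrust, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("legit:", legit, "rogue while trusted:", rogue, "rogue after distrust:", afterDistrust)
}
```

Running it prints true, true, false: the browser cannot tell the two certificates for example.com apart on their own merits, only by whether the signing root is still in the store. Note that Trusted leaves the ExtKeyUsage check at Go's default (server authentication) and does no revocation checking at all, which is also how most browsers behave in practice.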

So, what is the new problem?  A Chinese certificate authority, WoSign, had a bug in its software that allowed people to get a certificate for a base domain, say google.com, if they could show that they controlled a subdomain, say mitch.google.com.  A researcher tested this by using the bug to get a certificate for the popular web site GitHub and also for a Florida university.  When they explained the problem to WoSign, it revoked the GitHub certificate but did not revoke the one for the university.  This has led some people to speculate that WoSign does not know what certificates it has issued.
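The bug comes down to checking the proof of control in the wrong direction. As an added illustration (my own reconstruction, not WoSign's code), the Go program below puts a vulnerable authorization check next to a hardened one. AuthorizedVulnerable accepts a request whenever the name the applicant proved control of merely ends with the requested name, so proof for mitch.google.com covers google.com; AuthorizedHardened only lets proof flow downward, from a proven parent to its children, which is the rule the CA/Browser Forum Baseline Requirements allow. The test names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lower-cases a DNS name and drops any trailing dot so that
// "GitHub.com." and "github.com" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// AuthorizedVulnerable is a hypothetical reconstruction of the flaw the post
// describes (not WoSign's actual code). It accepts the request whenever the
// name whose control was proven ends with the requested name, so control of
// mitch.google.com counts as proof for google.com. It also ignores label
// boundaries, so proving notgithub.com would cover github.com.
func AuthorizedVulnerable(provenName, requestedName string) bool {
	return strings.HasSuffix(normalize(provenName), normalize(requestedName))
}

// AuthorizedHardened only lets proof flow downward: the certificate may cover
// the proven name itself or a name beneath it, never a parent of it. The "."
// prefix makes the comparison respect label boundaries, so ample.com cannot
// authorize example.com. A real CA must additionally refuse to treat a public
// suffix such as co.uk as a proven parent; that list is omitted here.
func AuthorizedHardened(provenName, requestedName string) bool {
	proven, requested := normalize(provenName), normalize(requestedName)
	if proven == "" || requested == "" {
		return false
	}
	return requested == proven || strings.HasSuffix(requested, "."+proven)
}

func main() {
	// Constructed cases: (name control was proven for, name requested).
	cases := [][2]string{
		{"mitch.google.com", "google.com"}, // the WoSign-style escalation
		{"notgithub.com", "github.com"},    // label-boundary confusion
		{"github.com", "github.com"},       // exact match
		{"GitHub.com.", "api.github.com"},  // parent proven, child requested
	}
	fmt.Printf("%-20s %-16s %-10s %s\n", "proven", "requested", "vulnerable", "hardened")
	for _, c := range cases {
		fmt.Printf("%-20s %-16s %-10v %v\n", c[0], c[1],
			AuthorizedVulnerable(c[0], c[1]), AuthorizedHardened(c[0], c[1]))
	}
}
```

The first two cases are the ones that matter: the vulnerable check says yes to both, the hardened check says no to both, and the two checks agree only on the legitimate requests.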

But remember that your browser trusts WoSign, so even though it is issuing bogus certificates, your browser will accept them.  If you are not using an iPhone, and if you are motivated, you can decide that YOU are not going to trust WoSign, but I doubt very many people will go to that trouble.

Remember I said that WoSign revoked the bogus GitHub certificate.  Well, that is nice, but it turns out, for a variety of reasons, certificate revocation doesn't actually work in practice: most browsers treat an unreachable OCSP responder as a pass (“soft fail”), so an attacker who can block the revocation check wins, and Chrome does not query OCSP at all, relying instead on its own curated list of revoked certificates (CRLSets), which covers only a fraction of revocations.  So while that GitHub certificate is revoked in theory, it may still work in practice.

While I don’t have a better answer for HTTPS, I can say with some confidence it is seriously broken.  There are some possibilities like DNSSEC+DANE or certificate pinning, but very few web sites, in the grand scheme of things, have the ability to do this.

Which is why I keep saying that SSL is broken.  We are giving people the delusion that things are secure, when they are not really very secure.

We really ought to do something about this before some hacker comes up with a really creative way to steal a lot of money.

Information for this post came from The Hacker News.

Information on how to remove the trust for certain certificate authorities can be found at CertSimple’s blog.
