The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.
The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.
“Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Monday’s report stated. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”
WoSign’s practices came under scrutiny after an IT administrator for the University of Central Florida used the service to obtain a certificate for med.ucf.edu. He soon discovered that he mistakenly got one for www.ucf.edu. To verify that the error wasn’t isolated, the admin then used his control over the github subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued Github certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that aren’t clear, Mozilla’s final report makes no explicit mention the certificates involving the Github or UCF domains, which were documented here in August.
WoSign officials, including CEO Richard Wang, didn’t respond to e-mails seeking comment for this post.
The reprimand comes six years after the hack of Netherlands-based certificate authority DigiNotar allowed attackers to mint counterfeit certificates for Google.com and more than 200 other high-traffic domains. The certificates were used against at least 300,000 people with ties to Iran as they browsed the sites impersonated by the forged certificates. Google and Mozilla permanently banished DigiNotar from Chrome and Firefox respectively after concluding its security was woefully inadequate.
Five months before the August 2011 DigiNotar incident, servers tied to a separate authority, Comodo, were hacked by someone with an Iranian IP address who used the access to forge certificates for Gmail, Yahoo, and five other domains. The breach touched off a frantic effort by browser makers to blacklist the certificates before they could be used to impersonate affected sites. Three months later, StartCom, the authority recently purchased by WoSign without disclosure, suffered a security breach that caused it to temporarily suspend operations but didn’t result in the successful issuance of any counterfeit certificates.
In 2012, largely in response to the attacks, browser makers imposed a strict code of security requirements on CAs through a consortium known as the CA/Browser Forum. In Monday’s report, Mozilla officials said the conduct they cited against WoSign violated several of the baseline requirements CAs are required to follow as a condition for being trusted by major browsers.
Specific conclusions reached in the report include:
- Back-dating SHA-1 certs was a relatively common practice at WoSign, and they have consistently denied doing so. (Issue S, and the evidence given above)
- WoSign built a system where applicants could add extra arbitrary domains to their certificates before issuance. Even when mis-issuances happened they did not determine the root cause and eliminated the flaw only in an unrelated system upgrade. (Issue N)
- WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)
- WoSign’s team do not seem to think a misissuance is worth investigating further than simply revoking the certificate. (Issue N)
- WoSign’s approach to their CPS is backwards—instead of following it and changing it first when necessary, they change their practice and then update the documentation when reminded. (Issue J)
- If the experience with their website ownership validation mechanism is anything to go by, It seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)
- The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)
- It does not appear that WoSign learns from the experience of other CAs, e.g. Symantec’s test certificate issue, or the SHA-1 exceptions process. (Issue P, Issue S)
- For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)
- WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)
The issues mentioned in the report come from this much longer list of incidents investigated over the past few weeks by Mozilla officials. The report cited this certificate for payment processor Tyro.com as one example of a backdated certificate allegedly issued by WoSign/StartCom. It wasn’t spotted in the wild until June 8, one day after a previous SHA-1 certificate for the domain expired. The “notBefore” date, however, which CAB Forum requirements say is supposed to roughly match the time a certificate is issued, is listed as December 20, 2015, a date when CAs were still permitted to issue SHA-1 certificates. In all, the report found 62 similarly backdated certificates.
A Google spokesperson said on Monday he was investigating whether Chrome planned to issue similar recommendations against WoSign/StartCom. He hadn’t responded by Tuesday. Last October Google publicly chastised a Symantec-owned certificate business for lapses that involved the improper issuance of extended validation certificates for sites including google.com.
Monday’s report is a reminder that the security of the transport layer security system is only as strong as its least trustworthy or competent certificate authority. There are several hundred authorities trusted by Firefox and other major browsers, and each of them represents a single point of failure that has the potential to take down all, or at least large portions, of the trusted Web as we know it. The fragility clearly isn’t lost on Mozilla, and it shouldn’t be lost on anyone else, either.
Post updated to add the fourth paragraph detailing the Github and UCF domains.