back to article Mozilla wants woeful WoSign certs off the list

Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program. As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone. In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... …

  1. asdf Silver badge

    x.509 broken by design

    How many fingers are in that dyke already?

    1. Warm Braw Silver badge

      Re: x.509 broken by design

      X.509 is not (now) restricted to a hierarchical PKI model, but that's essentially the only way it's ever been deployed since RFC2459 first made it the basis of the "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" in 1999.

      It's a tricky problem working out whether you should trust someone you don't know - it's hard enough working out whether to trust someone you do know - and all the schemes I've seen rely on an introduction through one or more "reputable" third parties (whether they're certificate authorities or mutual acquaintances). All these schemes fall down if the "reputable" party is no such thing. At least in principle you could regulate a commercial indentity-provider and have legal sanctions against them if they were negligent - the biggest problem seems to be that there is no effective regulation of this critical piece of infrastructure and no real interest in there being any.

      1. Doctor Syntax Silver badge

        Re: x.509 broken by design

        "the biggest problem seems to be that there is no effective regulation of this critical piece of infrastructure and no real interest in there being any."

        No real interest except amongst the consumers, but, hey, who cares about them!

        1. Tomato42 Silver badge
          Mushroom

          Re: x.509 broken by design

          > No real interest except amongst the consumers,

          ou contrair! the people that buy them are interested in them being as cheap as possible and if that means few bad apples, so be it

      2. Martin Summers Silver badge

        Re: x.509 broken by design

        "It's a tricky problem working out whether you should trust someone you don't know"

        Where's that people rating site when you need it? :-)

    2. MrDamage

      Re: x.509 broken by design

      > "How many fingers are in that dyke already?"

      Fnar fnar!

  2. jamesb2147

    Judge, jury, and eulogy

    "We require that all CAs whose certificates are distributed with our software products notify us when its policies and business practices change in regards to verification procedures for issuing certificates, when the ownership control of the CA’s certificate(s) changes, or when ownership control of the CA’s operations changes."

    That's a clear violation. Mozilla claims they have evidence in the public record, confirmed by a lawyer, that WoSign 100% owns StartCom and has since November 2015. Reading through the list, Mozilla has been generous in leaving their certs intact thus far.

    More importantly, the lack of audit findings are damning both for WoSign and Ernst & Young (E&Y has a lot more to lose, of course).

    I used StartCom about 10 years ago on my first domain. They offered free, low security SSL certs that became trusted by most browsers, eventually, with clear instructions for creation, installation, and maintenance. Essentially, they did what Let's Encrypt is trying to do now, but on a smaller, more commercial scale.

    RIP StartCom. You were kind to me in a world full of pay services.

  3. oldtaku
    Facepalm

    Tiger Todger Can Fix That

    Ah China. The air's poison, the water's poison, the pet food is poison, the milk is poison, the shirts are poison (and burn), the drywall is poison, the century eggs are poison, the booze is poison, even the CERTS are poison.

    This seems like something only the ground up penis of an endangered species can fix.

    1. Ian Emery Silver badge

      Re: Tiger Todger Can Fix That

      It's strange then, when I go there for a long stay, my extremely rare autoimmune problem gets better; and as soon as I come back to the "clean and green" west, I get bad again.

      But yeah, cheating and cutting corners is endemic in Chinese business; they cant even build a bridge without stealing half the foundation concrete and replacing it with bags of household rubbish.

      1. Version 1.0 Silver badge

        Re: Tiger Todger Can Fix That

        It's strange then, when I go there for a long stay, my extremely rare autoimmune problem gets better; and as soon as I come back to the "clean and green" west, I get bad again.

        Probably pinworms.

  4. Anonymous Coward
    Anonymous Coward

    Get in first

    Get it done now, open firefox>preferences>advanced>certificates and delete the WoSign certs

    1. TonyHoyle

      Re: Get in first

      And the startcom certs, since they're essentially the same company.

      That's likely to have a bigger impact.

    2. Czrly

      Re: Get in first

      Didn't work for me. They just reappeared in the list after I closed the dialogue and clicked "View Certificates..." a second time.

  5. juul

    How decides, whom I trust ?

    I would bee much happier if I could choose which CA's I trust, instead of having Mozilla, Google, Microsoft, Opera etc. do it.

    1. Dan 55 Silver badge

      Re: How decides, whom I trust ?

      You can, it's just very annoying thanks to the UI. Tools > Options > Advanced > Certificates > View Certificates > Authorities > Delete or Distrust. Only it's impossible to sort the list, order by distrusted authorities, etc...

      There must be a better way... an add-on or something.

    2. tin 2

      Re: How decides, whom I trust ?

      You totally can. I wish you luck with researching the backgrounds, ethics and business practices of all those companies on your own. Me I'll probably gratefully let Mozilla carry on doing it.

    3. Ian Thomas

      Re: How decides, whom I trust ?

      Someone has to decide for everyone, because site owners need to know that you'll trust their certificate.

      If you don't trust a CA then what are you personally going to do about it? All you can do is not use sites that use their certificate (which could be a big pain). If Mozilla don't trust a CA, then they basically put them out of business. That threat alone should encourage CA to be reputable.

  6. Alan J. Wylie

    What about the other browsers?

    Unless Google, Apple and Microsoft follow, Mozilla stands to lose market share: users want things that "just work" and if Firefox starts giving error messages, they might move to an alternative.

    Chris Siebenmann's blog

    1. TonyHoyle

      Re: What about the other browsers?

      They probably will, if these allegations are proven.

  7. Anonymous Coward
    Anonymous Coward

    Corruption in random numbers?

    At some point, everyone will understand that anyone selling a SSL cert that is 100% (*) accepted is related to a spook. That is the only way you can get in the game and everyone in the game is already a player.

  8. Alan J. Wylie

    Interesting messages from Tyro

    First, an old announcement about problems with SHA-1:

    http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

    and secondly a blog posting, now deleted, but still in Bing's cache: try this link to archive.org or search Bing for the text below

    https://tyro.com/blog/merchant-security-is-tyros-priority/

    Merchant security is Tyro’s priority

    Sascha Hess

    27/09/2016

    To summarise: after a SHA-1 to SHA-2 upgrade, some merchants had obsolete Point of Sale systems that were unable to connect. Tyro "reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge".

  9. Alan J. Wylie

    Apple's response

    https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI

    In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

  10. Alan J. Wylie

    WoSign has stopped issuing free certificates

    https://twitter.com/rmhrisk/status/782838192944713728

    https://buy.wosign.com/free/?lan=en

    Sorry, due to some security consideration,

    WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019