==Incident S: Backdated SHA-1 Certs (January 2016)==
WoSign has issued certificates after January 1st 2016 but backdated the notBefore date to be in December 2015. This has the effect of avoiding the blocks in browsers regarding SHA-1 certs issued after January 1st 2016. The number of certs affected is unknown but probably at least 5060.
The three certificates below have notBefore dates in Dec 2015, have signatures over SHA-1 hashes and have embedded SCTs which are dated after January 1, 2016.
|}
Because these SCTs are embedded, they must have been created before the final certificate was signed, and therefore the final certificate must have been signed in January - on or after January 18th, for the third one.
These are the only certs for which cryptographic proof of backdating is available. However, note other strong circumstantial evidence suggests that the above certs all have the same notAfter date, which backdating is not exactly 1 year (or any other standard time period) after the notBefore. And the notBefore date is some time between midnight and midnight on December 20th 2015, China time (+0800). (This pattern fits a system where code adjusted the date, but not the time, prior to issuance.) If we look for other certs matching this pattern, we find a total of 62 certificates in crt.sh and other sources. Here are five more examples: [https://crt.sh/?id=30741722 1], [https://crt.sh/?id=30741724 2], [https://crt.sh/?id=30773614 3], [https://crt.sh/?id=30773616 4], [https://crt.sh/?id=30773644 5]prevalent.
Of those Firstly, note that the above certs all have the same notAfter date, which is not exactly 1 year (or any other standard time period) after the notBefore. And the notBefore date is some time between midnight and midnight on December 20th 2015, China time (+0800). (This pattern fits a system where code adjusted the date, but not the time, prior to issuance.) If we look for other certs matching this pattern, we find a total of 62certificates in crt.sh and other sources. Here are five more examples: [https://crt.sh/?id=30741722 1], [https://crt.sh/?id=30741724 2], [https://crt.sh/?id=30773614 3], [https://crt.sh/?id=30773616 4], [https://crt.sh/?id=30773644 5]. Secondly, the ID of certificates in WoSign's CT log can be used to show the logging sequence of a set of certificates even if they don't have embedded SCTs, because the IDs are sequential. If you order all certs in WoSign's log by ID, up to [https://crt.sh/?q=6d8665951cf6d8743200393a1085e0f6eb226270cc1f1402507d61faae93256a ID 109149], where the notBefore is on December 31st, the notBefore values are (approximately) chronologically ordered. Those which have embedded SCTs have timestamps which are about 2 hours later than the notBefore date. But after that follow 64 certificates which are all dated on December 20, 2015 (CST, UTC+8). This suggests that these were logged at the actual time of issuance but that time is not reflected in their notBefore date - i.e. they were backdated. And it further suggests that this behaviour only began after December 31st 2015, i.e. it was not a continuation of some previous behaviour. Thirdly, some certificates which are suspected to be backdated were issued at the same time as SHA-256 certificates for the same domain; the timestamps on the SHA-256 certificates are more likely to be the accurate ones. One example is for congfubao.com, where there is a [https://crt.sh/?id=11900532 SHA-256 cert] with a notBefore of 5th January and an SCT timestamp of 5th January, 17 seconds later than the SCT timestamp in the [https://crt.sh/?id=30773528 backdated SHA-1 cert]. The simplest explanation is that both certs were issued together, on January 5th. Other pairs include for ebank.pcnkbank.com ([https://crt.sh/?id=30773634 SHA-1], [https://crt.sh/?id=15425430 SHA-256]) and mail.gd.gov.cn ([https://crt.sh/?id=12356371 SHA-1], [https://crt.sh/?id=12362293 SHA-256]). (Thanks to Thijs Alkemade of Computest for the information in the previous two paragraphs.) Lastly, of the 62 suspect certs, are three more certs with embedded SCTs where the gap between the notBefore date and the SCT date is multiple days (i.e. they were backdated) but where the SCT date is nevertheless before 1st January 2016, which means the backdating does not have the effect of avoiding browser blocks.
{| class="wikitable"