Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
More research on Issue S
==Issue S: Backdated SHA-1 Certs (January 2016)==
WoSign has issued certificates after January 1st 2016 but backdated the notBefore date to be in December 2015. This has the effect of avoiding the blocks in browsers regarding SHA-1 certs issued after January 1st 2016. The number of certs affected is unknown probably 67, but probably at least 60may be a few more or less.
The three certificates below have notBefore dates in Dec 2015, have signatures over SHA-1 hashes and have embedded SCTs which are dated after January 1, 2016.
These are the only certs for which cryptographic proof of backdating is available. However, other strong circumstantial evidence suggests that backdating is more prevalent.
Firstly, note that around 12th May 2016, WoSign started using a new certificate template for some of their SHA-1 issuances. This has a fixed notAfter date of 2016-12-29T16:00:00Z (i.e. midnight on 29th/30th December, CST). This may have been a (sensible) move to prevent accidentally issuing SHA-1 certs which ran into 2017. We have found 939 SHA-1 certificates with this fixed notAfter date, including the above certs three. Certificates issued using this template almost exclusively have notBefore dates on working days in China, suggesting they are issued by explicit WoSign employee action. All of them have notBefores between Monday and Friday, except for 13 on a Saturday and 66 on a Sunday. Of those 66, 4 have notBefores on 2015-09-06, a Sunday which was, unusually, [https://www.thebeijinger.com/blog/2015/05/13/china-announces-special-three-day-september-holiday-mark-70th-anniversary-end-world a working day in China]. The other 62 all have the same notAfter datenotBefores on 2015-12-20, which is was a Sunday, and not exactly 1 year (or any other standard time period) after a working day in China. This suggests that, for these 62, the notBeforedoes not reflect the actual issuance date. And For these 62, the notBefore date is some time between midnight and midnight on December 20th 2015, China time (+0800). (This pattern fits a system where code adjusted the date, but not the time, prior to issuance.) If we look for other certs matching this pattern, we find a total of 62 certificates in crt.sh and other sources. Here are five more examples: [https://crt.sh/?id=30741722 1], [https://crt.sh/?id=30741724 2], [https://crt.sh/?id=30773614 3], [https://crt.sh/?id=30773616 4], [https://crt.sh/?id=30773644 5].
Secondly, the ID of certificates in WoSign's CT log can be used to show the logging sequence of a set of certificates even if they don't have embedded SCTs, because the IDs are sequential. If you order all certs in WoSign's log by ID, up to [https://crt.sh/?q=6d8665951cf6d8743200393a1085e0f6eb226270cc1f1402507d61faae93256a ID 109149], where the notBefore is on December 31st, the notBefore values are (approximately) chronologically ordered. Those which have embedded SCTs have timestamps which are about 2 hours later than the notBefore date. But after that follow 64 certificates which are all dated on December 20, 2015 (CST, UTC+8). This suggests that these were logged at the actual time of issuance but that time is not reflected in their notBefore date - i.e. they were backdated. And it further suggests that this behaviour only began after December 31st 2015, i.e. it was not a continuation of some previous behaviour.
Thirdly, some certificates which are suspected to be backdated were issued at the same time as SHA-256 certificates for the same domain; the timestamps on the SHA-256 certificates are more likely to be the accurate ones. One example is for congfubao.com, where there is a [https://crt.sh/?id=11900532 SHA-256 cert] with a notBefore of 5th January and an SCT timestamp of 5th January, 17 seconds later than the SCT timestamp in the [https://crt.sh/?id=30773528 backdated SHA-1 cert]. The simplest explanation is that both certs were issued together, on January 5th. Other pairs include for ebank.pcnkbank.com ([https://crt.sh/?id=30773634 SHA-1], [https://crt.sh/?id=15425430 SHA-256]) and mail.gd.gov.cn ([https://crt.sh/?id=12356371 SHA-1], [https://crt.sh/?id=12362293 SHA-256]).
Lastly, of the 62 suspect certs, there are three more certs with embedded SCTs where the gap between the notBefore date and the SCT date is multiple days (i.e. they were backdated, and this is cryptographically provable) but where the SCT date is nevertheless (just) before 1st January 2016, which means the backdating does would not have the effect of avoiding browser blocks.
{| class="wikitable"
