Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
Update with some Mozilla conclusions
</i></blockquote>
This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. ===Further Commentsand Conclusion=== WoSign say that they were aware that they were doing this, and that the cause was a delay in implementing the changes from CAB Forum ballot 118. Ballot 118 was passed on 16th October 2014, but WoSign were unable to update their systems until March 5th 2015, nearly five months later. This seems like a surprisingly long delay for a relatively simple change, given how quickly WoSign have been able to update their systems in other cases.
==Issue F: Certs Identical Except For NotBefore (Mar 2015)==
===WoSign Response===
This issue has been raised is covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. They explain that there are 16 examples, and it happens when their Certificate Management System loses contact with WoSigna signing server during a transaction, and so tries the other one, but both signing servers issue a certificate. One was sent to the subscriber, and the other was stored in their records, and we await then logged to CT when they logged all their responsecerts. WoSign has since updated their system to use better locking. ===Further Comments and Conclusions=== Issuing two different certs with the same serial number is a violation of the RFC, but the impact of this bug is minimal.
==Issue H: Duplicate Serial Numbers (Apr 2015)==
We understand that remediation action was taken by WoSign to revoke those certificates in a timely manner. Incident investigation with root cause analysis was conducted and relevant result was documented in relevant incident report. Follow up action was also conducted to prevent the recurrence of the incident.
</i></blockquote>
This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. They explain that there were two bugs which led to the same result - one involving a system which did not understand serial numbers with leading zeroes, and the other a race condition.
===Further Comments===
This last auditor statement ("follow up action was also conducted to prevent the recurrence of the incident") is relevant given later issues involving duplicate serial numbers.
It's not clear how "a system bug with the serial number generation, generating a serial number starting with “0” in the first left position" combined with "the signing system had a bug that didn’t know how to deal with this kind of serial number" could lead to duplicate serial numbers. Further clarification has been requested on this point.
This incident is unfortunate and an RFC violation, but it was detected fairly promptly (albeit not by WoSign themselves) and fixed.
==Issue J: Various BR Violations (Apr 2015)==
WoSign resolved this promptly at the time by a mix of changes to practice and changes to [https://www.wosign.com/policy/wosign-policy-1-2-11.pdf their CPS] (new versions 1.2.10 and 1.2.11).
This issue was included in Google's report to Mozilla in August 2016 but not listed in the original public discussion. It has come up This issue is covered in the ensuing discussion in mWoSign's [https://www.dwosign.scom/report/WoSign_Incident_Final_Report_09162016.policy but no additional formal response has been made. It is possible that WoSign's upcoming pdf final incident report will cover this].
===Further Comments===
As Mozilla was not aware of this issue at the time, we were unable to make a judgement on whether these issues rose to an appropriate level of severity to require this response.
There is also the question of whether Mozilla wishes to continue to accept audits from an auditor who misses CPS violations covering such a large proportion of the certificate corpus.
==Issue L: Any Port (Jan - Apr 2015)==
2016-09-04: [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf Official issue report].
This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. ===Further Commentsand Conclusions===
It is the responsibility of the CA to disclose issues to its auditors, not for the auditor to discover them. WoSign was aware of this, because some of the issues in this document were disclosed to auditors and included in their report.
The completeness of WoSign's list of 72 certificates was called into question by a discussion participant who testified that [https://crt.sh/?id=30335331 his certificate] was validated using port 8080 but does not appear in WoSign's list. In response, Richard [https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/LVnZBHOGDgAJ said] that in fact their system did not directly record the port used for validation, and so he could not guarantee that the list was complete. However, the final incident report still gives the impression that WoSign was able to generate a complete list. WoSign has since stopped doing website validation; if they had continued, better logging of the process would have been necessary. The logs they were keeping while using this process were clearly inadequate.
==Issue N: Additional Domain Errors (June 2015)==
2016-09-04: [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf Official issue report]. The report explains the two bugs, N1 and N2. WoSign classifies the misissuances as 21 N1 and 12 N2.
This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report].
====Bug N1====
Looking at their list of misissued domains in the report, this really does mean "any domain". For example, a cert where the owner validated "netwi.ru" was able to add "mx.idisk.su", an entirely different domain, without validating it. This effectively bypasses domain validation for any attacker who owns a domain of their own.
===Further Commentsand Conclusions===
* An arbitrary unvalidated ownership domain misissuance bug is an extremely serious flaw. It is not clear whether , particularly if it was possible to do this 's available in the standard a normal workflow or if it required hacking form parameters. Given the number of misissued certs, the former seems more likely.
* The report seems to suggest an "issue first, ask questions later" approach whereby a cert is issued to the subscriber even if it is flagged as questionable, and the remediation mechanism is revocation rather than lack of issuance. Furthermore, their validation team works 9-5, so an applicant could have many hours to abuse a misissued certificate before it was discovered.
* The certificate involved here were all clearly misissued; even if the person could have proved control of the parent domain, they did not do so during the process. Therefore, failure to revoke these certificates immediately (as WoSign argued it didn't need to during the public discussion) constitutes a further BR violation, as per Section 4.9.1.1 of the [https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.8.pdf BRs], in particular, item 4 and item 9.
WoSign has since stopped doing website control validation entirely. However, that does not decrease the seriousness of the bug/feature. It also raises the question of how such a feature could make it through review, testing and QA.
==Issue P: Use of SM2 Algorithm (Nov 2015)==
Richard Wang: "This is another case that we will include it in our report. We issued two test cert using SM2 algorithm that used the same serial number as the RSA cert (same subject) to test if we can setup a gateway that install this two type cert, it can shake hand automatically using different cert based on the browser algorithm support." (Unable to find this message in the groups.google.com archive.)
This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report].
===Further Comments===
There are plenty of ways of testing this scenario without using public roots- and, in fact, WoSign has updated their systems to avoid issuing test certificates from public roots in future. We note that Symantec was penalised in late 2015 for issuing non-BR-compliant test certificates in their publicly-trusted certificate hierarchies. Their problems were first revealed in September, and one big discussion of these problems happened in m.d.s.policy starting on 13th October 2015. All of these dates are prior to WoSign's test certificate misissuances.
==Issue R: Purchase of StartCom (Nov 2015)==
Richard Wang [https://groups.google.com/d/msg/mozilla.dev.security.policy/0pqpLJ_lCJQ/7lyHB15LDwAJ writes]: "An announcement and disclosure will be made shortly pending completion of the business transaction. We can provide the proof documents to Mozilla to show this transaction is not finished if Mozilla think it is necessary."
On 2016-09-19, WoSign issued a [https://www.wosign.com/english/News/WoSign_completed_equity_investment_to_StartCom_CA.htm press release] saying that they have "made an equity investment" in StartCom CA.
===Further Comments and Conclusion===
Mozilla has confirmed with a Hebrew-speaking lawyer that, as far as the Israeli company authorities are concerned, the transaction which completed the chain to give WoSign 100% ownership of StartCom completed on November 1st 2015. We maintain that this is the date at which the ownership change should have been disclosed to Mozilla.
In addition, WoSign's press release about their "equity investment" seems to be economical with the truth; WoSign owns 100% of StartCom. The statement that "WoSign and StartCom [are] two companies operate[d] and managed independently" is hard to square with the fact that the same person is sole director of StartCom and CEO of WoSign. Also, there is technical evidence that StartCom are now using a large part of WoSign's issuance infrastructure.
==Issue S: Backdated SHA-1 Certs (January 2016)==
===WoSign Response===
This issue has been raised with is covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. Of the 64 certificates they consider, WoSign attribute 6 to a dual-issuance bug, 9 they say are not problematic because they were issued on December 31st 2015, 2 are the mis-issued certs relating to Issue V, and the other 47 are "normal SHA-1 orders". ===Further Comments and Conclusion=== Mozilla is seeking further information on the details in WoSign's report and we await their responsewill make further comment at a later date.
==Issue T: alicdn.com Misissuance (June 2016)==
A certificate has been issued in June 2016 to alicdn.com which, it is claimed, was not requested by the owner of that domain. However, it has not yet been possible to confirm that this cert has been misissued because the owner of the private key has not been located. The domains in question currently use certificates from Symantec.
* [https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e Cert on Github Gist]
===WoSign Response===
This issue has been raised with is covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report]. WoSign, who are investigating assert that they completed the issue with Alibaba (owner domain control checks correctly. ===Further Comments and Conclusion=== The owners of the alicdn.com have confirmed directly to Mozilla that this incident was caused by an attacker being able to control content on their domain in question). This issuance used We would have some concerns with how WoSign's systems validated website control validation. However, which they no longer support this method. This "misissuance" was possible only because alicdn.com was, for some period of time, controlled by an attacker. Therefore, no blame can be attributed to WoSign has since stopped doing. We await their fuller responsefor the misissuance itself.
==Issue V: StartEncrypt (July 2016)==
===WoSign Response===
2016-09-04: [https://www.wosign.com/report/wosign_incidents_report_09042016.pdf Official issue report]. This issue is also covered in WoSign's [https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf final incident report].
===Further Comments===
* This issue does not paint a picture of careful software development practices and quality assurance - having unused code around capable of issuing BR-violating certificates does not seem like responsible practice.
* WoSign assert that the fact that the cert was SHA-1 was a "SHA-1 parameter request" - i.e. the SHA-1-ness was caused by the requester. However, as we understand it, the request was the same as a request which produced a SHA-256 certificate from StartCom, except for the change of the API parameter. Therefore, the SHA-1-ness was WoSign's responsibility, not part of the request.
* The question of why StartCom was able to trigger certificate-issuance code which WoSign has stopped developing and maintaining is also still open.
==Cross Signing==
It is important background information to know which WoSign roots are cross-signed by other trusted or previously-trusted roots. The following unexpired and unrevoked cross-signatures are currently known:
{| class="wikitable"
!Target
