Mozilla to China's WoSign: We'll kill Firefox trust in you after mis-issued GitHub certs

Mozilla has proposed to stop trusting new digital certificates from Chinese certificate authority WoSign for one year.

firefox-tor.jpg

Mozilla's proposed ban on WoSign/StartCom newly-issued certificates is for a one-year period.

Image: ZDNet/Mozilla

Firefox maker Mozilla plans to distrust new digital certificates from WoSign, the Chinese certificate authority (CA) that issued bogus HTTPS certificates for GitHub.

Mozilla has also proposed ousting Israel-based CA StartCom, which WoSign acquired in November 2015 but of which it has, for some reason, denied ownership.

"Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA. Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands," Mozilla said in a report published on Monday.

The proposed ban on both CAs' newly-issued certificates is for a one-year period. After that they must reapply to join Mozilla's trust program. Mozilla has also denied WoSign's request for it maintain trusted for newly-issued certificates in China.

To minimize impact on web users, Mozilla will continue trusting existing certificates since "both of these CA brands have substantial outstanding certificate corpuses".

Mozilla's investigation followed a controversy over WoSign mis-issuing a certificate for a subdomain of the hugely popular code repository GitHub.

That act is considered a major security risk because an attacker could have used that certificate to impersonate GitHub's website and spy on users' communications. This failure occurred after Dutch CA DigiNotar was breached, resulting in bogus certificates for Google domains that were used to eavesdrop on Iranian citizens.

However, Mozilla's report focuses on WoSign "intentionally back-dating certificates to avoid blocks on SHA-1 issuance in browsers, having qualified audits and/or being caught violating the CAB Forum Baseline Requirements".

Back-dating certificates would undermine one of the key measures browser makers have for ensuring trust on the internet. All browser makers have agreed to deprecate certificates signed with the SHA-1 hash algorithm and move to the stronger SHA-256.

SHA-1 is considered vulnerable to cryptographic collisions that would allow an attacker to forge a signature.

Microsoft stopped using the address bar lock icon for these SHA-1 signed certificates in Edge and Internet Explorer with the recent Windows 10 Anniversary Update. In February next year Microsoft will be blocking these certificates in both browsers.

CAs were also supposed to have stopped issuing new SHA-1 certificates from January 1, 2016, but Mozilla said it discovered 62 WoSign SHA-1 certificates that were back-dated to appear as if they were issued in December 2015.

The other reason for distrusting WoSign is because it allegedly breached Mozilla's requirement that a change in ownership of a CA needs to be disclosed. Mozilla says that WoSign "directly denied" the change shortly after the acquisition, said to have occurred on November 1, 2015.

WoSign recently described its relationship with StartCom as a "100 percent equity investment" in StartCom, suggesting the two companies operate independently. However, Mozilla said it found evidence that shortly after the acquisition, "StartCom issuances switched to using WoSign's infrastructure".

If Mozilla follows through with the proposal, WoSign will need to undergo a security audit of its issuing infrastructure from an auditor selected by Mozilla. It will also need to implement Google's Certificate Transparency framework.

Mozilla said it will no longer accept audits from WoSign's auditor, the Hong Kong unit of Ernst & Young, which it said had failed to detect multiple issues.

MORE ON MOZILLA AND BROWSERS

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All