by abritishguy on 10/1/16, 1:00 PM with 38 comments
by vtlynch on 10/1/16, 3:06 PM
1. WoSign (who also owns StartCom) violated all sorts of industry standards. The worst of them was circumventing the SHA-1 deprecation by backdating an SSL certificate.
2. Now all the root programs (Mozilla, Apple, Microsoft, and Google) need to decide how they will react to this.
3. Mozilla proposed dis-trusting all new WoSign/StartCom certificates and giving them a chance to re-apply as a trusted CA in a year. This is only their proposed action, and they have not totally committed to it.
4. Apple has now said they will take similar action to Mozilla. Apple will block a specific intermediate certificate: "WoSign CA Free SSL Certificate G2".
But they will continue to "trust individual existing certificates" if they had been published to Certificate Transparency logs by September 19th.
While I have not personally confirmed this, my understanding is that there are other WoSign certificates that are trusted on Apple via cross-signing. So this seems like an incomplete solution - in the sense that some WoSign certificates (mainly the commercial certificates they sell, vs the ones they give away for free) will remain unaffected in any way.
(Someone more familiar with the specifics of the Apple root store may be able to provide more clarity here)
5. Google and Microsoft have not yet committed to any action. Google will certainly make a detailed public announcement when they are ready.
6. Mozilla is meeting with QiHoo (a Chinese tech company which owns a majority stake in WoSign). It is expected that Mozilla will make a final decision following this meeting.
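The policy vtlynch summarises (block one named intermediate, keep trusting existing leaf certificates that were logged to Certificate Transparency by September 19th) and the backdating abuse in point 1 can both be expressed as checks over certificate metadata. The following is an added example written for this page, not code from Apple, Mozilla or WoSign. It uses only the Python standard library, models certificates as a simplified dataclass rather than parsing real X.509, and assumes the CA/Browser Forum's 1 January 2016 SHA-1 issuance deadline, which the thread does not state. The sample chains, including the root and issuer names, are constructed.

```python
"""Model of the Apple-style WoSign response from the thread: block a named
intermediate, but keep trusting leaf certificates logged to CT before a
cutoff, and separately flag SHA-1 certificates that look backdated.
Constructed example; certificate fields are simplified, not parsed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Cutoff named in the thread: leaf must be in CT logs by this date.
CT_CUTOFF = datetime(2016, 9, 19, 23, 59, 59)
# Assumption from the CA/B Forum Baseline Requirements: no new SHA-1 certs
# after this date.  Not stated in the thread.
SHA1_DEADLINE = datetime(2016, 1, 1)
BLOCKED_INTERMEDIATES = {"WoSign CA Free SSL Certificate G2"}


@dataclass
class CertInfo:
    """Simplified view of one X.509 certificate (constructed, not parsed)."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    sig_hash: str                                    # "sha1" or "sha256"
    sct_timestamps: List[datetime] = field(default_factory=list)  # CT SCTs


def earliest_sct(cert: CertInfo) -> Optional[datetime]:
    """Earliest CT log timestamp, i.e. the first time a log saw this cert."""
    return min(cert.sct_timestamps) if cert.sct_timestamps else None


def looks_backdated(cert: CertInfo, deadline: datetime = SHA1_DEADLINE,
                    slack: timedelta = timedelta(days=7)) -> bool:
    """Heuristic for the abuse in the thread: a SHA-1 certificate whose
    notBefore claims to predate the deadline, while the first CT sighting is
    after the deadline and much later than notBefore.  Third-party logging
    of genuinely old certs gives false positives, so a hit means
    'investigate', not 'proven'."""
    if cert.sig_hash.lower() != "sha1" or cert.not_before >= deadline:
        return False
    first_seen = earliest_sct(cert)
    if first_seen is None:
        return False
    return first_seen >= deadline and first_seen - cert.not_before > slack


def evaluate_chain(chain: List[CertInfo],
                   blocked: set = BLOCKED_INTERMEDIATES,
                   cutoff: datetime = CT_CUTOFF) -> Tuple[bool, str]:
    """Apply the rule to a leaf-first chain: chains through a blocked
    intermediate are rejected unless the leaf was logged to CT by the cutoff.
    Returns (trusted, reason)."""
    leaf = chain[0]
    touches_blocked = any(c.subject_cn in blocked or c.issuer_cn in blocked
                          for c in chain)
    if not touches_blocked:
        return True, "chain does not involve a blocked intermediate"
    first_seen = earliest_sct(leaf)
    if first_seen is not None and first_seen <= cutoff:
        return True, "existing certificate logged to CT before the cutoff"
    return False, "issued under a blocked intermediate and not logged by cutoff"


# --- constructed sample data (names other than the blocked CN are made up) --
ROOT_CN = "WoSign Root CA (constructed)"
FREE_G2 = CertInfo("WoSign CA Free SSL Certificate G2", ROOT_CN,
                   datetime(2014, 11, 8), "sha256")
OLD_FREE_CHAIN = [CertInfo("old.example", FREE_G2.subject_cn,
                           datetime(2016, 5, 1), "sha256",
                           [datetime(2016, 5, 1, 10)]), FREE_G2]
NEW_FREE_CHAIN = [CertInfo("new.example", FREE_G2.subject_cn,
                           datetime(2016, 9, 25), "sha256",
                           [datetime(2016, 9, 25, 10)]), FREE_G2]
UNLOGGED_CHAIN = [CertInfo("unlogged.example", FREE_G2.subject_cn,
                           datetime(2016, 3, 1), "sha256"), FREE_G2]
BACKDATED_LEAF = CertInfo("backdated.example", FREE_G2.subject_cn,
                          datetime(2015, 12, 20), "sha1",
                          [datetime(2016, 3, 10)])
BACKDATED_CHAIN = [BACKDATED_LEAF, FREE_G2]
OTHER_CA_CHAIN = [CertInfo("other.example", "Unrelated CA (constructed)",
                           datetime(2016, 9, 25), "sha256")]

if __name__ == "__main__":
    for name, chain in [("old free", OLD_FREE_CHAIN), ("new free", NEW_FREE_CHAIN),
                        ("unlogged", UNLOGGED_CHAIN), ("backdated", BACKDATED_CHAIN),
                        ("other CA", OTHER_CA_CHAIN)]:
        trusted, reason = evaluate_chain(chain)
        flag = " [possible backdating]" if looks_backdated(chain[0]) else ""
        print(f"{name:10} trusted={trusted} ({reason}){flag}")
```

The backdated sample shows why the CT cutoff alone is not a complete remedy: a SHA-1 certificate backdated to 2015 but first logged in March 2016 still passes the "existing certificate logged before September 19th" rule, so the backdating heuristic has to run as a separate check.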
by TazeTSchnitzel on 10/1/16, 4:03 PM
by mrweasel on 10/1/16, 3:22 PM
by l2dy on 10/1/16, 3:05 PM
by byuu on 10/1/16, 6:07 PM
As it's widely reported that WoSign has taken over StartCom's infrastructure, this implies that StartCom StartSSL Free certificates going forward won't be trusted by Apple either, correct?
It also sounds a little strange to only call out the free certificates. Are they going to allow new paid OV/EV (and what they call 'IV') certificates to remain valid?
by oneplane on 10/1/16, 2:59 PM
by fowl2 on 10/2/16, 12:27 AM
by Animats on 10/1/16, 9:53 PM
"The supplier, Qua Tang Electronics, is blacklisted. Find every person associated, every member of the board, every senior officer, and blacklist any company they are associated with as well. With something like this, and the Chinese, there is no overkill. Be wildly unaimed in your fire. Nuke first, ask questions afterward. Make the pain as widespread as possible."