Mozilla announced it will remove Chinese certificate authority WoSign from its list of trusted certificate issuers...
for one year following an investigation into "unacceptable" behavior by the CA.
Mozilla detailed 14 different issues arising from WoSign's activities since the start of 2015, including improperly issuing backdated SHA-1 certificates to avoid blocks on using the deprecated algorithm, lack of qualified audits and violations of the CA/Browser Forum industry group's Baseline Requirements. WoSign also apparently purchased another trusted certificate authority, Israel-based StartCom, last year, but violated Mozilla's CA Certificate Maintenance Policy by not disclosing the change in ownership until this month.
"Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Mozilla wrote in the report of its investigation into WoSign. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands."
Craig Young, computer security researcher at Tripwire's Vulnerability and Exposures Research Team, told SearchSecurity that Mozilla made the right call to remove WoSign as a trusted CA. "Mozilla has also outlined multiple ways in which WoSign's domain ownership verification processes have been flawed and these issues were not satisfactorily remediated by the CA," Young said. "This is a tremendously dangerous example because it could in fact lead to real world attacks which subvert the SSL ecosystem. Making sure that only sufficiently authorized individuals are able to obtain trusted certificates for a particular web property is probably the most fundamental responsibility for a CA."
"The certificate system is based on trust, and without it, the system could collapse," Ryan Linn, director of advanced threats and countermeasures and director of security North America at Nuix, a cybersecurity firm based in Sydney, Australia, told SearchSecurity. "The lock icon on the browser indicates that the certificate for a website is trusted and that the issuer of that certificate has done due diligence to make sure that the site is legitimate. While the speculation is that this certificate authority lied about when certificates were created, how do we know we can trust that they are doing other things they say they are?"
"The public key infrastructure used to secure encrypted web traffic is heavily dependent on the expectation that trusted certificate authorities can in fact be trusted," Young said. "Mozilla has lodged some serious accusations against WoSign indicating that they in fact cannot be trusted. Mozilla has released extensive research which indicates that numerous certificates were issued by WoSign in violation of the ban on SHA-1. The use of SHA-1 makes it more likely that an attacker could forge a fake certificate that would still be trusted by browsers."
Although purchasing another trusted certificate authority "is by no means illegal, Mozilla's program requirements say that a change of CA ownership must be disclosed," Mozilla wrote. "In this case, that was not done -- and in fact, the change was directly denied a few months after it happened."
WoSign's lack of forthrightness about its acquisition of StartCom at the end of 2015 became a major issue, as Mozilla reported there was "technical evidence that around a month and a half after the acquisition, StartCom issuances switched to using WoSign's infrastructure -- either the same instance of it, or their own instance." WoSign announced the acquisition in a press release earlier this month.
The Mozilla plan for the sanctions on WoSign and StartCom is to "distrust only newly-issued certificates and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses."
"Most users won't see any impact," Linn said. "Mozilla isn't invalidating all of the CAs certificates either, they are only invalidating newly issued certificates with weak encryption from this one CA. The big impact will be for companies that purchased certificates with backdated 'notBefore' field. Those companies will have to have certificates reissued or else they risk warnings in the browser that their site is not secure."
Mozilla plans to distrust the CAs for a minimum of one year, after which the CAs could be readmitted to the Mozilla trust program if they meet a set of conditions: a "Point-in-Time Readiness Audit" and a full code security audit of their infrastructure, both to be submitted by auditors agreed to by Mozilla; 100% embedded certificate transparency for all issued certificates; and successful completion of the normal process.
The report also noted that since that date is chosen by the issuing CA, it would be possible for WoSign or StartCom to backdate certificates in order to evade the restriction -- something that WoSign had done in the past.
"However, many eyes are on the Web PKI and if such additional backdating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots," the report warned.
Mozilla will also no longer accept audits carried out by WoSign's auditors, Ernst & Young (Hong Kong), because they "failed to detect multiple issues they should have detected."
Yet to be determined is the amount of lead time necessary before Mozilla acts to remove WoSign from its trust program, as well as whether WoSign and StartCom will be allowed to reapply for the program using the same roots.
Find out more about how public key pinning can help reduce lack of trust in certificate authorities.
Learn about how to stop forged certificates from trusted vendors.
Read about what happened when Google, Mozilla and Microsoft revoked unauthorized TLS certificates from a Chinese certificate authority.