It’s been a little over a month since our previous update about StartCom and WoSign and the events that started with our StartEncrypt disclosure, so it’s a good time to write about what has happened since then. Additionally, we're announcing Computest Suricat, an online service that helps you become aware of mis-issuances of certificates for your domains. See the bottom of this post for more details.
On September 9th, we gave a talk at the NLNOG meeting about our disclosure of the StartEncrypt vulnerabilities and weaknesses in domain validation in general.
On September 26th, Mozilla published a document with further research, including further proof that WoSign backdated 62 SHA-1 certificates. They even found two StartCom certificates which appear to have been backdated in the same way.
In the conclusion Mozilla proposed to distrust both WoSign and StartCom, starting from a date in the future. To avoid breaking the websites of all current customers of WoSign/StartCom, certificates with a start date before a certain date would still be trusted. They would be allowed to reapply in a year, provided they pass the usual inclusion process and additional auditing done by Mozilla-chosen auditors.
On October 1st, Apple announced that they plan to release a security update which removes trust for certificates from the intermediate “WoSign CA Free SSL Certificate G2”, with a whitelist of certificates which were logged to Certificate Transparency before September 19, 2016. This intermediate only covers the free certificates issued by WoSign. Actions against other intermediates or roots from WoSign or StartCom have not yet been announced, but may happen pending further research. This announcement was surprising, as Apple is usually very quiet about their root program.
On October 4th, representatives of StartCom and Qihoo 360 (the parent company of WoSign) met with Mozilla in London to discuss which steps they are taking to improve. On October 7th, WoSign published that plan. They admit that 64 certificates were backdated and that they had not been honest about buying StartCom. Richard Wang, the CEO who authorized the backdating, will be relieved of his duties. Qihoo wants to split WoSign and StartCom back into two separate companies, hoping to reduce the punishment for StartCom, as many of the issues were only reported for WoSign.
On October 13th, Mozilla announced that they will continue with their proposed actions: in the next release of Firefox, certificates from StartCom or WoSign with a start date after October 21st 2016 will not be trusted. WoSign and StartCom may reapply on June 1st 2017, if they pass additional auditing. StartCom may apply earlier if they can pass the auditing and additionally prove that WoSign has no control over them anymore.
It should be clear that for both the investigation and the actions taken in response, Certificate Transparency has been vital, as it allows anyone to obtain the entire set of certificates issued by WoSign. The goal of Certificate Transparency is to have a number of log servers which keep an append-only log of all certificates submitted to them. The contents are signed by a private key held by the log, in a way which allows others to easily check that no certificates have been deleted or retroactively inserted. The logs can’t check if certificates have been incorrectly issued, as only the domain owner can know that, but because everyone can download the contents from the log servers it becomes possible for domain owners to keep an eye on the certificates for their domains. This improves the security of the system, as it increases the chance that a certificate issued for malicious reasons is detected.
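To make the append-only property concrete, here is an added illustration that is not part of the original post and is not code from any CT log or from Suricat: a minimal RFC 6962-style Merkle tree in Python. Entries are arbitrary byte strings standing in for certificates, the tree head is left unsigned (a real log signs it), and the inclusion and consistency checks follow the verification algorithms from RFC 6962/9162. The point it shows is the one the paragraph makes: given two tree heads, a monitor can verify that the newer log is a strict extension of the older one, and any deletion or rewrite of an earlier entry makes the consistency proof fail.

```python
import hashlib


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over 0x00 || entry (domain-separated from nodes)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over 0x01 || left || right."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly smaller than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries):
    """Merkle Tree Hash of the entries: the root that a (signed) tree head commits to."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(entries, index):
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [tree_head(entries[:k])]


def verify_inclusion(entry, index, size, proof, root):
    """Recompute the root from a leaf and its audit path (RFC 9162 section 2.1.3.2)."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def consistency_proof(entries, old_size):
    """Hashes proving that the first old_size entries are a prefix of the current tree."""
    def subproof(m, d, b):
        if m == len(d):
            return [] if b else [tree_head(d)]
        k = _split(len(d))
        if m <= k:
            return subproof(m, d[:k], b) + [tree_head(d[k:])]
        return subproof(m - k, d[k:], False) + [tree_head(d[:k])]
    return subproof(old_size, entries, True)


def verify_consistency(old_size, new_size, old_root, new_root, proof):
    """Check that new_root extends old_root without deleting or rewriting entries."""
    if old_size == new_size:
        return old_root == new_root and not proof
    if old_size == 0 or old_size > new_size or not proof:
        return False
    path = list(proof)
    if old_size & (old_size - 1) == 0:   # old tree was a full subtree: its root was omitted
        path.insert(0, old_root)
    fn, sn = old_size - 1, new_size - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = node_hash(c, fr)
            sr = node_hash(c, sr)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            sr = node_hash(sr, c)
        fn >>= 1
        sn >>= 1
    return sn == 0 and fr == old_root and sr == new_root


if __name__ == "__main__":
    # Constructed sample entries; in a real log each would be a DER certificate or precert.
    log = [b"cert-%d" % i for i in range(5)]
    old_root, new_root = tree_head(log[:3]), tree_head(log)
    print("honest extension:", verify_consistency(3, 5, old_root, new_root, consistency_proof(log, 3)))
    tampered = [log[0], b"cert-1-rewritten"] + log[2:]      # entry 1 silently replaced
    print("rewritten history:", verify_consistency(3, 5, old_root, tree_head(tampered), consistency_proof(tampered, 3)))
```

A monitor that remembers the last tree head it saw only needs the two sizes, the two roots and the consistency proof to detect a log that rewrote or dropped earlier entries; it never has to re-download the whole log. What the tree cannot tell it is whether any individual entry was issued legitimately, which is why the domain owner still has to inspect the entries themselves.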
Towards solutions: Computest Suricat
We’re proud to announce an online service that helps you monitor abuse of your certificates: Computest Suricat, available at https://suricat.io. If you leave your email address and the domain you'd like to monitor there, we'll send you an email when a certificate for that domain is spotted by our CT scraper. Of course this doesn't prevent abuse and is not watertight (not everything is logged to CT and we don't monitor all CT servers), but it is a good first step. And, it's a free and effortless step for you to take!