Re: Incidents involving the CA WoSign

On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > Dear m.d.s.policy, > > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. This email sets out our understanding of

Re: formal reply RE: Incidents involving the CA WoSign

1. All certs are revoked in time, please check our CRL; 2. WoSign logged all SSL cert since July 5th; 3. I know you are Chinese with good English, welcome to join WoSign, we need good talent like you. Regards, Richard > On 31 Aug 2016, at 01:33, Percy wrote: > > We

Re: Incidents involving the CA WoSign

On 30/08/16 18:45, Percy wrote: https://crt.sh is down. Maybe someone can check with comodo to see whether they got DDOSed? Sorry about that. crt.sh is back up now. It wasn't a DDOS attack. Every so often something goes awry with the database replication (between crt.sh's master database

Re: Incidents involving the CA WoSign

https://crt.sh is down. Maybe someone can check with comodo to see whether they got DDOSed? Here are the Google CT for the possibly mis-issued certs mentioned in this thread. It would be a lot harder to take down the Google CT. Possible fake cert for Github

Re: formal reply RE: Incidents involving the CA WoSign

We classified this 33 misissuance certificate into two types: one type is we think this misissuance certificate is obviously not from the domain owner, we revoked this type certificates instantly after we know the misissuance Your statement is contradicted by the fact that the other two

Re: Incidents involving the CA WoSign

On Monday, August 29, 2016 at 12:08:36 PM UTC-4, mar...@marcan.st wrote: > On Monday, August 29, 2016 at 5:41:06 PM UTC+9, Gervase Markham wrote: > > On 29/08/16 05:46, Richard Wang wrote: > > > For incident 1 - mis-issued certificate with un-validated subdomain, > > > total 33 certificates. We

Re: Incidents involving the CA WoSign

If I understand correctly, these 105 certificates are all mis-issued using the incorrect policies of either (0) website control validation with higher port numbers, or (1) parent domain-name verification by demonstrating control of a subdomain. It is unclear why, given the fact that incorrect

Re: Incidents involving the CA WoSign

"Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks" WoSign seems to lack the basic understanding of how a certificate is used in authentication,

Re: Incidents involving the CA WoSign

On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote: > On 29/08/16 09:48, 蓝小灰 wrote: > > Of course I have private key of this certificate > > I have asked 蓝小灰 for cryptographic proof of this. > > Gerv Gerv, I've notified the security team in Alibaba about this possible fake

Re: Incidents involving the CA WoSign

On 29/08/16 09:48, 蓝小灰 wrote: > Of course I have private key of this certificate I have asked 蓝小灰 for cryptographic proof of this. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Incidents involving the CA WoSign

6 4:05 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > The news about possible sanction against WoSign was reported by Solidot > http://www.solidot.org/story?sid=49448 > (the Chinese version of Slashdot). Out of 12 com

Re: Incidents involving the CA WoSign

Not vulnerabilities mentioned in this thread, but a Human-Audit weak process. Detail you can see the reply content i send to Mr.Wang 在 2016年8月27日星期六 UTC+8上午4:24:44，Jonathan Rudenberg： > Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704 > > Can you provide more details

Re: Incidents involving the CA WoSign

OK, revoke all at tomorrow morning since our time is 22:22 now. The cloudapp.net is revoked at the issuance time. Thanks. Regards, Richard > On 29 Aug 2016, at 21:53, Patrick Figel wrote: > > Richard, > > the problem with this approach is that the *subscriber* might not

Re: Incidents involving the CA WoSign

Richard, the problem with this approach is that the *subscriber* might not be authorized to make this decision for the parent domain. To go back to the GitHub case, the "owner" of a github.io subdomain telling you that they are authorized to own a certificate that covers github.io is irrelevant,

Re: Incidents involving the CA WoSign

As I explained, we use same script using API, different parameter point to different API post URL for different CA, no any PKI hosting related. Regards, Richard > On 29 Aug 2016, at 16:25, Gervase Markham wrote: > >> On 24/08/16 17:44, Peter Bowen wrote: >> I think you are

Re: Incidents involving the CA WoSign

Sure, all issued cert is passed the domain control validations. Regards, Richard > On 29 Aug 2016, at 16:30, Gervase Markham wrote: > >> On 25/08/16 04:38, Richard Wang wrote: >> R: NOT this case you think. Due to root inclusion problem, WoSign >> root is cross signed by

Re: Incidents involving the CA WoSign

Yes, we plan to revoke all after getting confirmation from subscriber. We are doing this. Regards, Richard > On 29 Aug 2016, at 16:38, Gervase Markham wrote: > >> On 29/08/16 05:46, Richard Wang wrote: >> For incident 1 - mis-issued certificate with un-validated subdomain,

Re: Incidents involving the CA WoSign

On 26/08/16 06:12, 233sec Team wrote: > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to > alibaba, which are Chinese biggest online shopping websites. > With the fake cert's middle man attack, password

Re: Incidents involving the CA WoSign

On 26/08/16 04:33, Richard Wang wrote: > As I admitted that this discussion gives us a big lesson that we know > when we need to report incident to all browsers. We guarantee we will > do it better. Richard, You have been involved in this (Mozilla) discussion group and in the CAB Forum for

RE: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? R: OK, we will post all 2015 issued SSL certificates to CT log server, but this take time since we

Re: Incidents involving the CA WoSign

I checked our system that this is a standard order in our system that passes the website control validation. We issued more than 300K certificates for worldwide customers including many famous company. For Aliyun, it's our reseller partner, see this news:

Re: Incidents involving the CA WoSign

Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704 Can you provide more details about where this certificate came from? Did you issue it using one of the vulnerabilities discussed in this thread? > On Aug 26, 2016, at 01:12, 233sec Team wrote: > >

Re: Incidents involving the CA WoSign

Wosign's Issue mechanism is high risking for large enterprise. This is one prove: https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to alibaba, which are Chinese biggest online shopping websites. With the fake

RE: Incidents involving the CA WoSign

-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of percyal...@gmail.com Sent: Friday, August 26, 2016 4:05 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign The news about possible sanction against WoSign was reported by Solidot

Re: Incidents involving the CA WoSign

In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all

Re: Incidents involving the CA WoSign

The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security

RE: Incidents involving the CA WoSign

+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Friday, August 26, 2016 8:16 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote: > I'm after the specif

Re: Incidents involving the CA WoSign

On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote: > On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote: > > I'm after the specifics of the changes to WoSign's policies and procedures > > regarding *notification*, not quality control. What were WoSign's previous > >

Re: Incidents involving the CA WoSign

On Thu, Aug 25, 2016 at 07:11:18AM +, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. That doesn't provide any assurance, in the face of misleading notBefore values in certificates. Without strong assurances that whatever failure of systems or

Re: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? > For BR auditor, I think this issue is too technical that fewer auditor can > find out this

RE: Incidents involving the CA WoSign

[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Thursday, August 25, 2016 2:48 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote

Re: Incidents involving the CA WoSign

On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote: > For transparency, WoSign announced full transparency for all SSL > certificate from July 5th that post all issued SSL certificate to Google > log server, browsers can distrust WoSign issued SSL certificate after that > day if no SCT

RE: Incidents involving the CA WoSign

=wosign@lists.mozilla.org] On Behalf Of s...@gmx.ch Sent: Thursday, August 25, 2016 8:18 AM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Of course, adding the affected certs to OneCRL should be done immediately. WoSign also has to be transparent about

RE: Incidents involving the CA WoSign

e Markham <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Also, I think the biggest concern is the mis issuance issues were not reported to Mozilla but were reported to Google. A fai

RE: Incidents involving the CA WoSign

.mozilla.org; Richard Wang <rich...@wosign.com> Subject: RE: Incidents involving the CA WoSign That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obt

RE: Incidents involving the CA WoSign

.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >&g

RE: Incidents involving the CA WoSign

<rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign For the thread's reference, here's the crt.sh link for the misissued GitHub certificate: https://crt.sh/?id=29647048 Valid for 3 years, for github.com<http://github.com>. It's not in OneCRL, CRLset, or Microsoft's

Re: Incidents involving the CA WoSign

Of course, adding the affected certs to OneCRL should be done immediately. WoSign also has to be transparent about all (mis) issued certs in the past and have to provide this info in the future. If they can't, I think we may consider if the current certs that are valid for 3 years should be

Re: Incidents involving the CA WoSign

On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley wrote: > However, the fact a researcher was able to obtain a cert without proper domain > validation is pretty serious. I'd like to hear more details about how this was > accomplished. Ports 8080 and 8443 aren't that

RE: Incidents involving the CA WoSign

zilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obtain a c

RE: Incidents involving the CA WoSign

t;g...@mozilla.org> Cc: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: >

Re: Incidents involving the CA WoSign

Hi Jeremy, On 24/08/16 17:12, Jeremy Rowley wrote: > On incident 0, its unclear whether a cert was actually mis-issued. > Although they used a higher level port, did the researcher > successfully bypass WoSign's domain validation process? Is the only > concern that WoSign permitted higher level

RE: Incidents involving the CA WoSign

Gerv, On incident 0, its unclear whether a cert was actually mis-issued. Although they used a higher level port, did the researcher successfully bypass WoSign's domain validation process? Is the only concern that WoSign permitted higher level ports? On incident 1, I agree this was a bad

<    1   2   3