On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote:
> Dear m.d.s.policy,
>
> Several incidents have come to our attention involving the CA "WoSign".
> Mozilla is considering what action it should take in response to these
> incidents. This email sets out our understanding of
1. All certs are revoked in time, please check our CRL;
2. WoSign logged all SSL cert since July 5th;
3. I know you are Chinese with good English, welcome to join WoSign, we need
good talent like you.
Regards,
Richard
> On 31 Aug 2016, at 01:33, Percy wrote:
>
> We
On 30/08/16 18:45, Percy wrote:
https://crt.sh is down. Maybe someone can check with comodo to see whether they
got DDOSed?
Sorry about that. crt.sh is back up now.
It wasn't a DDOS attack.
Every so often something goes awry with the database replication
(between crt.sh's master database
https://crt.sh is down. Maybe someone can check with comodo to see whether they
got DDOSed?
Here are the Google CT for the possibly mis-issued certs mentioned in this
thread. It would be a lot harder to take down the Google CT.
Possible fake cert for Github
We classified this 33 misissuance certificate into two types: one type is we
think this misissuance certificate is obviously not from the domain owner, we
revoked this type certificates instantly after we know the misissuance
Your statement is contradicted by the fact that the other two
On Monday, August 29, 2016 at 12:08:36 PM UTC-4, mar...@marcan.st wrote:
> On Monday, August 29, 2016 at 5:41:06 PM UTC+9, Gervase Markham wrote:
> > On 29/08/16 05:46, Richard Wang wrote:
> > > For incident 1 - mis-issued certificate with un-validated subdomain,
> > > total 33 certificates. We
If I understand correctly, these 105 certificates are all mis-issued using the
incorrect policies of either (0) website control validation with higher port
numbers, or (1) parent domain-name verification by demonstrating control of a
subdomain.
It is unclear why, given the fact that incorrect
"Some certificates are revoked after getting report from subscriber, but some
still valid, if any subscriber think it must be revoked and replaced new one,
please contact us in the system, thanks"
WoSign seems to lack the basic understanding of how a certificate is used in
authentication,
On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote:
> On 29/08/16 09:48, 蓝小灰 wrote:
> > Of course I have private key of this certificate
>
> I have asked 蓝小灰 for cryptographic proof of this.
>
> Gerv
Gerv, I've notified the security team in Alibaba about this possible fake
On 29/08/16 09:48, 蓝小灰 wrote:
> Of course I have private key of this certificate
I have asked 蓝小灰 for cryptographic proof of this.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
6 4:05 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> The news about possible sanction against WoSign was reported by Solidot
> http://www.solidot.org/story?sid=49448
> (the Chinese version of Slashdot). Out of 12 com
Not vulnerabilities mentioned in this thread, but a Human-Audit weak process.
Detail you can see the reply content i send to Mr.Wang
在 2016年8月27日星期六 UTC+8上午4:24:44,Jonathan Rudenberg:
> Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704
>
> Can you provide more details
OK, revoke all at tomorrow morning since our time is 22:22 now.
The cloudapp.net is revoked at the issuance time.
Thanks.
Regards,
Richard
> On 29 Aug 2016, at 21:53, Patrick Figel wrote:
>
> Richard,
>
> the problem with this approach is that the *subscriber* might not
Richard,
the problem with this approach is that the *subscriber* might not be
authorized to make this decision for the parent domain. To go back to
the GitHub case, the "owner" of a github.io subdomain telling you that
they are authorized to own a certificate that covers github.io is
irrelevant,
As I explained, we use same script using API, different parameter point to
different API post URL for different CA, no any PKI hosting related.
Regards,
Richard
> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are
Sure, all issued cert is passed the domain control validations.
Regards,
Richard
> On 29 Aug 2016, at 16:30, Gervase Markham wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT this case you think. Due to root inclusion problem, WoSign
>> root is cross signed by
Yes, we plan to revoke all after getting confirmation from subscriber. We are
doing this.
Regards,
Richard
> On 29 Aug 2016, at 16:38, Gervase Markham wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate with un-validated subdomain,
On 26/08/16 06:12, 233sec Team wrote:
> https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
>
> Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to
> alibaba, which are Chinese biggest online shopping websites.
> With the fake cert's middle man attack, password
On 26/08/16 04:33, Richard Wang wrote:
> As I admitted that this discussion gives us a big lesson that we know
> when we need to report incident to all browsers. We guarantee we will
> do it better.
Richard,
You have been involved in this (Mozilla) discussion group and in the CAB
Forum for
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.
Is there any reason not to do that proactively?
R: OK, we will post all 2015 issued SSL certificates to CT log server, but this
take time since we
I checked our system that this is a standard order in our system that passes
the website control validation.
We issued more than 300K certificates for worldwide customers including many
famous company.
For Aliyun, it's our reseller partner, see this news:
Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704
Can you provide more details about where this certificate came from? Did you
issue it using one of the vulnerabilities discussed in this thread?
> On Aug 26, 2016, at 01:12, 233sec Team wrote:
>
>
Wosign's Issue mechanism is high risking for large enterprise.
This is one prove:
https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to alibaba,
which are Chinese biggest online shopping websites.
With the fake
-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of percyal...@gmail.com
Sent: Friday, August 26, 2016 4:05 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
The news about possible sanction against WoSign was reported by Solidot
In most Chinese institutions, most checks and verifications are just formality.
Contracting to the case of CNNIC CA, I'm not advocating for an outright removal
of WoSign (even though I revoked the CA personally). But the incorrect
notBefore date suggests that a mandatory inclusion of CT of all
The news about possible sanction against WoSign was reported by Solidot
http://www.solidot.org/story?sid=49448
(the Chinese version of Slashdot). Out of 12 comments in total (at the time of
writing), 8 of them call for revocation of WoSign, the rest talks about the
general bad security
+richard=wosign@lists.mozilla.org] On
Behalf Of Ryan Sleevi
Sent: Friday, August 26, 2016 8:16 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> I'm after the specif
On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote:
> On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> > I'm after the specifics of the changes to WoSign's policies and procedures
> > regarding *notification*, not quality control. What were WoSign's previous
> >
On Thu, Aug 25, 2016 at 07:11:18AM +, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.
That doesn't provide any assurance, in the face of misleading notBefore
values in certificates. Without strong assurances that whatever failure of
systems or
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.
Is there any reason not to do that proactively?
> For BR auditor, I think this issue is too technical that fewer auditor can
> find out this
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Matt Palmer
Sent: Thursday, August 25, 2016 2:48 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote
On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote:
> For transparency, WoSign announced full transparency for all SSL
> certificate from July 5th that post all issued SSL certificate to Google
> log server, browsers can distrust WoSign issued SSL certificate after that
> day if no SCT
=wosign@lists.mozilla.org] On
Behalf Of s...@gmx.ch
Sent: Thursday, August 25, 2016 8:18 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about
e Markham <g...@mozilla.org>
Cc: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Also, I think the biggest concern is the mis issuance issues were not reported
to Mozilla but were reported to Google. A fai
.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: RE: Incidents involving the CA WoSign
That's true. I think WoSign should chime in and provide clarity about what
happened. There's far too many innocent explanations to start crying foul.
However, the fact a researcher was able to obt
.mozilla.org; Richard Wang <rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 24/08/16 17:12, Jeremy Rowley wrote:
>> On incident 2, it sounds like they are both using the same
>&g
<rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
For the thread's reference, here's the crt.sh link for the misissued GitHub
certificate:
https://crt.sh/?id=29647048
Valid for 3 years, for github.com<http://github.com>. It's not in OneCRL,
CRLset, or Microsoft's
Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about all (mis) issued certs in the
past and have to provide this info in the future.
If they can't, I think we may consider if the current certs that are
valid for 3 years should be
On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley
wrote:
> However, the fact a researcher was able to obtain a cert without proper domain
> validation is pretty serious. I'd like to hear more details about how this was
> accomplished. Ports 8080 and 8443 aren't that
zilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
That's true. I think WoSign should chime in and provide clarity about what
happened. There's far too many innocent explanations to start crying foul.
However, the fact a researcher was able to obtain a c
t;g...@mozilla.org>
Cc: Jeremy Rowley <jeremy.row...@digicert.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote:
>
Hi Jeremy,
On 24/08/16 17:12, Jeremy Rowley wrote:
> On incident 0, its unclear whether a cert was actually mis-issued.
> Although they used a higher level port, did the researcher
> successfully bypass WoSign's domain validation process? Is the only
> concern that WoSign permitted higher level
Gerv,
On incident 0, its unclear whether a cert was actually mis-issued. Although
they used a higher level port, did the researcher successfully bypass WoSign's
domain validation process? Is the only concern that WoSign permitted higher
level ports?
On incident 1, I agree this was a bad
201 - 243 of 243 matches
Mail list logo