A foundational element of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate system is that browser vendors need to trust the certificate authorities that issue certificates.
For China-based CA WoSign, that trust has been lost and, as a result, hundreds of thousands of sites could have trouble in 2017 as Google, Microsoft and Mozilla will not recognize certificates issued by WoSign or its affiliate StartCom.
Security experts eWEEK contacted said the CA’s breach of trust is serious and that they support the browser vendors’ moves to distrust WoSign. Users should also heed warnings from browser vendors regarding untrusted sites.
Reasons for Certificate Revocation
The revocation of trust in WoSign has been debated since at least August 2016, when it was revealed that WoSign issued an SSL/TLS certificate for GitHub without its authorization. Mozilla conducted an extensive investigation of WoSign documenting at least 14 different security issues.
“The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements,” Andrew Whalley from the Google Chrome Security team wrote in a blog post.
Google’s Chrome 56 browser will no longer trust certificates issued by either WoSign or StartCom after Oct. 21, 2016.
“Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further mis-issuance,” Whalley wrote. “As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.”
Mozilla revealed on Oct. 24 that it, too, would not trust WoSign and StartCom certificates issued after Oct. 21. Apple announced that it would no longer trust WoSign and StartCom certificates on Sept. 30.
Thousands of Websites Affected
The impact of the removal of trust in WoSign and StartCom is non-trivial. Security vendor RiskIQ estimates that approximately 762,649 websites use SSL/TLS certificates issued by either WoSign or StartCom.
“I absolutely think that browsers are justified in these actions,” James Pleger, director of threat and security research at RiskIQ, told eWEEK. “This is an egregious breach of trust, and browser vendors must respond severely to it.”
Much of the web, in its current form, is built on this trust, and when companies do not adhere to trust guidelines, swift action needs to be taken, he added.
Tom Kellermann, CEO of Strategic Cyber Ventures, applauds the browser vendors for attempting to civilize cyber-space through this collective action. “I do feel that they are justified as these certificates are being exploited and manipulated by cyber-adversaries for malicious purposes,” Kellermann told eWEEK.
WoSign and StartCom won’t be the first Certificate Authorities to be blocked by the browser vendors. In 2011, Dutch CA DigiNotar was found to have issued fraudulent SSL certificates as well, and was eventually blocked and distrusted by the major browser vendors.
At the time, DigiNotar was found to have issued a fraudulent SSL certificate for Google.com. The wildcard certificate could have enabled an attacker to spoof any HTTPS-secured Google domain. After an investigation, DigiNotar found that an intrusion into its CA infrastructure had resulted in the fraudulent issuance of public key certificates for a number of domains, including Google.com.
“Vendors are correct to block the CA,” Georgia Weidman, founder and CTO of Shevirah, told eWEEK. “The browser vendors dragged their feet on blocking DigiNotar and that allowed the hack to proliferate further and faster than it should have.”
By distrusting WoSign and StartCom, browser users who visit sites that use SSL/TLS certificates issued by the two CAs will get a warning window stating that the site’s certificate isn’t trusted. A user could still choose to click through to the site, as well as to add an exception for a given site.
“Users should be very careful when creating security exceptions if the browser throws a certificate warning,” Scott Petry, CEO and founder of Authentic8, told eWEEK. “If you don’t know what it means, don’t click. The tradeoff may be as simple as no access to the site versus compromised access to the site.”
Petry added that the browser vendors’ response is necessary to signal to the CAs that their practices won’t work. The CAs can choose to fix the underlying practices when issuing certs or be blocked, he said.
Shane Macaulay, director of cloud security at IOActive, said a somewhat more aggressive approach to trust should be adopted by users when it comes to trusting CAs. Every pre-installed top-level trusted CA should be disabled by default, Macaulay said, adding that in such a model, the SSL/TLS libraries in a browser should present a pop-up “permission to use this CA” when you first see the use of a certificate.
“Users should be more aware and selective about the CAs they have enabled,” Macaulay told eWEEK. “But providers don’t make it easy to start with a secure device. For instance, if I disable the majority of CAs and then move to a new phone, they are all enabled again.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.