Yikes. If all of that is true, surely Google will permanently ban WoSign from Chrome? And I would hope Mozilla and Microsoft, too, but Google is usually the one to "play tough" with rogue CAs (and I hope they will strive to develop and maintain that reputation).
> Yikes. If all of that is true, surely Google will permanently ban WoSign from Chrome? And I would hope Mozilla and Microsoft, too, but Google is usually the one to "play tough" with rogue CAs (and I hope they will strive to develop and maintain that reputation).
This will most likely happen, because a) the CA is not a western CA and b) it was due to incompetence.
If they had been competent but intentionally and willfully broken the trust of the CA system, assuming they had enough money, they would keep their CA cert. Case in point: TrustWave still has their CA certificate after intentionally selling sub-CAs for the purpose of MITM! But don't worry, they promised they'll never do it again, honest.
WoSign is not in the list of default CAs on the Mac, according to Keychain, so if you are using Chrome on a Mac, since Chrome only uses the system's root certs, you should be safe as long as you don't go add that root cert into Keychain. WoSign is in Firefox, however, so Mozilla needs to do something about this.
You can add code to fail validation if this specific intermediate certificate is in the trust chain, but there's no way to ban intermediate certificates with the X.509 trust model without removing the root from the CA store.
Firefox/Chrome already do some extra validation to ban SHA1 certs issued past a specific date; they'd just need to blacklist the fingerprint of the intermediate CA.
Just FYI, since you only quoted one certificate. Both GitHub certificates were mine, not just the one. I created a second account for the second certificate.
WoSign was also caught red-handed backdating certificates to avoid the SHA1 deprecation.
So you can't trust that information either. As mentioned in a different thread, whitelisting certificates extracted from CT logs is the only really viable choice here.
The problem with this approach is that a CA that's been given the death penalty has little to lose, so they might just start backdating certificates. In fact, backdating SHA-1 certificates is one of the incidents they've now reported.
The only way to do this without the risk of backdated certificates being accepted would be to explicitly whitelist all known certificates that were issued prior to the cut-off date. I'm not sure how practical it is to ship such a large list, though (they've issued > 100k certificates in 2015 IIRC).
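Added example, not part of any comment in this thread and not any browser's code: a sketch of the two policies discussed above, a fingerprint blocklist for one intermediate and a cut-off for a distrusted root, showing why a cut-off based on `notBefore` accepts a backdated certificate while an allowlist of already-known leaves does not. The `Cert` stand-in, the cut-off date and all byte strings are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    der: bytes            # constructed stand-in for the certificate's DER bytes
    not_before: datetime  # asserted by the issuing CA, so it can be backdated

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def evaluate(chain, blocked_intermediates, distrusted_roots, cutoff, allowlist=None):
    """Policy applied after ordinary path validation has already succeeded.
    chain is ordered leaf, intermediates..., root."""
    leaf, *intermediates, root = chain
    if any(c.fingerprint in blocked_intermediates for c in intermediates):
        return "reject: blocked intermediate"
    if root.fingerprint not in distrusted_roots:
        return "accept"
    if allowlist is None:
        # Date cut-off only: relies on a field the distrusted CA writes itself.
        return "accept" if leaf.not_before < cutoff else "reject: issued after cut-off"
    # Allowlist: only leaves already known (e.g. seen in CT logs) before the cut-off.
    return "accept" if leaf.fingerprint in allowlist else "reject: not on allowlist"

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data; no real certificates, dates or fingerprints.
CUTOFF = utc(2016, 10, 1)
ROOT = Cert(b"constructed distrusted root", utc(2009, 1, 1))
INTER = Cert(b"constructed intermediate", utc(2012, 1, 1))
BAD_INTER = Cert(b"constructed blocked intermediate", utc(2014, 1, 1))
OLD_LEAF = Cert(b"leaf logged before the cut-off", utc(2015, 6, 1))
BACKDATED = Cert(b"leaf issued after the cut-off, notBefore backdated", utc(2015, 6, 2))

def demo():
    distrusted, blocked = {ROOT.fingerprint}, {BAD_INTER.fingerprint}
    known = {OLD_LEAF.fingerprint}  # leaves collected before the cut-off
    return {
        "blocked_intermediate": evaluate([OLD_LEAF, BAD_INTER, ROOT], blocked, distrusted, CUTOFF, known),
        "date_only_backdated": evaluate([BACKDATED, INTER, ROOT], blocked, distrusted, CUTOFF),
        "allowlist_backdated": evaluate([BACKDATED, INTER, ROOT], blocked, distrusted, CUTOFF, known),
        "allowlist_old_leaf": evaluate([OLD_LEAF, INTER, ROOT], blocked, distrusted, CUTOFF, known),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```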
But you have to code that in every browser and hope people will be able to patch up. A revocation list from parent certificate company nuking the CA is the intended way to deal with trust breach; it should be supported everywhere, and doesn't require a full redeployment of browsers (and sometimes entire OSes!) across the world.
Most major (non-embedded, I suppose) OSes have some framework for periodically updating the certificate store. It's not necessarily a full redeployment of the OS.
Mac OS and Windows both are capable of receiving new root certs via the OS update process. Apple says it updates certs approximately once per quarter:
I think there is a pretty strong argument for treating a bad CA like a zero-day vulnerability and "fixing" the problem through a security update that un-trusts the cert. However, to date neither Apple nor Microsoft have been especially aggressive in this regard.
Google has taken a somewhat freer hand towards badly-behaved CAs, but they really only control Android: Chrome uses the OS's trust store, rather than its own (as Firefox does). They could presumably change this, and I'm sometimes unsure why they don't, but I guess it has to do with enterprise-environment interoperability. At some point if Chrome were to become the dominant browser, such that they could dictate terms to enterprise customers rather than the other way around (or if web apps really did take over the world to the point where the keystore outside your browser is essentially irrelevant; cf. Chromebooks), maybe they would reconsider this decision...
While Chrome technically does not have the kind of root program that other OS or browser vendors run, they have the ability to revoke trust for specific roots, plus other things, like enforcing CT for specific CAs. Given that there's already a root program that's being run transparently, there's not that big of an incentive to run yet another root program, IMO. Plus, while I'm extremely happy that Mozilla is running their own root program for various reasons, using existing OS APIs for these things seems like the cleanest approach (if you can't trust your OS to make these decisions, you probably have bigger problems and shouldn't run that OS anyway).
> Possible fake cert for Alibaba, the largest commercial site in China https://crt.sh/?id=29884704
> Possible fake cert for Microsoft https://crt.sh/?id=29805555