
Sunday, 13 November 2016

Chinese Hacking

Apple and Others Revoke All Security Certificates from Chinese Provider WoSign
dralnux.com

In recent days, several major tech companies have formally disavowed and discontinued use of a Chinese security certificate provider, WoSign.
The abandonments began when Mozilla announced that WoSign was not following industry requirements when issuing its certificates.
The primary concern was that WoSign had back-dated certain certificates so that they appeared to have been issued before 1 January 2016, the date after which certificate authorities were no longer permitted to sign certificates with the deprecated SHA-1 algorithm.
After Mozilla's announcement, Apple quickly said that it too would distrust WoSign certificates.
Not long after, Google followed by announcing that it would also distrust WoSign and a related firm, StartCom, effective immediately.
The result of all this action is that the web will be a slightly safer place.
Improperly issued certificates are no joke: everyone involved must be able to trust that a certificate really identifies the site it claims to.
What is a certificate, though?
Perhaps while browsing websites in Safari on macOS, you've noticed that many sites default to HTTPS instead of HTTP.
You may already know that this means TLS (still widely called SSL) is active, encrypting the data exchanged between your computer and the web server.
However, encryption alone only guarantees that nobody else can read the traffic; it says nothing about who is at the other end, and for that TLS relies on certificates.
Understanding what these are is essential for safe browsing.
Simply enabling TLS does not automatically mean you can trust a website.
That's why sites using encryption turn to third-party Certificate Authorities (CAs), like WoSign, to verify their identity.
The CA's signed statement of that verification, binding the site's domain name to the site's public key, is the certificate.
Essentially, it tells your browser "Yes, this server is who it says it is," so that an attacker positioned between you and the site (a "man in the middle") cannot impersonate it unless they can also obtain a certificate from a CA your browser trusts.
That is exactly why a CA that issues certificates carelessly or deceptively undermines the security of everyone who trusts it.
Apple, Google, Mozilla and others each maintain a root store, the list of CA certificates their software trusts; refusing to accept certificates that chain up to WoSign's roots is what the "distrust" announcements mean in practice.
If you visit a website over HTTPS whose certificate is invalid or does not chain to a root your browser trusts, your browser will usually warn you.

Thursday, 27 October 2016

Mozilla slaps ban on China's WoSign: Firefox drops trust for certs over 'deception'

Mozilla has now set a date for a ban on all new HTTPS certificates from WoSign, just as Google unveils a major expansion of its Certificate Transparency program.
By Liam Tung
Firefox-maker Mozilla will ban newly-issued digital certificates from WoSign and StartCom from January.

Starting in January, any website using a new certificate from Qihoo 360-owned certificate authority (CA) WoSign will have trouble reaching Firefox users.
Firefox-maker Mozilla announced on Tuesday it will ban newly-issued digital certificates from WoSign and StartCom, an Israel-based certificate authority that the Chinese firm recently acquired.
The move follows a damning report published by Mozilla last month accusing WoSign of backdating certificates to circumvent an industry-wide effort to phase out HTTPS certificates signed with the outdated SHA-1 algorithm.
CAs such as WoSign were not supposed to issue SHA-1 signed certificates after January 1, 2016.
WoSign backdated a number of certificates so that they appeared to have been issued in December 2015.
Mozilla last month proposed a one-year ban on newly-issued WoSign certificates but hadn't set a date for its introduction. 
The new commitment to follow through with the ban comes despite last-ditch efforts by Qihoo 360 to avert it.
Mozilla has now opted to distrust WoSign and StartCom certificates generated after October 21. 
The action takes effect in Firefox 51, which is due on January 24, 2017.
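The two rules described above, the SHA-1 issuance deadline that the backdated certificates were designed to dodge and the date-based distrust of certificates chaining to the WoSign and StartCom roots, are both things a relying party can check for itself. The following Go program is an added example written for this page, not code from Mozilla, ZDNet or the dralnux article: using only the standard crypto/x509 package it mints a throwaway root and leaf certificates in memory, builds a chain to a trust store the way a browser does (the certificate check the first article explains), refuses the chain when it ends at a distrusted root and the leaf's notBefore is after 21 October 2016, and separately flags SHA-1 signed certificates whose notBefore is before 1 January 2016 but which were first observed only afterwards. The root names, the hostnames, the generated certificates and the firstSeen observation time are all assumptions made for the example; Firefox's real policy is keyed to Mozilla's actual root certificates, not to a CommonName string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Dates from the article; the root names are placeholders for this example, not the real subjects.
var (
	sha1Deadline    = time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)   // CAs were to stop SHA-1 signing here
	wosignCutoff    = time.Date(2016, 10, 21, 0, 0, 0, 0, time.UTC) // Mozilla distrusts certs issued after this
	distrustedRoots = map[string]bool{"Example WoSign Root": true, "Example StartCom Root": true}
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert: fresh P-256 key and random serial for tmpl, signed by signer, or self-signed when signer is nil.
func mintCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer = key
	}
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newRoot and newLeaf build constructed test data in memory: a self-signed CA and a one-year
// server certificate from it, dated as the caller chooses so that issuance-date rules can be exercised.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mintCert(tmpl, tmpl, nil)
}

func newLeaf(host string, notBefore time.Time, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0),
	}
	leaf, _ := mintCert(tmpl, ca, caKey)
	return leaf
}

// CheckIssuerPolicy builds a chain to a root in the trust store, as a browser does, then rejects
// a chain that ends at a distrusted root unless the leaf was issued before the cutoff.
func CheckIssuerPolicy(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (bool, string) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return false, "chain does not validate: " + err.Error()
	}
	for _, chain := range chains {
		root := chain[len(chain)-1]
		if distrustedRoots[root.Subject.CommonName] && leaf.NotBefore.After(wosignCutoff) {
			return false, fmt.Sprintf("issued %s, after the cutoff, chaining to distrusted root %q", leaf.NotBefore.Format("2006-01-02"), root.Subject.CommonName)
		}
	}
	return true, "trusted"
}

// SuspectSHA1Backdating flags a SHA-1 signed certificate that starts on or after the deadline, or starts
// before it but was first observed only afterwards (firstSeen, e.g. when a CT log recorded it; an assumed
// input). The second case is a lead to investigate, not proof that the notBefore date was forged.
func SuspectSHA1Backdating(cert *x509.Certificate, firstSeen time.Time) (bool, string) {
	if cert.SignatureAlgorithm != x509.SHA1WithRSA && cert.SignatureAlgorithm != x509.ECDSAWithSHA1 {
		return false, "not SHA-1 signed"
	}
	if !cert.NotBefore.Before(sha1Deadline) || firstSeen.After(sha1Deadline) {
		return true, fmt.Sprintf("SHA-1 certificate dated %s, first seen %s: check for backdating", cert.NotBefore.Format("2006-01-02"), firstSeen.Format("2006-01-02"))
	}
	return false, "SHA-1 certificate issued and observed before the deadline"
}

func main() {
	wosign, key := newRoot("Example WoSign Root")
	roots := x509.NewCertPool()
	roots.AddCert(wosign)
	now := time.Date(2017, 1, 24, 0, 0, 0, 0, time.UTC) // Firefox 51 release day
	for _, m := range []time.Month{time.September, time.November} { // one leaf before the cutoff, one after
		fmt.Println(CheckIssuerPolicy(newLeaf("www.example", time.Date(2016, m, 1, 0, 0, 0, 0, time.UTC), wosign, key), roots, now))
	}
	backdated := &x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, NotBefore: time.Date(2015, 12, 20, 0, 0, 0, 0, time.UTC)}
	fmt.Println(SuspectSHA1Backdating(backdated, time.Date(2016, 2, 1, 0, 0, 0, 0, time.UTC)))
}
```

Two things worth noting about the design. The cutoff rule is applied after chain building, not instead of it: a certificate from a root that is not in the store at all fails the ordinary `Verify` step, and the date rule only refines what happens to chains that would otherwise be trusted, which is how a browser can keep older WoSign certificates working while refusing new ones. And current Go releases refuse SHA-1 signatures during chain verification, which is why `SuspectSHA1Backdating` inspects the parsed certificate's fields directly instead of relying on `Verify`; the `firstSeen` timestamp stands in for the external evidence (a CT log entry, a crawl) that is needed because a backdated certificate is, by construction, internally consistent.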
Mozilla's other gripe with WoSign was the certificate authority's persistent denial of its ownership of StartCom.
"The levels of deception demonstrated by representatives of the combined company have led to Mozilla's decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates," Mozilla's security team wrote.
On realizing the severity of Mozilla's threat, Qihoo 360 offered to fire WoSign's CEO Richard Wang, and appoint Qihoo 360 chief security officer Xiaosheng Tan as chairman of StartCom.
WoSign vowed to use the Google-backed system of Certificate Transparency (CT) to log existing and new certificates. 
Google's CT logs offer an independent record against which CAs can be audited and kept in check if one goes rogue or is hacked, as happened to the Dutch CA DigiNotar in 2011.
More recently, Google demanded that all Symantec certificates issued after June 1 support CT after Symantec was caught out issuing bogus certificates for Google domains.
WoSign for its part said it had voluntarily posted all SSL (HTTPS) certificates to Google's CT log server on July 5, 2016.
The company would probably have had to do that anyway in coming months with Google this week announcing a major expansion of its CT program.
Google now expects all publicly-trusted website certificates issued after September 2017 to comply with Chrome's CT policy for them to be trusted by Chrome.
"The use of Certificate Transparency has profoundly altered how browsers, site owners, and relying parties are able to detect and respond to misissuance, and importantly, gives new tools to mitigate the damage caused when a CA no longer complies with community expectations and browser programs," said Ryan Sleevi, a Google software engineer.