Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account

from the oops dept

For many years now, we’ve talked about the many different problems today’s web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority to be trusted and a lot of bad stuff can happen. And it appears we’ve got yet another example.

A message on Mozilla’s security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub… and it worked.

In June 2015, an applicant found a problem with WoSign’s free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.

The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.

They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.

As you can imagine, this should be a cause for quite some concern:

The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.

Mozilla also noted that WoSign never informed it of the earlier misissuance either. This is a pretty big mistake. The Mozilla post also calls out some questionable activity by WoSign in backdating certificates, but this first point is the really troubling one.

I recognize that until a better system is found, certificate authorities issuing certificates is about all we have right now for web security — but, once again, it really seems like we need to be moving to a better solution.

Filed Under: , , , ,
Companies: github, mozilla, wosign

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account”

Subscribe: RSS Leave a comment
13 Comments
Anonymous Coward says:

Commerical CA

Is one of the biggest fucking scams the world over.

Seriously, you can pay assloads of cash for an EV Cert and for fucking nothing more than a few bits of encryption.

The idea that a 3rd party should be default trusted on any computing platform is the same as pulling your fucking pants down every time a rapist walks by. You are just fucking begging to be rapped! Every commercial CA has spies in them, and for very fucking damn good reasons!

pegr (profile) says:

The root problem

The root problem is having others make our trust decisions for us. Roam through the list of trusted CAs from a default Windows install. There are plenty that are highly questionable CAs(e.g. CAs controlled by a state actor, BS CAs, CAs with a history of doing stupid crap, etc.).

This is all in the name of making a “positive user experience”. No, I can’t explain to my grandmother how to choose what certs to trust and what certs not to. It’s a kludge and always has been.

Ninja (profile) says:

There are talks about making this certificate system based on the blockchain system. It’s a generally good idea where every user in the chain has the same ‘authority’ and blocks can be excluded or added upon agreement. You’d need to compromise over 50 something % of the whole chain to actually get enough power to dictate the rules (correct me if I’m wrong).

Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm. I’m not really an expert here so I’m only wondering.

In my opinion based on what I know it could be feasible.

Anonymous Coward says:

Re: Re:

there are already some almost-blockchain-type systems for certificates – the Certificate Transparency logs

https://www.certificate-transparency.org/known-logs

the problem is that some Certificate Authorities have such a HUGE number of certificate issued per month (e.g. LetsEncrypt) that they are banned from publishing new data to the logs.

Mason Wheeler (profile) says:

Re: Re:

Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm.

Nothing to farm? If anything, the incentive is exponentially greater here.

Bitcoin is a fraud-plagued mess of a fringe currency experiment that’s losing more and more prestige with each passing day. But put something of real value on the line, like the security of the fundamental infrastructure of the Internet, and you paint a massive target all over the entire system!

Mike says:

Re: HPKP

The only real solution, is placing the trust to the place your request took it’s first bits: DNS

DNSSEC has a nice feature called DANE, using TLSA records with the hash of your SSL certificate. Browsers can check the integrity of your DNS responses as well as the SSL certificate offered using the same infrastructure!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...