Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account
from the oops dept
For many years now, we’ve talked about the many different problems today’s web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority to be trusted and a lot of bad stuff can happen. And it appears we’ve got yet another example.
A message on Mozilla’s security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub… and it worked.
In June 2015, an applicant found a problem with WoSign’s free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.
The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.
They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.
As you can imagine, this should be a cause for quite some concern:
The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.
Mozilla also noted that WoSign never informed it of the earlier misissuance either. This is a pretty big mistake. The Mozilla post also calls out some questionable activity by WoSign in backdating certificates, but this first point is the really troubling one.
I recognize that until a better system is found, certificate authorities issuing certificates is about all we have right now for web security — but, once again, it really seems like we need to be moving to a better solution.