Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account
from the oops dept
For many years now, we’ve talked about the many different problems today’s web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority to be trusted and a lot of bad stuff can happen. And it appears we’ve got yet another example.
A message on Mozilla’s security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub… and it worked.
In June 2015, an applicant found a problem with WoSign’s free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.
The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.
They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.
As you can imagine, this should be a cause for quite some concern:
The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.
Mozilla also noted that WoSign never informed it of the earlier misissuance either. This is a pretty big mistake. The Mozilla post also calls out some questionable activity by WoSign in backdating certificates, but this first point is the really troubling one.
I recognize that until a better system is found, certificate authorities issuing certificates is about all we have right now for web security — but, once again, it really seems like we need to be moving to a better solution.
Filed Under: certificate authority, https, security, ssl, subdomains
Companies: github, mozilla, wosign
Comments on “Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account”
Commerical CA
Is one of the biggest fucking scams the world over.
Seriously, you can pay assloads of cash for an EV Cert and for fucking nothing more than a few bits of encryption.
The idea that a 3rd party should be default trusted on any computing platform is the same as pulling your fucking pants down every time a rapist walks by. You are just fucking begging to be rapped! Every commercial CA has spies in them, and for very fucking damn good reasons!
Wow, what a bunch of gits!
Perfect solution right here.
Trust everyone, everytime. After all people can’t post stuff to the internet that isn’t true.
Re: Perfect solution right here.
I read it on the internet, so it MUST be true.
The root problem
The root problem is having others make our trust decisions for us. Roam through the list of trusted CAs from a default Windows install. There are plenty that are highly questionable CAs(e.g. CAs controlled by a state actor, BS CAs, CAs with a history of doing stupid crap, etc.).
This is all in the name of making a “positive user experience”. No, I can’t explain to my grandmother how to choose what certs to trust and what certs not to. It’s a kludge and always has been.
There are talks about making this certificate system based on the blockchain system. It’s a generally good idea where every user in the chain has the same ‘authority’ and blocks can be excluded or added upon agreement. You’d need to compromise over 50 something % of the whole chain to actually get enough power to dictate the rules (correct me if I’m wrong).
Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm. I’m not really an expert here so I’m only wondering.
In my opinion based on what I know it could be feasible.
Re: Re:
there are already some almost-blockchain-type systems for certificates – the Certificate Transparency logs
https://www.certificate-transparency.org/known-logs
the problem is that some Certificate Authorities have such a HUGE number of certificate issued per month (e.g. LetsEncrypt) that they are banned from publishing new data to the logs.
Re: Re:
Nothing to farm? If anything, the incentive is exponentially greater here.
Bitcoin is a fraud-plagued mess of a fringe currency experiment that’s losing more and more prestige with each passing day. But put something of real value on the line, like the security of the fundamental infrastructure of the Internet, and you paint a massive target all over the entire system!
Re: blockchain based certs
That’s a terrible idea. Certs don’t require community decision making of ownership but that the actual owner gets identified. That is why single party CAs are trusted. It is moving the risk from one party to another. What you are proposing almost guarantees that the risk is exponentially higher.
HPKP is the current solution for this problem.
You can sign your certificates with your own crt and do not need to fully relly on your CA. You always have the last part of the key.
Re: HPKP
The only real solution, is placing the trust to the place your request took it’s first bits: DNS
DNSSEC has a nice feature called DANE, using TLSA records with the hash of your SSL certificate. Browsers can check the integrity of your DNS responses as well as the SSL certificate offered using the same infrastructure!
Re: Re: HPKP
DANE, LOL That was killed off by the powers that be at a certain company. DANE doesn’t exist anymore. I think I would know.
Re: Re:
Exactly this. I can’t believe people are actually blabbering on about fscking blockchain-based approaches, having no idea what they’re talking about, when HPKP is the only real solution we have.