Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account

from the oops dept

For many years now, we've talked about the many different problems today's web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority to be trusted and a lot of bad stuff can happen. And it appears we've got yet another example.

A message on Mozilla's security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub... and it worked.
In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.

The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.

They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.
As you can imagine, this should be a cause for quite some concern:
The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.
Mozilla also noted that WoSign never informed it of the earlier misissuance either. This is a pretty big mistake. The Mozilla post also calls out some questionable activity by WoSign in backdating certificates, but this first point is the really troubling one.

I recognize that until a better system is found, certificate authorities issuing certificates is about all we have right now for web security -- but, once again, it really seems like we need to be moving to a better solution.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 26 Aug 2016 @ 6:38am

    Commerical CA

    Is one of the biggest fucking scams the world over.

    Seriously, you can pay assloads of cash for an EV Cert and for fucking nothing more than a few bits of encryption.

    The idea that a 3rd party should be default trusted on any computing platform is the same as pulling your fucking pants down every time a rapist walks by. You are just fucking begging to be rapped! Every commercial CA has spies in them, and for very fucking damn good reasons!

    reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 26 Aug 2016 @ 7:12am

    Wow, what a bunch of gits!

    reply to this | link to this | view in chronology ]

  • identicon
    bob, 26 Aug 2016 @ 7:45am

    Perfect solution right here.

    Trust everyone, everytime. After all people can't post stuff to the internet that isn't true.

    reply to this | link to this | view in chronology ]

  • identicon
    pegr, 26 Aug 2016 @ 8:00am

    The root problem

    The root problem is having others make our trust decisions for us. Roam through the list of trusted CAs from a default Windows install. There are plenty that are highly questionable CAs(e.g. CAs controlled by a state actor, BS CAs, CAs with a history of doing stupid crap, etc.).

    This is all in the name of making a "positive user experience". No, I can't explain to my grandmother how to choose what certs to trust and what certs not to. It's a kludge and always has been.

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 26 Aug 2016 @ 8:25am

    There are talks about making this certificate system based on the blockchain system. It's a generally good idea where every user in the chain has the same 'authority' and blocks can be excluded or added upon agreement. You'd need to compromise over 50 something % of the whole chain to actually get enough power to dictate the rules (correct me if I'm wrong).

    Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm. I'm not really an expert here so I'm only wondering.

    In my opinion based on what I know it could be feasible.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Aug 2016 @ 9:25am

      Re:

      there are already some almost-blockchain-type systems for certificates - the Certificate Transparency logs

      https://www.certificate-transparency.org/known-logs

      the problem is that some Certificate Authorities have such a HUGE number of certificate issued per month (e.g. LetsEncrypt) that they are banned from publishing new data to the logs.

      reply to this | link to this | view in chronology ]

    • icon
      Mason Wheeler (profile), 26 Aug 2016 @ 11:01am

      Re:

      Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm.

      Nothing to farm? If anything, the incentive is exponentially greater here.

      Bitcoin is a fraud-plagued mess of a fringe currency experiment that's losing more and more prestige with each passing day. But put something of real value on the line, like the security of the fundamental infrastructure of the Internet, and you paint a massive target all over the entire system!

      reply to this | link to this | view in chronology ]

    • identicon
      Kollawa, 27 Aug 2016 @ 2:28pm

      Re: blockchain based certs

      That's a terrible idea. Certs don't require community decision making of ownership but that the actual owner gets identified. That is why single party CAs are trusted. It is moving the risk from one party to another. What you are proposing almost guarantees that the risk is exponentially higher.

      reply to this | link to this | view in chronology ]

  • identicon
    Rodrigo Fernandes, 27 Aug 2016 @ 3:12pm

    HPKP is the current solution for this problem.
    You can sign your certificates with your own crt and do not need to fully relly on your CA. You always have the last part of the key.

    reply to this | link to this | view in chronology ]

    • identicon
      Mike, 30 Aug 2016 @ 7:47am

      Re: HPKP

      The only real solution, is placing the trust to the place your request took it's first bits: DNS

      DNSSEC has a nice feature called DANE, using TLSA records with the hash of your SSL certificate. Browsers can check the integrity of your DNS responses as well as the SSL certificate offered using the same infrastructure!

      reply to this | link to this | view in chronology ]

      • identicon
        Ricky, 30 Aug 2016 @ 10:30pm

        Re: Re: HPKP

        DANE, LOL That was killed off by the powers that be at a certain company. DANE doesn't exist anymore. I think I would know.

        reply to this | link to this | view in chronology ]

    • identicon
      inde, 4 Sep 2016 @ 8:55pm

      Re:

      Exactly this. I can't believe people are actually blabbering on about fscking blockchain-based approaches, having no idea what they're talking about, when HPKP is the only real solution we have.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.