Security: backdating of certificates under WoSign CA
Reported by
cot...@computest.nl,
Jul 2 2016
|
||||||||||||||||
Issue descriptionFiling this bug at the request of Ryan Sleevi. Re: the discussion at https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/GWSEO-oooGM , here are some details of our research. We investigated the StartEncrypt client and API soon after the tool was launched, out of curiosity. While testing, we used a private domain with numbered subdomains to keep track of our tests. In test number 9 we encountered the backdated cert, see details below. I've attached the backdated certificate to this bug report. We actually have two of these with the same public key, we repeated this test without increasing the number so the other certificate has the same hostname and public key but a different serial and timestamp. The below report is from the tester in question, Thijs Alkemade: While testing the API I found two interesting parameters in the last request (which sends a CSR and receives back a certificate), namely “caID” and “template”. Varying the “caID” gave certificates issued by different intermediates and for a specific template we received this backdated certificate (though sadly we don’t remember the exact value used). Initially these certificates appeared to not be trusted, so I assumed they were test-certificates and didn't investigate them further, only after the disclosure I found that “Certification Authority of WoSign” is cross-signed by StartCom and through that trusted almost everywhere. When we realised that these certificates were trusted we tried to get a new one with cryptographic proof that it was backdated, however, that part of the API appears to have been disabled. If you want we can also send you the certificates we obtained before and after this one (so one for startssl8.s.xnyhps.nl dated 2016-06-23 and one for startssl10.s.xnyhps.nl dated 2016-06-29).
,
Jul 2 2016
,
Jul 3 2016
I don't see a Chrome bug here, though. What am I missing?
,
Jul 3 2016
There is no Chrome bug here; Ryan Sleevi asked me to report these findings here anyway. I'm assuming there is use for this information within the team.
,
Jul 4 2016
Do you need to keep 9.pem confidential, or can I WontFix this bug and make it public?
,
Jul 4 2016
It needs to remain private for now, hence the embargo.
,
Jul 4 2016
Right, awhalley is on it palmer :) Hence the SecurityEmbargo tag.
,
Jul 4 2016
rsleevi: OK. In the future, let's not use the Chrome bug tracker for things that are not Chrome bugs. Changing the labels to get it out of the security triage queue.
,
Jul 4 2016
Chris: In the past, we've encouraged reports of CA misissuance to be securely directed through our bug tracker, especially when it likely requires mitigating steps in the client to protect Chrome users. I don't believe we want to change that policy, but if we do, we can take that discussion offline, but it offers more privacy/security than our security@ alias. This is a security risk to our users, per our bug reporting guidelines, and we want to continue to encourage full disclosure of details privately (under embargo), even when not appropriate to be shared publicly.
,
Jul 4 2016
Ryan, I don't have a strong preference for the way in which we communicate - PGP mail is fine by me as well, although this tracker offers a cleaner history. From my perspective I don't see who has access to the info, but I trust you guys with that. What I'm more interested in is what direction you plan to take this in, can you shed some light on that perhaps?
,
Jul 4 2016
We're now in communication with the CA, who has confirmed that this certificate was issued during the timeframe communicated, which is a serious failing on multiple fronts. As far as what further steps may or will be taken, unfortunately, I can't share that until it's finalized, but this does represent a serious breach of trust on multiple fronts.
,
Jul 6 2016
You mentioned you attempted to obtain StartEncrypt certificates from StartCom - did those also show backdating and/or SHA-1? Would it be possible to request all of the test-certificates you issued so that we can examine if any further violations existed?
,
Jul 7 2016
Attached is a ZIP with all the certs that we saved. No other certs were backdated or were using SHA-1; this was purely with that combination of caID and template. We tried to reproduce shortly after disclosure (when we found out the wosign cert was actually valid by cross-signing and we noticed the backdating), but the API had been changed and we couldn't reproduce it. We increased the number a couple of times without receiving a certificate to ensure no rate limiting was affecting the results. The names starting with "hash-" were our attempts at reproducing the results after the initial disclosure when we realized the backdated certificate was valid. We tried to get cryptographic proof that the certificates are backdated, but the functionality was already disabled then.
,
Jul 7 2016
Thanks! In related news, in response to your disclosure, both StartCom and WoSign have publicly committed to 100% Certificate Transparency - http://www.wosign.com/english/News/2016_wosign_CT.htm and https://www.startssl.com/NewsDetails?date=20160323 - That's tracked in Issue 626338 and Issue 626401 We're still finalizing data gathering about how to best protect Chrome users in response to the SHA-1 issuance.
,
Aug 24 2016
Hi guys, Mozilla has revived the discussion at https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg03665.html We normally don't disclose issues publicly like this, and we're interested to see what effects our disclosure had (positive and negative). Could you update us on what is happening on the Chrome security side?
,
Aug 24 2016
Your disclosure is significantly appreciated. Your findings - which, due to a bug in the Mozilla listserve weren't widely noticed - have raised significant concern for a number of root store operators when they were made aware of it. Yours was not the only report we received about WoSign either, as detailed in Mozilla's report noting people choosing to report, as you have, through here to the Chrome team (and we greatly appreciate it). Unfortunately, for a variety of reasons we can't discuss what we're considering to how to respond to this. I'm going to close this as WontFix not because we're not planning on fixing this in general, but because we don't believe there's further specific steps to take here for this incident, having alerted other root stores and having worked with WoSign to ensure the immediate issue was resolved. The longer discussion - what actions are appropriate to take and how best to protect our users. While WoSign has requested to voluntarily have Certificate Transparency policies enforced for all of their certificates, we're still weighing whether that is the appropriate step for our users and their security, given all things. If you should ever turn your gaze back onto the CA system, please feel free to file as many bugs as reasonable, and we'd greatly appreciate it. We are happy to coordinate disclosure to other affected root programs, as well as coordinate remediation, since there is often a dissonance between what CAs believe is necessary, and what is actually required upon them by root stores. Leaving R-V-SE in place, although if you're comfortable with 9.pem being shared widely, we can remove that, and it'll eventually become public as the bug is auto derestricted.
,
Aug 25 2016
Thanks for the update and for taking the issue as seriously as you have. We're okay with removing the embargo and derestricting the issue.
,
Aug 25 2016
,
Aug 25 2016
,
Nov 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||
Comment 1 by cot...@computest.nl
, Jul 2 2016