Monday, August 29, 2016

Chinese CA WoSign faces revocation after issuing fake certificates of Github, Microsoft and Alibaba

One of the largest Chinese root certificate authority WoSign issued many fake certificates due to an vulnerability.  WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.

In deed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.

Possible fake cert for Github -- confirmed fake
https://crt.sh/?id=29647048
https://crt.sh/?id=29805567

Update: crt.sh is down after my post. Google's CT log here  https://www.google.com/transparencyreport/https/ct/#domain=github.io&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D


Possible fake cert for Alibaba, the largest commercial site in China  -- confirmed fake
https://crt.sh/?id=29884704

https://www.google.com/transparencyreport/https/ct/#domain=alicdn.com&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D

Possible fake cert for Microsoft
https://crt.sh/?id=29805555

https://www.google.com/transparencyreport/https/ct/#domain=cloudapp.net&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D

What's more shocking is WoSign's behavior after the vulnerability was disclosed to them.
WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.

WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanction against WoSign,  WoSign stated that
For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in crt.sh, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks.   
14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate.
WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"

Let's recall how the attack works. Say, I want to acquire a fake cert issued to Github.io. Github allows me to control the subdomain percy.github.io. I then go to WoSign to demonstrate my control of percy.github.io. WoSign then issue me cert for percy.github.io but also github.io, which allows me to attack the entire github.io domain.

WoSign should have revoked certs issued with this vulnerability immediately.  Instead, 14 months after the disclosure, WoSign's responded that, me, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China can be such lack of security knowledge is beyond comprehension.

I originally didn't advocate for a revocation of WoSign in the thread.
The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement. 
In light of WoSign's utter ignorance on security knowledge of CA, I call for revocation of WoSign from all root programs and blacklist all intermediate cert operated by WoSign and corss-signed by StarCom immediately.

9 comments:

  1. Both of those github certificates were definitely fake/mis-issued. They were both issued to me after I found the vulnerability. I created a pseudonym account for more testing and to post semi-anonymously on stack exchange (requesting advice on how to report the vulnerability).

    ReplyDelete
    Replies
    1. Is it possible for you to have cryptographic proof of this? For example, sign this message with the private key of the certificate respectively?

      Delete
    2. I tried several times to reply and post, but it keeps deleting my comment.

      Delete
    3. Sorry. It's marked as spam by Google. I've recovered it now

      Delete
  2. This comment has been removed by the author.

    ReplyDelete
  3. I can sign with the schrauger.github.com one, but I don't have the private key to the motorstoiclathe.github.io one anymore. But they were created on the same day, and I control the user account motorstoiclathe at stack exchange (also created that day), and that phrase was a randomly generated 3-word Diceware phrase not found anywhere else, so it should be sufficient to prove that control of one is control of all.

    Here is a message, signed by my github key.

    "
    I, Stephen Schrauger, do hereby declare that I control the private key for the mis-issued certificate listed at 'https://crt.sh/?id=29647048'.
    "

    And here is the signature, created with the private key using `openssl dgst -sha256 ...` then converted to base64.

    "
    SXY0ZKYbIBccjSLPieD2b6NvDWS4iMiwiYcfkg+Y5ZuVfy1xZgBhTGLkRQBIPRpMdfOFmEdp4Z20
    Rm2nUrKKgO8bbwm1Blfdoh2ey+cwh9d5vFcYyK6rXZaHtwPBrxLmTyoNIMnTNrL3Jwn8xV1IcST3
    nuqt6H56xcQtNfOxScYdE4L33CQe/G5CxnVb3zwxJUFH35iXkHkf3hBdHZnBJg7HmLeXGpfsJGlO
    TMEPJb71yIce/W3JgxxwsgaB153avP0O4D8tPEu5vzJFXt60O9+AxyRMQJdNo02L8cWINUlAQM/I
    1S6zDrTXf2yj4zEKSnHR+lzo+5xWyZVgqo0vHw==
    "

    Of course, this only proves that this current commenter is the owner, not the grandparent of this comment, since I'm replying using my name and website with no verification. But I also declare that was my comment claiming that both certificates were mis-issued. Just be careful of future comments.

    In fact, the site owner could have messed with any part outside of my signed message. Don't trust him! He's likely to make you look silly by editing your comment to end it with your tongue sticking out! :-P

    ReplyDelete
  4. I do use this CA for some personal sub-domains.
    This is shocking. I'm a developer myself and can say that to leave such a bug in issuing system of CA trusted by all major browsers (read: mission critical !) is outright inexcusable.
    In the past, CAs had their root certs revoked because they were hacked (eg. DigiNotar). For WoSign, you don't even need to hack the CA to get fake certs !
    And what's worse, they don't even bother to revoke the fake certs they've issued !
    This CA should be revoked immediately or at the very least limited to chinese domains only.

    ReplyDelete
  5. There is a lot to learn about verbatim transcription. For starters, you will be pleased to note that with this kind of transcribing service, every single utterance that is made in the audio file will be transcribed. See more Verbatim Transcription

    ReplyDelete
  6. Our native-speaking Chinese translators can work at the level of English that our customers require so you can be sure you'll get the best quality Chinese translation from us. Mandarin linguists

    ReplyDelete