Monday, August 29, 2016

Chinese CA WoSign faces revocation after issuing fake certificates of Github, Microsoft and Alibaba

One of the largest Chinese root certificate authority WoSign issued many fake certificates due to an vulnerability.  WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say, you're able to obtain a certificate by WoSign for, taking control over the entire domain.

In deed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.

Possible fake cert for Github -- confirmed fake

Update: is down after my post. Google's CT log here

Possible fake cert for Alibaba, the largest commercial site in China  -- confirmed fake

Possible fake cert for Microsoft

What's more shocking is WoSign's behavior after the vulnerability was disclosed to them.
WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.

WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanction against WoSign,  WoSign stated that
For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks.   
14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate.
WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"

Let's recall how the attack works. Say, I want to acquire a fake cert issued to Github allows me to control the subdomain I then go to WoSign to demonstrate my control of WoSign then issue me cert for but also, which allows me to attack the entire domain.

WoSign should have revoked certs issued with this vulnerability immediately.  Instead, 14 months after the disclosure, WoSign's responded that, me, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China can be such lack of security knowledge is beyond comprehension.

I originally didn't advocate for a revocation of WoSign in the thread.
The news about possible sanction against WoSign was reported by Solidot (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement. 
In light of WoSign's utter ignorance on security knowledge of CA, I call for revocation of WoSign from all root programs and blacklist all intermediate cert operated by WoSign and corss-signed by StarCom immediately.