So, can I ask an awkward question? Realistically speaking, is there any chance that a large CA would ever actually be removed from Mozilla's store, no matter how severe their malfeasance?
I started wondering this after they declined to remove StartSSL after the Heartbleed fiasco, and while I sort of understood the reasoning there in isolation, between that incident and this long list of WoSign violations, I'm really getting the sense that CA's are "too big to fail" and that the downsides of suddenly breaking huge parts of the internet on unsuspecting users mean that the threat of removing badly-behaving CA's is an empty one. What would a CA have to do to actually be removed, especially if they were to sign really huge sites?
Now that Certificate Transparency exists, it's possible to take two actions that are almost as serious as removing a CA from the store, but do not break existing websites:
1. Ask for a list of all issued certificates, get signed certificate timestamps (SCTs) for all of them, and require that all certs issued by the CA have working CT. This essentially prevents all further misissuance (or, at least, makes it very public).
2. If the CA is so bad at life that it doesn't know what certificates have been issued, require CT for all new certificates (trusting the self-stated signature date on the certificate), and have a sword hanging over their head if any evidence arises that the CA has backdated any certificates.
Chrome did #2 for Symantec, and then (I believe) moved to #1, and Symantec is definitely a too-big-to-fail CA.
It's slightly better because at that point presumably you've failed auditing standards for many browsers, not just one. We're talking about "you tried to deliberately compromise security and get away with it by deliberately lying to take advantage of the loophole we'd provided you." With proof of that level of malfeasance, especially if it's widespread for new certs, it is plausible that Chrome and Firefox will both remove your certs, with Edge or Safari possibly coming up quickly behind. Presumably all of this would be "we are publicly announcing that we are dropping this CA in a month" to allow graceful switching...
A month's notice to allow for 'graceful switching' of CAs is overly optimistic.
We have some certificates that we have to start the renewal process 2-3 months out, because we have a lot of alternate names of domains we don't (directly) control (white-labelled service).
Thankfully we don't use WoSign for any of our certificates, but if it were say Symantec or someone else that got into trouble? Thirty days isn't enough time.
A thirty day notice that nothing issued after the date, and a 6 month migration period would be more like a graceful exit period. Still a stressful period, but less utter panic inducing.
Yeah, this has always seemed to me like a good idea, and a profit opportunity for the CAs. All the CAs get to spread FUD about each other being blacklisted, and claim that it's best practice to get two certs from different CAs (with different actual root certs, not just different resellers). Even the Let's Encrypt users will keep a fancy wildcard in their back pocket.
If you issue them from the same CSR / key, you can even configure your web server to send both certs in the certificate chain, and most clients will figure out which one they trust without requiring manual intervention by the site operator.
Doubling the cost and difficulty of CA management for a once in a... well.. we haven't yet had a major CA killed in the decades that CAs have been around.
If CAs were being killed every few months then that would be a reasonable thing to do - but not for such a rare occurrence.
Mis-issuance is creating a certificate that is totally reasonable to create, just with the wrong validation. If you have a human step that lets you override the validation check, or if you get the validation logic wrong (e.g. WoSign/StartCom's thing where they allowed high-numbered ports), etc., you end up with a certificate that is otherwise reasonable for you to have created. And there's a lot of code that goes into validation. But there is never any reasonable use for a backdated certificate, and it's a very simple thing to double-check that your code does right.
If you give CAs a pile of requirements and say "Do not do these incorrectly" (which is what browsers do to all CAs), they can always argue that they made an honest mistake and they fixed it. Maybe they shouldn't have that room for argument, but they do. But if you say "Do not backdate certs," you've given them one thing to get right, that is hard to get wrong by mistake. At that point, a backdated cert implies either malice or losing control of the raw private key material, both of which clearly demand revocation.
I know a couple reasons for a backdated cert. Here's one that is easy to explain: backdated clients + emergencies. At least one in a million client devices is backdated by more than three days. It is therefore prudent to wait until a week or more past NotBefore before deploying a cert.
If you need a new certificate in a terrible rush, you can backdate.
Now, that's not what happened here. I would chalk this up to a cultural shift between the Americans and Europeans making the rules at the CA/B forum and the WoSign folks who honestly never imagined they would be expected to comply with rules that couldn't be checked---that a rule would say "don't sign sha-1 after Jan 1" as opposed to "don't sign sha-1 with a NotBefore after Jan 1."
Hm, that's a fair reason. But really what's important here is the fixed CT cutoff date. If you have mandatory CT from October 1 onwards, it seems fine to promise that you'll actually do CT for all certs with a notBefore of September 24 or later, and on October 1, you will stop issuing certs with a notBefore earlier than September 24.
(Of course the complexity now re-introduces some room for "honest" mistakes.)
What's happening at the moment is that Mozilla (and Google) are undertaking fact-finding to figure out how badly WoSign messed up and to explore possible penalties. Removing WoSign, or even actively distrusting the certificate, is certainly on the table. As others have pointed out, there are now more remedies available than merely pulling the CA.
That said, when you read the email thread, it's abundantly clear that WoSign is not saying what they should be saying. The first response document is inadequate (although they're working on a second document in response to the extra incidents): it seems like WoSign is trying to say "we quickly fixed every instance brought up to us!" and they aren't understanding that said answer isn't good enough for such a serious breach of trust. The remedy at this point is likely to be at least as severe as forbidding any certificate with an issuedBefore of soon. Honestly, if you're a sysadmin using a WoSign cert, I would recommend immediately looking into obtaining a cert from another CA as a backup.
DigiNotar wasn't a large CA according to that link: "Although DigiNotar had been a general-purpose CA for several years, they still targeted the market for notaries and other professionals."
Probability has nothing to do with it. Trustwave was excused because what they were doing was not expressly prohibited at the time and other CAs were probably doing the same thing. Trustwave proactively came forward about what they had done. They shouldn't have been the only ones to be distrusted as a result. CAs are not going to be excused for this again, as CNNIC and ANNSI show.
No, it wasn't. That's because the certificates we're talking about were intended to substitute for Google's. They were for enterprise networks, some of them with legal requirements to monitor outgoing traffic (Google Mail in particular is a big problem at regulated financial firms.) The CA=YES certificates were housed in DLP and proxy appliances that ran only on the borders of their own networks.
Enterprises wanted these certificates because the alternative to them is installing additional root certificates on everyone's desktop machines, which is a logistical pain.
I'm not excusing that CA transaction. Issuing CA=YES certificates as a convenience for enterprise security teams is terribly irresponsible, and never should have been allowed.
But, at the the the Trustwave thing happened, it was not expressly black-letter against the rules, and so Trustwave didn't get the CA death penalty for it.
This is getting circular. I'm fully aware of the purpose of these certificates. The discussion was "did Mozilla make the right decision in excusing a CA that essentially decided to create an extra root CA". The result was a rogue google certificate in the wild. I guess browsers don't care that it was only intended for proxying employee traffic, after all.
I certainly think that in the circumstances, no, they did not. The Mozilla CA policy isn't some legally binding document. They are free to change it and still death-penalty whoever was ultimately responsible for these rogue certificates.
I'm not sure what you expect from Mozilla. It would be nice if there was a way to instantaneously kill a CA and ensure all of its issued certificates continued to work, so that a big chunk of the Internet wouldn't suddenly break. If that capability existed, Mozilla or Google could nuke CAs left or right without even checking the Basic Requirements. But it doesn't, and so the process for handling CA inclusion is done by the book.
In this case, the book said "I guess proxy MITM CA=YES certificates are fine, as long as you're careful".
We're getting to the root of the issue after all. Mozilla simply wasn't prepared to nuke a popular CA unless Google and Microsoft joined in to the fun.
Policy was just the excuse. We saw what happened with CNNIC. Coordinated press releases.
I don't know, it seems like, however unprepared anyone is to nuke a popular CA, they're going to be even less prepared if that CA didn't actually violate the policy.
You keep writing as if it's common sense that the policy should say "nobody can issue CA=YES certificates to enterprises". But while I agree strongly that they shouldn't, this is not common sense. The certificates that Trustwave sold were never deployed on the public Internet, and their disclosure outside of whatever giant bank bought them would presumably have been accompanied by massive civil liability.
The policy didn't mention this behavior not because it never occurred to anyone to ban it, but because it was overtly, actively thought to be OK, by pretty much every stakeholder, until browsers started getting better at monitoring certificate issuance.
Really, the simple truth is: you have Google to thank for pretty much every positive shift in norms about SSL/TLS CAs. Until they built the team they have doing this today (which is amazing), certificate issuance was --- not hyperbolically, but actually, factually --- the lawless wild west.†
Do I wish they'd built that team a few years earlier? Yes, of course. I also wish heap and integer overflows were better known in the early 90s. You can't always get what you want.
† The Google team will pointedly add that we should be thanking the Mozilla team for the work they've been doing on keeping a coherent CA policy and trusted root set going all these years; as you can see from this thread, it's a thankless task. I don't agree with all of Mozilla's decisions, but if you throw down in a m.d.s.policy thread about them being incompetent or ineffectual, be prepared to have people who have forgotten more about certificate issuance than you've ever learned give you some pretty vivid comparisons to how other certificate stores have been managed all this time.
No, nothing like that. The browsers had not made it clear to CAs before 2012 that such products were not to be sold. I distinctly remember seeing these sorts of products quite publicly for sale (but in the hundreds-of-thousands-of-dollars range, I think) on CAs' websites in the late '00s.
It was a different time then, and we've gotten better at expecting CAs to be competent. The probability that action will be taken today for the same thing is 1.
IIRC, that happened when it was not totally clear that a CA shouldn't be doing that. That incident made it clear that such a thing was in fact prohibited by Mozilla policy, and the CA in question revoked the cert. If it happens again, I would expect the CA (regardless of size) to be revoked—but at the same time, I would expect the big CAs to know they shouldn't even think of it now, which apparently they didn't know in 2012.
"WONTFIX" is the technical status of the Bugzilla bug, because there wasn't a code change, but it's clear that Mozilla took a policy action:
> I have posted a draft CA Communication in the mozilla.dev.security.policy forum for review/discussion. My intent is to make it clear that this type of behavior will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behavior is found after that grace period. There is also an action item for CAs to update their CP/CPS to make it clear that they will not issue subCAs for this purpose.
(That also happened when the browser world was less good at dealing with bad CAs, in general)
It absolutely was a policy misunderstanding in 2012. It is no longer a misunderstanding, since it is now abundantly clear to CAs that they can't do that. It no longer stands.
As far as CA policy goes, 2012 was the very distant past. You might as well accuse Mozilla of poor judgment for allowing MD5 certificates in 2012, it would make as much sense.
The CA did the equivalent of purposefully putting their hand into a garbage disposal unit. You're telling me we should not reconsider them as a root CA because the unit didn't say "don't put your hand into this".
Honestly, I'm not sure how you plan to argue your way around a situation where I ended up with a rogue "mail.google.com" certificate accepted by my browser. That wasn't in the rules?! The CA wasn't clear on the policy for that?
... nobody had clearly explained to you what the specific transaction Trustwave got in trouble for was actually about.
Now you know, so "this will not stand" and "Trustwave stuck its hand in the garbage disposal" shouldn't be germane anymore. Once again: the whole point of those certificates is to sign domains the certificate owner doesn't control. They're sold only to giant corporations with huge amounts of insurance, and they're contractually obligated to ensure they're deployed only on the corporation's own network.
I think Chinese CAs are also special cases. If American browser vendors remove a Chinese CA like WoSign, there is the possibility a fork distribution will replace Mozilla in China by inclusion of these certificates. I think it would take the cooperation of the Big 4 browser/OS vendors to remove a CA, and the Chinese market often responds by creating its own internal distribution.
But Firefox probably could name-constrain WoSign to .cn. Firefox could probably also name-constrain all StartCom-issued certificates after some cut-off-date to .cn or just ban new StartCom-issued certificates entirely.
Reprising a previous comment about this suggestion:
This is one of those ideas that sounds like common sense when you hear or think about it the first time, but falls apart on scrutiny. Ryan Sleevi has done a much better job picking it apart than I can here, but among the numerous problems with it:
* The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
* It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
* It consigns residents of countries with oppressive governments to total control by their governments, while at the same time making usage constraints based on those TLDs (such as local mandates to use services whose names end in .XX for XX in $bad_countries) much more powerful.
* It further promotes the idea that security should somehow be tied to the DNS, despite the fact that the DNS is itself not transparently managed, and is often managed at odds with the interests of Internet users as a whole.
* By factionalizing Internet trust, it harms interoperability and also makes it harder to introduce further constraints into the certificate system by essentially declaring up front that we're conceding Internet trust policy to individual nations.
* It greatly complicates the security stories of companies that have adopted vanity domain names in random countries, which, whatever you think of those companies (koff! Pinboard), is an unforced error.
Of all the things we can spend time on to improve Internet security, this is not one of the better ones.
> The most important TLDs are transnational, and their trust hierarchies back into corporations (corporations, I will cheerfully and without irony point out, who are subject to the whims of the FVEY IC).
Are they? I always thought that .com, .edu, .net et al. are American. I suppose one could argue that .eu is transnational, although the EU are trying very hard to invent their own postmodern nation.
> It's jingoistic, suggesting we should base trust decisions not on technology or even, really, on policy, but rather on nationalism.
It's not really jingoism, although it might be nationalism. And is it even nationalism, when each nation-state makes its corporate decisions in a manner which is acceptable to the members of said state?
> It consigns residents of countries with oppressive governments to total control by their governments
… which they already are under, so it doesn't make anything worse. And they are, of course, free to revolt, as oppressed peoples have done throughout history, sometimes succeeding and sometimes failing.
> By factionalizing Internet trust
You say factionalising, I say federating. It doesn't make any sense to me for a corporation in Canada to certify the identity of a site in Iran for a resident of Guinea-Bissau, which is the current situation. Federation seems to me to be the only solution capable of scaling to a world of billions.
> It greatly complicates the security stories of companies that have adopted vanity domain names in random countries
I think the unforced error was placing their identities in the hands of foreign states.
And, of course, with domain-level validation, their security is already in the hands of those states.
Does anyone know if it's possible to write a Firefox add-on that could warn you that the site you're connecting to uses one of these less trustworthy or esoteric CAs? I've looked through the APIs, but I don't see any hooks for that kind of info.
EDIT: Now that I think about it, it must be possible, Certificate Patrol is looking at the cert info, I'll see how they do it.
Since I don't browse Chinese websites I just distrusted the WoSign root and used the Red Jacket add-on[0] to distrust their intermediate certs (at least some of which are cross-signed by other trusted CAs).
If someone shady was MITMing your traffic, they could just block access to the API. If you wanted to do the checks before loading each URL, it would make things very slow.
To some extent this would provide a false sense of security, as if the CA misissues a certificate it wouldn't stop it from being used to hijack your session with an iframe.
I'm starting to think that a service such as SSL Labs should also grade CAs (perhaps by looking through Certificate Transparency logs as well, once all CAs have to use them).
Then if you use like a "C-rated" CA, your HTTPS score is also limited to B. A B-rate CA would limit your HTTPS score to A, and only an A-rated CA would allow you to get A+ on SSLabs. Something along those lines.
I imagine rating the CAs would be quite a complex task, but they could start with the big ones first that own 80-90% of the market.
For that to be useful, browser vendors would have to start showing something other than a binary "secure" "not secure" setup to the user along with some of that info.
Also, it sounds like something that will be very easy to corrupt.
SSL Labs is a tool mainly used by the website owners/administrators, not so much by end users (and if at all an end user will then complain to the owner about a low rating).
Downgrading the rating because he used a "fishy" CA might motivate the website owner to switch to a CA with better standing. The bad CA will feel pressure to clear their standing.
the best hope is google itself doing it, since most users probably won't look at the secure vs secure-but-not-quite unless it's a scary warning page. Ranking websites lower though and the marketing departments will start calling.
> For example, a cert where the owner validated "netwi.ru" was able to add "mx.idisk.su", an entirely different domain, without validating it.
Now that's odd, because I know those two domains. I've even requested some certificates for them myself before (never had anything odd - I think I would've noticed if there was a way to add a domain without validation), but I left the company in January 2015.
It was my coworker requesting that certificate, and I've just found - still have the access to the servers as I help them with small issues on rare occasions - that at the same date it was issued (Feb 26, 2015) he had most certainly got a validation file (idisk.su.html) and put it into idisk.su's static root.
Webserver logs are, of course, long gone so can't really tell if it was actually accessed or not, but I think when I had requested certificates myself it was a wizard-style process where one got a file to download and the only next action was to validate it, no other way to proceed.
I don't doubt there was a severe bug. But this leaves me wondering whenever the analysis followed was really accurate (not saying it wasn't, but still sort of curious that it could be).
Where WoSign have demonstrated glaring incompetence and utter ignorance of security practices as an CA, I doubt these issues aren't violated at quite a few dozens of other CAs. These are good lessons for other CAs.
To me, the ultimate question is this: if we are trusting CAs as the 3rd party entity in order to make PKI schemes work, then who's going to be auditing the "supposedly trustworthy" party?
While I've seen some scripts to "blackhole" so-called bad/suspicious CAs, I have yet to find something that cleans things across the board for different browsers.
Apple's implementation of "Rootless" while useful for other things hasn't helped by denying the ability to remove certs unless one reboots into recovery and does "csrutil disable".
I started wondering this after they declined to remove StartSSL after the Heartbleed fiasco, and while I sort of understood the reasoning there in isolation, between that incident and this long list of WoSign violations, I'm really getting the sense that CA's are "too big to fail" and that the downsides of suddenly breaking huge parts of the internet on unsuspecting users mean that the threat of removing badly-behaving CA's is an empty one. What would a CA have to do to actually be removed, especially if they were to sign really huge sites?