Certificate Authority Gave Out Certs For GitHub To Someone Who Just Had A GitHub Account

from the oops dept

Fri, Aug 26th 2016 6:33am — Mike Masnick

For many years now, we've talked about the many different problems today's web security system has based on the model of security certificates issued by Certificate Authorities. All you need is a bad Certificate Authority to be trusted and a lot of bad stuff can happen. And it appears we've got yet another example.

A message on Mozilla's security policy mailing list notes that a free certificate authority named WoSign appeared to be doing some pretty bad stuff, including handing out certificates for a base domain if someone merely had control over a subdomain. This was discovered by accident, but then tested on GitHub... and it worked.

In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.

The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.

They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.

As you can imagine, this should be a cause for quite some concern:

The lack of revocation of the ucf.edu certificate (still unrevoked at time of writing, although it may have been by time of posting) strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.

Mozilla also noted that WoSign never informed it of the earlier misissuance either. This is a pretty big mistake. The Mozilla post also calls out some questionable activity by WoSign in backdating certificates, but this first point is the really troubling one.

I recognize that until a better system is found, certificate authorities issuing certificates is about all we have right now for web security -- but, once again, it really seems like we need to be moving to a better solution.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificate authority, https, security, ssl, subdomains
Companies: github, mozilla, wosign

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 26 Aug 2016 @ 6:38am

Commerical CA
Is one of the biggest fucking scams the world over.

Seriously, you can pay assloads of cash for an EV Cert and for fucking nothing more than a few bits of encryption.

The idea that a 3rd party should be default trusted on any computing platform is the same as pulling your fucking pants down every time a rapist walks by. You are just fucking begging to be rapped! Every commercial CA has spies in them, and for very fucking damn good reasons!
[ link to this | view in chronology ]
Mason Wheeler (profile), 26 Aug 2016 @ 7:12am

Wow, what a bunch of gits!
[ link to this | view in chronology ]
bob, 26 Aug 2016 @ 7:45am

Perfect solution right here.
Trust everyone, everytime. After all people can't post stuff to the internet that isn't true.
[ link to this | view in chronology ]
- DannyB (profile), 26 Aug 2016 @ 8:57am
  
  Re: Perfect solution right here.
  I read it on the internet, so it MUST be true.
  [ link to this | view in chronology ]
pegr, 26 Aug 2016 @ 8:00am

The root problem
The root problem is having others make our trust decisions for us. Roam through the list of trusted CAs from a default Windows install. There are plenty that are highly questionable CAs(e.g. CAs controlled by a state actor, BS CAs, CAs with a history of doing stupid crap, etc.).

This is all in the name of making a "positive user experience". No, I can't explain to my grandmother how to choose what certs to trust and what certs not to. It's a kludge and always has been.
[ link to this | view in chronology ]
Ninja (profile), 26 Aug 2016 @ 8:25am

There are talks about making this certificate system based on the blockchain system. It's a generally good idea where every user in the chain has the same 'authority' and blocks can be excluded or added upon agreement. You'd need to compromise over 50 something % of the whole chain to actually get enough power to dictate the rules (correct me if I'm wrong).

Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm. I'm not really an expert here so I'm only wondering.

In my opinion based on what I know it could be feasible.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Aug 2016 @ 9:25am
  
  Re:
  there are already some almost-blockchain-type systems for certificates - the Certificate Transparency logs
  
  https://www.certificate-transparency.org/known-logs
  
  the problem is that some Certificate Authorities have such a HUGE number of certificate issued per month (e.g. LetsEncrypt) that they are banned from publishing new data to the logs.
  [ link to this | view in chronology ]
- Mason Wheeler (profile), 26 Aug 2016 @ 11:01am
  
  Re:
  Bitcoin has seen some concentration of decision power in the hands of the Chinese where the biggest coin farms reside so this could be a problem. Or not since there is nothing to farm.
  
  Nothing to farm? If anything, the incentive is exponentially greater here.
  
  Bitcoin is a fraud-plagued mess of a fringe currency experiment that's losing more and more prestige with each passing day. But put something of real value on the line, like the security of the fundamental infrastructure of the Internet, and you paint a massive target all over the entire system!
  [ link to this | view in chronology ]
- Kollawa, 27 Aug 2016 @ 2:28pm
  
  Re: blockchain based certs
  That's a terrible idea. Certs don't require community decision making of ownership but that the actual owner gets identified. That is why single party CAs are trusted. It is moving the risk from one party to another. What you are proposing almost guarantees that the risk is exponentially higher.
  [ link to this | view in chronology ]
Rodrigo Fernandes, 27 Aug 2016 @ 3:12pm

HPKP is the current solution for this problem.
You can sign your certificates with your own crt and do not need to fully relly on your CA. You always have the last part of the key.
[ link to this | view in chronology ]
- Mike, 30 Aug 2016 @ 7:47am
  
  Re: HPKP
  The only real solution, is placing the trust to the place your request took it's first bits: DNS
  
  DNSSEC has a nice feature called DANE, using TLSA records with the hash of your SSL certificate. Browsers can check the integrity of your DNS responses as well as the SSL certificate offered using the same infrastructure!
  [ link to this | view in chronology ]
  - Ricky, 30 Aug 2016 @ 10:30pm
    
    Re: Re: HPKP
    DANE, LOL That was killed off by the powers that be at a certain company. DANE doesn't exist anymore. I think I would know.
    [ link to this | view in chronology ]
- inde, 4 Sep 2016 @ 8:55pm
  
  Re:
  Exactly this. I can't believe people are actually blabbering on about fscking blockchain-based approaches, having no idea what they're talking about, when HPKP is the only real solution we have.
  [ link to this | view in chronology ]