雖然平常早就把 WoSign 移除信任,但在「Mozilla考虑对沃通CA采取行动」這邊看到有趣的消息,翻了一下 Gervase Markham 發表的原文還蠻精彩的:「Incidents involving the CA WoSign」。
第一次事件 (Incident 0) 是在 2015/04/23,攻擊者只要能夠證明他能控制某個 TCP port,就會發出 certificate:
On or around April 23rd, 2015, WoSign's certificate issuance system for their free certificates allowed the applicant to choose any port for validation. Once validation had been completed, WoSign would issue certificates for that domain. A researcher was able to obtain a certificate for a university by opening a high-numbered port (>50,000) and getting WoSign to use that port for validation of control.
設計不良造成的資安事件總是會發生。重點在於 Google 知道,但 Mozilla 完全不知道:(我講得很保守是因為這個句子在 thread 後面被澄清解釋的更慘,參考後文)
This problem was reported to Google, and thence to WoSign and resolved. Mozilla only became aware of it recently.
更嚴重的是,這次的事件在 WoSign 的稽核上沒有出現:
* This misissuance incident did not turn up on WoSign's subsequent BR audit[1].
第二次事件 (Incident 1) 是在 2015 年六月,也是資安設計的問題,當你可以拿到 WoSign 所指定的 subdomain 控制權後,你就可以拿到 parent domain 的 certificate,而這次甚至被拿到 GitHub 全系列的 certificate:
The reporter proved the problem in two ways. They accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io.
嗯,也沒通報:
* This misissuance incident was not reported to Mozilla by WoSign as it should have been (see above).
嗯,稽核也沒出來:
* This misissuance incident did not turn up on WoSign's subsequent BR audit[1].
嗯,被拿到的 domain (ucf.edu
) 也沒 revoke:(可以從「crt.sh | 29647048」這邊看到)
They reported this to WoSign, giving only the Github certificate as an example. That cert was revoked and the vulnerability was fixed. However recently, they got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later.
第三次事件 (Incident 2) 則是在 2016 年七月,由於現在大多數的瀏覽器都會對 2016 後簽出的 SHA-1 憑證直接標示為不安全,而 WoSign 的 API 提供造假,讓簽名日期 (notBefore
) 簽在 2015/12/20:
Using the value "1" led to a certificate which had a notBefore date (usage start date) of 20th December 2015, and which was signed using the SHA-1 checksum algorithm.
嗯,然後否認造假:
* WoSign deny that their code backdated the certificates in order to avoid browser-based restrictions - they say "this date is the day we stop to use this code"[4]. If that is true, it is not clear to us how StartCom came to deploy WoSign code that WoSign itself had abandoned.
嗯,然後還是沒有回報給 Mozilla:
* This misissuance incident was not reported to Mozilla by WoSign as it should have been.
稽核報告應該是因為這太新,還沒開始做?
另外在 thread 討論時,Google 的 Ryan Sleevi 澄清的更慘:
Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them.
It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread.
也就是說,是 Google 主動發現這些問題,並且通報 WoSign。後來過了許久發現 WoSign 沒有照規定通報其他 CA Root 管理單位 (以這邊來說是 Mozilla),於是 Google 決定主動通報其他單位,然後大~爆~炸~
在密碼學理論裡,CA 架構是靠著稽核建立信任的,這次的事情又再次證實這個問題 (但目前沒有其他好的機制可以做)。來猜測下場的話,我的預期是會像拔掉 CNNIC 的作法拔掉信任,但針對之前發出的 certificate 設為白名單 (直到過期):