Mozilla's latest move on the WoSign + StartCom root certificates: removal

Okay, after the Mozilla folks talked with the people from WoSign, StartCom, and 360, there is new progress.

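A few hours ago Mozilla put out a new version of the draft (yes, it is still a draft): "Remediation Plan for WoSign and StartCom". But since neither Kathleen Wilson nor Gervase Markham had much to object to, my guess is that this is close to final.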

This draft of the sanctions was posted by Kathleen Wilson and covers the following root certificates; as you can see, it includes all of the WoSign and StartCom CAs:

1) Subject: CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
2) Subject: CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
3) Subject: CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
4) Subject: CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
5) Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
6) Subject: CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
7) Subject: CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL

First, this series of incidents is deemed to be malicious behavior:

Based on the information that I have seen regarding WoSign, I believe that WoSign intentionally bent the rules in order to continue issuing SHA-1 SSL certs, when they knew full well that was no longer allowed. I also believe that the deception continued even after Mozilla directly asked WoSign about this. WoSign has lost my confidence in their ability and intention to follow Mozilla's policies.

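So the plan is to apply sanctions similar to those used for CNNIC, but unfortunately, because the scale is different, they are forced to handle it another way: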

Therefore, I think we should respond similarly to WoSign as we did to CNNIC [1][2]. Unfortunately, the number of certificates and the timescales involved are such that we prefer not to create a list of the domains for which previously-issued certs that chain up to the Affected Roots may continue to be trusted, so our approach will be a little different, as Gerv previously described[3].

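The sanctions consist of four items. The first is that Firefox 51 will block these root certificates with a blacklist, but certificates issued before 2016/10/21 will still be trusted, to reduce the impact on existing websites: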

1) Distrust certificates chaining up to Affected Roots with a notBefore date after October 21, 2016. If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the Affected Roots.
-- This change will go into the Firefox 51 release train [4].
-- The code will use the subject key id (hash of public key) to identify the Affected Roots, so that the control will also apply to cross-certs of the Affected Roots.
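Why item 1 keys on the subject key id rather than on the root certificate itself, as an added Python example (not Mozilla's code and not from the original post): a cross-cert carries the same public key, so the same SKI, but is a different certificate with a different fingerprint. The SKI and fingerprint strings are placeholders, the sample certificates are constructed, and reading "after October 21, 2016" as the end of that day in UTC is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: "after October 21, 2016" means after the end of that day in UTC.
CUTOFF = datetime(2016, 10, 22, tzinfo=timezone.utc)
# Placeholders: the real key ids and fingerprints are not given on this page.
AFFECTED_SKIS = {"ski:affected-root-key"}
AFFECTED_FINGERPRINTS = {"fp:affected-root-self-signed"}

@dataclass(frozen=True)
class Cert:
    subject: str
    ski: str            # subject key id: hash of the public key
    fingerprint: str    # hash of the whole certificate
    not_before: datetime

def chains_to_affected(chain, by="ski"):
    """chain is leaf-first; every CA certificate above the leaf is inspected."""
    if by == "ski":
        return any(c.ski in AFFECTED_SKIS for c in chain[1:])
    return any(c.fingerprint in AFFECTED_FINGERPRINTS for c in chain[1:])

def passes_date_control(chain, by="ski"):
    """True if this control does not reject the chain (not a full path validation)."""
    return not chains_to_affected(chain, by) or chain[0].not_before < CUTOFF

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample certificates (not real data).
ROOT = Cert("Affected Root", "ski:affected-root-key", "fp:affected-root-self-signed", utc(2009, 8, 8))
# Cross-cert: same subject and public key, signed by another CA, so a new fingerprint.
CROSS = Cert("Affected Root", "ski:affected-root-key", "fp:cross-cert", utc(2015, 1, 1))
OTHER_ROOT = Cert("Other Root", "ski:other-root-key", "fp:other-root", utc(2000, 1, 1))
OLD_LEAF = Cert("old.example", "ski:leaf-1", "fp:leaf-1", utc(2016, 9, 1))
NEW_LEAF = Cert("new.example", "ski:leaf-2", "fp:leaf-2", utc(2016, 11, 15))

def demo():
    return {
        "old leaf, direct chain": passes_date_control([OLD_LEAF, ROOT]),
        "new leaf, direct chain": passes_date_control([NEW_LEAF, ROOT]),
        "new leaf via cross-cert, SKI match": passes_date_control([NEW_LEAF, CROSS, OTHER_ROOT]),
        "new leaf via cross-cert, fingerprint match": passes_date_control(
            [NEW_LEAF, CROSS, OTHER_ROOT], by="fingerprint"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the fingerprint-based variant accepts the post-cutoff leaf that chains through the cross-cert, which is the gap the SKI match closes.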

Next, the SHA-1 certificates that were issued earlier will be added to OneCRL:

2) Add the previously identified backdated SHA-1 certs chaining up to the Affected Roots to OneCRL.

Another very big deal is that Mozilla will permanently stop trusting audit reports from Ernst & Young Hong Kong:

3) No longer accept audits carried out by Ernst & Young Hong Kong.

Gervase Markham added a clarification on the "permanent" part:

To be clear, this is a permanent ban, applicable worldwide, but only to the Hong Kong branch of E&Y. (If further issues are found with E&Y audits elsewhere, then we might consider something with wider scope.)

The last item is removing the certificates bundled in NSS:

4) Remove the Affected Roots from NSS after the SSL certificates issued before October 1, 2016, have expired or have been replaced.

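The discussion mentions that the cutoff dates for Firefox and NSS are not quite the same (one is 10/21, the other 10/01); this should be corrected when the plan is finalized.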

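Also, in "StartCom & Qihoo Incidents", Google's Ryan Sleevi wrote a long post as well. It may be just his personal view for now (but he is, after all, one of the people in charge on Google's side), and his position is basically the same as Mozilla's (treating WoSign and StartCom as a single entity that deliberately violated the Baseline Requirements), so there should be follow-up action there too...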

StartSSL's validation slip-up

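Some rather entertaining news from the past few days: StartSSL's validation process broke, so that any email address could be used to receive the verification mail: "StartSSL Domain validation (Vulnerability discovered).". Just look at this picture: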

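Sending it this way is not the problem in itself (since you can still check it again on the server side); the problem is that changing it actually works (lol):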

This company has had a lot of negative news lately... (Ah, I have had their root certificate marked as untrusted for a while now XD)

StartSSL hosts auth.startssl.com in Qihoo 360's data center

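By the way, I have been fairly happy using Nuzzel lately; it surfaces quite a few articles. Surprisingly, though, I did not see this one on Nuzzel; I saw it on Allen Own's Facebook timeline (this post).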

The original is "Why I stopped using StartSSL (Hint: it involves a Chinese company)".

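The main security problem is that auth.startssl.com is hosted in the data center of the Chinese company Qihoo 360, and this is the server used for identity authentication. Given that China is a country ruled by people rather than by law (i.e. there is no way to ensure that the CA's audit mechanism is effective), I decided to remove StartSSL's root certificate from my trusted chain, so that I don't get burned...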

Getting an SSL certificate set up for SMTP...

I have set up SSL certificates for websites many times, so I wanted to try it on the MX hosts. Once it is set up, it looks like this; this is from the Varnish mailing list:

Received: from project.varnish-software.com (project.varnish-software.com [194.31.39.164])
        (using TLSv1 with cipher AES256-SHA (256/256 bits))
        (No client certificate requested)
        by home.gslin.org (Postfix) with ESMTPS id 9C2F568009A
        for ; Mon, 21 Sep 2015 08:46:30 +0800 (CST)

This is mail sent from the nginx mailing list:

Received: from mail.nginx.com (mail.nginx.com [206.251.255.65])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by home.gslin.org (Postfix) with ESMTPS id 4A4F26801E0
        for ; Mon, 21 Sep 2015 08:25:37 +0800 (CST)

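There are still some cipher details that I will look at later to see whether they can be tuned further... Because the MX records are set up like this, I also took the chance to apply for several SSL certificates from StartSSL: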

;; ANSWER SECTION:
gslin.org.              3600    IN      MX      20 mx20.gslin.org.
gslin.org.              3600    IN      MX      0 mx0.gslin.org.

Since there are two MX records, I applied for SSL certificates for mx0.gslin.org and mx20.gslin.org.

The configuration that follows is mainly based on the "Postfix TLS Support" documentation, plus a lot of material found via Google...

After obtaining the SSL certificate, first merge in the intermediate certificate, then configure Postfix's main.cf like this:

# Inbound (smtpd) TLS: certificate merged with the intermediate, private key, opportunistic STARTTLS
smtpd_tls_cert_file = /etc/ssl/certs/mx0.gslin.org-intermediate.crt
smtpd_tls_key_file = /etc/ssl/private/mx0.gslin.org.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

Once configured, you can test with the "TLS Receiver Test" tool; entering admin@gslin.org shows that both hosts pass.

Next is outbound mail. I found that msa.hinet.net also supports STARTTLS, so the smart relay can use it too; this can be confirmed with tcpdump -n -vvvv -A -i ppp0 host 168.95.4.211. The result of sending looks like this:

Received: from home.gslin.org (114-32-152-63.HINET-IP.hinet.net [114.32.152.63])
	by msr9.hinet.net (8.14.9/8.14.9) with ESMTP id t8L2l1gU006249
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
	for ; Mon, 21 Sep 2015 10:47:01 +0800 (CST)

And the Postfix configuration is set like this:

smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_use_tls = yes
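The cipher details left for later can be read straight out of the Received headers above. As an added example (not from the original post), this Python sketch parses the Postfix and sendmail TLS annotations shown on this page and flags what is worth tuning; the finding labels and prefix lists are assumptions of this example, based on OpenSSL cipher naming.

```python
import re

# Postfix format, as in the two inbound headers on this page.
POSTFIX_RE = re.compile(
    r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)\)")
# sendmail format, as in the msr9.hinet.net header on this page.
SENDMAIL_RE = re.compile(
    r"\(version=(?P<proto>\S+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+) verify=\S+\)")

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
FS_PREFIXES = ("ECDHE-", "DHE-", "AECDH-", "ADH-", "TLS_")  # ephemeral key exchange
ANON_PREFIXES = ("AECDH-", "ADH-")                          # no certificate involved

def audit_received(header):
    """Return (proto, cipher, bits, findings) or None when the hop shows no TLS."""
    m = POSTFIX_RE.search(header) or SENDMAIL_RE.search(header)
    if m is None:
        return None
    proto, cipher, bits = m["proto"], m["cipher"], int(m["bits"])
    findings = []
    if proto in LEGACY:
        findings.append("legacy protocol version")
    elif proto == "TLSv1/SSLv3":
        # Older OpenSSL reports the cipher family here, not the negotiated version.
        findings.append("version string is ambiguous")
    if cipher.startswith(ANON_PREFIXES):
        findings.append("anonymous key exchange, server not authenticated")
    if not cipher.startswith(FS_PREFIXES):
        findings.append("no forward secrecy")
    if bits < 128:
        findings.append("weak symmetric key")
    return proto, cipher, bits, findings

# TLS lines copied from the three Received headers shown on this page.
SAMPLES = {
    "varnish": "(using TLSv1 with cipher AES256-SHA (256/256 bits))",
    "nginx": "(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))",
    "hinet": "(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)",
}

def audit_all():
    return {name: audit_received(line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```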

Instructions for applying for a free SSL certificate from StartSSL...

Because of the NSA surveillance (which seems to be in vogue domestically lately too?), articles abroad introducing StartSSL have become popular again: "Switch to HTTPS Now, For Free".

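However, because StartSSL adds the hassle of certificate-based authentication, applying is quite a chore for ordinary users, so there are many articles walking through it :o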

The Generate Private Key step here is not for the HTTPS certificate you intend to apply for, but for your personal certificate...

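This tutorial uses a large number of screenshots and lists the commands for generating the private key and the CSR, and then goes on to show how to configure nginx. Compared with other documentation, it should be quite clear...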