Chinese root CA issues rogue/fake certificates

Thu Sep 1 01:36:57 UTC 2016

On Wed, Aug 31, 2016 at 10:45:48AM -0800, Royce Williams wrote:
> Hypothetically, it would be an interesting strategy for a CA to
> publicly demonstrate this level of competence:
> 
> https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com
> 
> ... while at the same time taking over another large install base like
> StartSSL's (an install base fueled by offering free certs).
> 
> If one got caught doing something naughty, one could buy time by A)
> playing the incompetence card a few times, and B) having a large
> enough deployment that it becomes non-trivial for the browsers/OSes to
> revoke you outright.

Honest Achmed's business model wins again!

I'm pretty sure that's how this is going to go down here, too, incidentally
-- there's just waaaay too many sites using WoSign (and StartCom) for the
CAs' roots to just be pulled.  Sad, but true.

> Also, this is a cautionary tale about certificate diversity.
> 
> Because of relative issuer stability, orgs have had the luxury of
> depending wholly on a single cert supplier. The risk/continuity folks
> might want to model some "one of our major certificate issuers just
> got globally revoked" scenarios - if they haven't already.

I'd be surprised if most business continuity people could even name their
cert provider, and most probably don't even know how certs come to exist or
that they *can* be made useless on a wide scale by the actions of,
seemingly, an unrelated third party.  It's a system nearly without
precedent, when you think about it.  In fact, my gut feel is that, if they
really understood the system, most risk/continuity folks would scream "are
you f**king kidding me?  That's ridiculous!".

Thanks, Netscape.  Great ecosystem you built.

- Matt

-- 
Talk about unlucky. D'you know, if I fell in a barrel of tits I'd come out
sucking me thumb.
		-- Seen on the 'net:
 http://thelawwestofealingbroadway.blogspot.com/2006/01/bang-to-rights.html