back to article Chinese CA hands guy base certificates for GitHub, Florida uni

A Chinese certificate authority handed out a base certificate for GitHub and the Univerisity of Central Florida to a mere user in a significant security blunder. British Mozilla programmer Gervase Markham reported the incident on the browser baron's mailing list saying it occurred more than a year ago in July 2015 but went …

  1. frank ly

    You can't trust anybody

    I've said it before and it looks like I'll keep on saying it.

    Why is a Chinese CA capable of handing out a base certificate for Github and a University in Florida? That's a genuine puzzled question because I don't know how certificate issuance is organised and managed.

    1. Fuzz

      Re: You can't trust anybody

      Any CA can issue a certificate for any CN. I can issue you a certificate for github if you want. Difference is if I issue you a certificate nobody will trust it. The problem is that there are too many trusted CAs in browsers and they clearly aren't audited correctly.

    2. Paul Crawford Silver badge

      Re: You can't trust anybody

      It is a fundamental problem with the whole system. Basically it takes only 1 out of hundreds of CAs to issue a mistaken or malicious certificate and the chain of trust is broken. As such, it is not really anything you can trust at all. CA pinning is an attempt to reduce the scope of such failures, but it is a band-aid to the situation.

      But then many folk just ignore browser warnings anyway :(

      1. Doctor Syntax Silver badge

        Re: You can't trust anybody

        "many folk just ignore browser warnings anyway"

        Maybe the solution is to add a further category for whom the "Ignore these warnings" buttons are greyed out.

        1. Midnight

          Re: You can't trust anybody

          "Maybe the solution is to add a further category for whom the "Ignore these warnings" buttons are greyed out."

          Perhaps an "I am aware of the risks" checkbox could help. Activating that and also pressing the "Ignore these warnings" button would not actually bypass the certificate warning, but instead open up a large text box with the caption "Then tell us what you think they are".

        2. Anonymous Coward
          Anonymous Coward

          Re: You can't trust anybody

          This is called HSTS...all certificate errors are fatal, they can't click through. Again, sadly lacking in today's websites...

      2. Charles 9 Silver badge

        Re: You can't trust anybody

        Trouble is, there's no real alternative that can't ALSO be subverted by a determined or well-backed adversary.

        1. Lee D Silver badge

          Re: You can't trust anybody

          There's no reason that website's can't crytographically sign a message in DNS that tells you what CA's are valid for them.

          In fact there are protocols for exactly that.

          Done properly, even the people who control DNS can't interfere (they can only "break" the chain, which is obviously visible).

          But nobody has ever sat down and fixed email either, and that's much more important.

          1. Charles 9 Silver badge

            Re: You can't trust anybody

            "There's no reason that website's can't crytographically sign a message in DNS that tells you what CA's are valid for them."

            Yes there is. A determined adversary can still pose as you by stealing your key OR usurp your identity before you have a chance to establish it.

            1. Jon 37
              Boffin

              Re: You can't trust anybody

              @Charles 9: In theory, those attacks don't work, because the standard for certificates-in-DNS (DANE) requires DNSSEC, which digitally signs all the DNS responses. Which basically means that Verisign becomes the CA for all .com domains, Nominet for all UK domains, etc.

              You can read more about DANE here:

              https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

              However, there are problems with DANE and DNSSEC:

              https://www.imperialviolet.org/2015/01/17/notdane.html

              1. JamesSmith1

                Re: You can't trust anybody

                @Jon37: but to work with most browsers you need to install a plug-in to have DANE, afaik https://chrome.google.com/webstore/detail/dnssec-validator/feijekkdahhnjbhpiffgejphmokchdbo

                https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities#Support

            2. Paul Crawford Silver badge

              Re: You can't trust anybody

              You will never stop a SUFFICIENTLY determined and well funded advisory. But the current system is routinely screwed up by incompetence (here), or by a local CA being leaned upon or hacked by a government (see http://www.theregister.co.uk/2011/09/09/gmail_diginotar_security_alert/ for example).

              1. Charles 9 Silver badge

                Re: You can't trust anybody

                "...or by a local CA being leaned upon or hacked by a government"

                That's PRECISELY the part I'm talking about. No DANE or whatever can fix that because they'll just go straight to the top. What's to say the US isn't ALREADY chummy with Verisign?

        2. Anonymous Coward
          Anonymous Coward

          Re: You can't trust anybody

          The whole system is fucked. You are -of necessity- giving a foreign company access to your encryption and I don't believe any of them can be trusted. The only certificate I would even have the vaguest of faith in is one I'd issued myself and you can't do that because browsers crap themselves and splatter warnings all over the place. Also nobody else would trust it.

          And talking of trust, you hear the various security agencies whine about Telegram and WhatsApp all the time, yet I've never heard a peep out of them about HTTPS. It seems reasonable to assume that is because HTTPS is not a problem for them.

      3. cd

        Re: You can't trust anybody

        If I start out with a fresh install, Seamonkey warns me about my own shared server account and tries to prevent me from loading the cPanel login. I know I'm at the correct URL, after logging in it works, but I have to go through contortions to get there.

        Perhaps the warnings are justified and my host sucks, but all of their other behaviors seem sanitary. It's no wonder that many people just click through. Most messages are gibberish to a user, despite how we feel they are clear. More work needs to be done in this area so that users can learn more than merely how to get around them warnings.

        Looking around, I found this plugin, it installed on an Aurora-build Seamonkey and works, in the sense that I now have lots of pop-ups... https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

        1. Charles 9 Silver badge

          Re: You can't trust anybody

          "Perhaps the warnings are justified and my host sucks, but all of their other behaviors seem sanitary. It's no wonder that many people just click through. Most messages are gibberish to a user, despite how we feel they are clear. More work needs to be done in this area so that users can learn more than merely how to get around them warnings."

          You assume people are capable of learning. Many simply lack the aptitude yet expect to be able to get on with their lives without they or their loved ones being suckered.

          1. Danny 14

            Re: You can't trust anybody

            There is only so much tinfoil ypu can put on your head. I trust DANE cert calls more than a random Chinese CA.

            1. Anonymous Coward
              Anonymous Coward

              Re: You can't trust anybody

              I don't trust anybody. And at least the Chinese guys have to hire a translator and take interest in something that's happening a continent away.

              I don't do anything especially confidential; but if I did you can be absolutely fucking sure an established CA authority would be no part of it.

            2. Charles 9 Silver badge

              Re: You can't trust anybody

              "There is only so much tinfoil ypu can put on your head. I trust DANE cert calls more than a random Chinese CA."

              I don't trust metal foil. They work as ANTENNAE, and we already KNOW the US is ACTIVELY trying to subvert secure communications. Having chums within the likes of Verisign would be NORMAL for them.

        2. Karl Austin

          Re: You can't trust anybody

          Yes they do suck if they've not secured their control panel login pages with a CA signed SSL.

  2. Paul

    Am I the only person who goes through the list of CAs in my browsers and removes most of them?

    Though I admit, I don't do that nearly as often as I should.

    1. Ken Hagan Gold badge

      "Am I the only person..."

      I doubt it. I don't, but reading this article makes me wonder if I should delete *all* the trusted roots (because that's an easy policy to follow) and then treat every site as an exception. Has anyone out there tried this? Is it practical (especially with more and more sites switching to https by default)? Is there an option in the browser to "dis-trust everyone" (so that I don't have to keep emptying my trusted roots)?

    2. Anonymous Coward
      Anonymous Coward

      but doesn't your OS just add them back when you are not looking?

      here's a guide to stop that happening

      https://certsimple.com/blog/control-the-ssl-cas-your-browser-trusts

      [someone]once remarked that commercial certificate authorities could be expected to “protect you from anywhere from whom they are unwilling to take money”. This indictment of the certificate authority system stems from the observation that CAs are paid per certificate issued, and, more broadly, that certificate purchasers, not relying parties, are the CAs' direct customers.. . .

      [The] EFF's SSL Observatory has been assembling a large public database that examines how certificates are used in practice on the web. Even at a first glance, data from the Observatory shows that many CAs have continued to issue certificates that are problematic in several ways, including short subject key lengths, continued use of weak or compromised subject keys, and issuing certificates for private or non-fully-qualified domain names. Unfortunately, CAs advised of such problems have not always acted expeditiously to notify subscribers or revoke these certificates.

      it might slowly be getting better. . . ?

    3. Dan 55 Silver badge
      Unhappy

      Browser certificate user interfaces are atrocious, they hasn't changed in about two decades. They should...

      - have a list of favourite CAs you might want easy access to temporarily (dis)enable

      - be able to show CAs in a tree view by continent and country so you can disable everything inside a selected branch because you're never going to be interested in them and they'll only be a cause of security problems

      And that's off the top of my head.

      1. Anonymous Coward
        Anonymous Coward

        > be able to show CAs in a tree view by continent and country so you can disable everything inside a selected branch because you're never going to be interested in them

        Frankly, that is a remarkably stupid idea. Everyone would end up with the US enabled plus perhaps one or two other countries, effectively turning the SSL industry into more of a US controlled business than it already is. And I think we are all aware of how much we can trust the CAs in the face of a "sufficiently persuasive" party, able to do a lot more damage to trade, industry, and society, than some random bloke occasionally blagging a couple certs for a domain or two.

        1. Danny 14

          Android does have one neat trick. It forces you to add security to your device when you add a custom (domain CA in our case) cert. Sick of seeing peoples phones without even basic security.

    4. Anonymous Coward
      Anonymous Coward

      > Am I the only person who goes through the list of CAs in my browsers and removes most of them?

      No.

      Be aware that when you do the same in Android, the fucker doesn't seem to have a specific error code for "couldn't validate the certificate on this TLS connection I was trying to make" so expect seemingly random errors from various applications. If that happens, find out where the application is trying to connect to, who signed their certs, and re-enable that particular CA (or stop using the application).

  3. Adam 1

    Removal instructions for Wosign CA please. Android + Windows

    Asserting ownership of a given CN is the one and only job of a CA. If they can't do that properly, their public keys are of no use to me.

    1. Ken Hagan Gold badge

      Going further, we have a collection of "Trusted Roots" but do we also need a collection of "Dis-trusted Roots"? Simply removing a CA from the former list means that its certificates will show up as someone the browser hasn't heard of, but that's nothing like as alarming as "I've heard of them and they are rubbish.".

      If memory serves, Windows has a "Revoked" list for actual certificates, but no equivalent list for authorities. (Happy to be told I'm wrong on this count.)

    2. Anonymous Coward
      Anonymous Coward

      Re: Adam1

      https://certsimple.com/blog/control-the-ssl-cas-your-browser-trusts

      this page from last year showed that adjusting Android's 'trust' is very easy, whilst Windows takes some effort

      CA/BF (certificate authority & browser forum) has attracted comments like this (from 2012)

      First, the Forum includes no representatives from the public or from CAs' customers--these are commonly referred to by CAs as "Relying Parties" and "Subscribers," respectively. This is troubling, given that these are the entities that are most at risk from poor policies or practices. Second, the Forum conducts its business largely in secret, with little public transparency into the process by which policies are developed and implemented. While there may be benefits to keeping some security vulnerability information private for short amounts of time, there is no compelling reason to do most of the Forum's work in private.

      I have met people who work with the CA/BF, and I would quite like something better!

      That seems to be 'not yet available' perhaps deliberately? - after all what could possibly be wrong with a system designed (and mostly stuck in) 1995 levels of 'security' & 'trust'

      1. Charles 9 Silver badge

        "That seems to be 'not yet available' perhaps deliberately? - after all what could possibly be wrong with a system designed (and mostly stuck in) 1995 levels of 'security' & 'trust'"

        You have to follow that up with "compared to anything else on offer". Then you find yourself caught in a First Contact Problem. Meaning there's no practical solution.

      2. Adam 1

        Done. Thanks

        1. Danny 14

          Windows will let you add disallowed 'CA trusted root' thereby not utilising a CA. Im not sure in Linux but i bet you can do something similar. The beauty of using disallowed is that it doeant matter if an update changes a CA if it is disallowed.

  4. Pascal Monett Silver badge

    "the company would 'do better'"

    Of course they will.

    They can't do any worse.

    1. Doctor Syntax Silver badge

      Re: "the company would 'do better'"

      "They can't do any worse."

      Unfortunately it's a ternary choice. Continue to do as badly remains an option.

    2. Stoneshop Silver badge
      Windows

      Re: "the company would 'do better'"

      They can't do any worse.

      They can, though they might need to hire external "expertise" to achieve "better" results.

      1. Version 1.0 Silver badge

        Re: "the company would 'do better'"

        It would be interesting to see how many other similar certificates they have issued ...

  5. Your alien overlord - fear me

    And if you check their own website certificate

    Chrome says they use the obsolete TLS 1.2 for connections. Surely as a CA they should do better?

    1. Dan 55 Silver badge

      Re: And if you check their own website certificate

      TLS 1.2 may be obsolete but it's the best we have at the moment unless you mean they should be using an experimental protocol.

  6. Anonymous Coward
    Anonymous Coward

    Commerce screwing up a decent system?

    I think the main problems are caused by the commerce sections. Because let's be realistic here: the best you can hope for with HTTPS is that the contents of the website you're visiting is encrypted and this would block 3rd party listeners. Here is step one where the commerce ruined things: advertisements. Because those are highly important and should be included, who cares if you end up with a website which mixes encrypted with unencrypted data? Fortunately my browser cares and blocks all of that by default.

    And then you got companies which suddenly tried to sell "identities": using HTTPS for something it was never really intended for: to put (theoretical) trust in a domain name where the browser would show you that whatever you're visiting is really "real".

    But in the end the one thing which really matters is that the data between the webserver and the visitor gets encrypted. And many people seem to forget all about that.

    1. Charles 9 Silver badge

      Re: Commerce screwing up a decent system?

      No, the REAL real problem is that the connection is getting subverted OUTSIDE the encryption envelope. What good is a secure connection if the SERVER is hacked? What good is a certificate if it can be duped? What good is your end if it was previously pwned and can therefore read everything in the clear because it MUST be decrypted to be visible?

      Worst part is that this trust issue is not a problem technology can solve. It's pretty much entirely a HUMAN thing, and we're at the point we can't trust ANYONE anymore (including OURSELVES).

  7. Anonymous Coward
    Anonymous Coward

    If only...

    ...there was a technology to check a certificate hash against an entry in domain's DNS record.

    1. Charles 9 Silver badge

      Re: If only...

      Anyone worth their salt can get a fake record into the DNS, either through sovereign power or by social engineering.

      1. Anonymous Coward
        Anonymous Coward

        Re: If only...

        > Anyone worth their salt can get a fake record into the DNS, either through sovereign power or by social engineering.

        As I understand, easiest way remains DNS hijacking.

        1. Anonymous Coward
          Anonymous Coward

          Re: If only...

          Getting a certificate issued incorrectly... maybe... Hijacking DNS TLSA entries without people noticing... maybe - although you don't hear of too many web sites being taken off the net this way...

          Both at the same time? Sure it's conceivable, but at least you're in serious attacker space now, rather than oopsie territory. Those are two completely separate sources of identity information...

          1. Charles 9 Silver badge

            Re: If only...

            "Both at the same time? Sure it's conceivable, but at least you're in serious attacker space now,"

            But given what we've been hearing lately, quite probably already in action.

  8. GrapeBunch

    The long road out of this valley.

    Remember the programs that would import bookmarks from all your browsers and then export a combined list to any of them? They've been partly superseded by in-browser facilities that store your bookmarks in the cloud. Neither solution has been ideal. I wonder if we can't expand the original concept to import and export CAs and heck, anything your browser or OS has a list of, with fine filtering capability (for example, I don't want bookmark X to appear in browser Y because it doesn't properly render X's pages; or I don't want bookmark Z to appear when my device is connected to a less than 100% trusted WiFi; or I want my Windows computers to NUL any transmission to certain IPs, but on an Android machine that would be irrelevant; I don't want CA W to be trusted on the machine where I do my banking ...). Would such a thing be a good foss-project?

    The thought of each user editing his CA list, separately in each browser, on each device, is a forlorn one. What you want is to be able to import a list from somebody that you (really) trust, while maintaining whatever distinctions you've already made. At the same time, I understand why browsers would not want your CA list to be easily editable. They don't want malware to be able to get at it.

    Another possible collaborative project is a single program that would update tags in your images, audio, video, and ... files, rather than four or more separate programs. Same sort of concept, just no security-consciousness required. Thank you for reading this naïve overview.

    1. Charles 9 Silver badge

      Re: The long road out of this valley.

      "What you want is to be able to import a list from somebody that you (really) trust,"

      And therein lies your problem. ANYONE you could potentially trust for this could easily be doubled without your knowledge. That's the big problem with First Contact: there's no possible way to fully vet a total stranger because you simply don't know anything about him or her outside your own context, and ANY knowledge you could obtain from third parties could just as likely be faked.

      PS. As for tagging, the reason they're separate is because the standards update independently. Any program that tried to do everything gets into a problem when one of the standards updates separately from the rest: possibly in a conflicting way.

  9. Anonymous Coward
    Anonymous Coward

    A far bigger issue....

    ... are CAs that allow HTTP based domain control validation.

    Imagine an every day situation for many 1000s of sites:

    - Running Wordpress

    - Gets hacked, hackers place files on the server

    - Oh look, one of those files in a DCV file.

    I've now just confirmed I control your domain and got a cert issued with a CSR I generated and control the private key file for. I can now use that cert and do whatever I need to do to direct people to my server not yours.

  10. aberglas

    Secure remote password is the answer

    The only good thing about PKI is that it allows Verisign et al make money selling certs. And the NSA to subvert them.

    The biggest hole is that it relies on end users validating URLs, which does not happens.

    Secure remote password is the answer.

    https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

    Or even the simple Nonce/Digest approach built into every browser since Navigator would help.

    1. Charles 9 Silver badge

      Re: Secure remote password is the answer

      No, because it relies on prior knowledge to work, useless in a First Contact scenario. And any remote attempt to pass a shared key during First Contact, Eve or Mallory could intercept.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020