X.509 broken by design
How many fingers are in that dyke already?
Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program. As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone. In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... …
X.509 is not (now) restricted to a hierarchical PKI model, but that's essentially the only way it's ever been deployed since RFC2459 first made it the basis of the "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" in 1999.
It's a tricky problem working out whether you should trust someone you don't know - it's hard enough working out whether to trust someone you do know - and all the schemes I've seen rely on an introduction through one or more "reputable" third parties (whether they're certificate authorities or mutual acquaintances). All these schemes fall down if the "reputable" party is no such thing. At least in principle you could regulate a commercial identity provider and have legal sanctions against them if they were negligent - the biggest problem seems to be that there is no effective regulation of this critical piece of infrastructure and no real interest in there being any.
"We require that all CAs whose certificates are distributed with our software products notify us when its policies and business practices change in regards to verification procedures for issuing certificates, when the ownership control of the CA’s certificate(s) changes, or when ownership control of the CA’s operations changes."
That's a clear violation. Mozilla claims they have evidence in the public record, confirmed by a lawyer, that WoSign 100% owns StartCom and has since November 2015. Reading through the list, Mozilla has been generous in leaving their certs intact thus far.
More importantly, the lack of audit findings is damning both for WoSign and Ernst & Young (E&Y has a lot more to lose, of course).
I used StartCom about 10 years ago on my first domain. They offered free, low security SSL certs that became trusted by most browsers, eventually, with clear instructions for creation, installation, and maintenance. Essentially, they did what Let's Encrypt is trying to do now, but on a smaller, more commercial scale.
RIP StartCom. You were kind to me in a world full of pay services.
Ah China. The air's poison, the water's poison, the pet food is poison, the milk is poison, the shirts are poison (and burn), the drywall is poison, the century eggs are poison, the booze is poison, even the CERTS are poison.
This seems like something only the ground up penis of an endangered species can fix.
It's strange then, when I go there for a long stay, my extremely rare autoimmune problem gets better; and as soon as I come back to the "clean and green" west, I get bad again.
But yeah, cheating and cutting corners is endemic in Chinese business; they can't even build a bridge without stealing half the foundation concrete and replacing it with bags of household rubbish.
You can, it's just very annoying thanks to the UI. Tools > Options > Advanced > Certificates > View Certificates > Authorities > Delete or Distrust. Only it's impossible to sort the list, order by distrusted authorities, etc...
There must be a better way... an add-on or something.
Someone has to decide for everyone, because site owners need to know that you'll trust their certificate.
If you don't trust a CA then what are you personally going to do about it? All you can do is not use sites that use their certificate (which could be a big pain). If Mozilla don't trust a CA, then they basically put them out of business. That threat alone should encourage CAs to be reputable.
Unless Google, Apple and Microsoft follow, Mozilla stands to lose market share: users want things that "just work" and if Firefox starts giving error messages, they might move to an alternative.
First, an old announcement about problems with SHA-1:
http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/
and secondly a blog posting, now deleted, but still in Bing's cache: try this link to archive.org or search Bing for the text below
https://tyro.com/blog/merchant-security-is-tyros-priority/
Merchant security is Tyro’s priority
Sascha Hess
27/09/2016
To summarise: after a SHA-1 to SHA-2 upgrade, some merchants had obsolete Point of Sale systems that were unable to connect. Tyro "reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge".
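The SHA-1 to SHA-2 cut-over above turns on one field of the certificate: the signatureAlgorithm the CA used when it signed. The following is an added example, not code from the thread or from Tyro or WoSign, that walks the outer DER structure of a certificate with the standard library only and reports that algorithm; the two sample "certificates" are constructed skeletons (the tbsCertificate is a placeholder, not a real signed cert), and the OID table covers only the two RSA variants at issue.

```python
# Added example: read the signatureAlgorithm OID from a DER certificate.
# Assumptions: SIG_OIDS and sample_cert() are constructed here for the demo.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",    # what the old POS units expected
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", # what CAs moved to
}
def der(tag, payload):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload
def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))
def read_tlv(buf, pos=0):
    """Return (tag, payload, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length
def decode_oid(payload):
    """Inverse of encode_oid (first arc 0 or 1 only, which covers these OIDs)."""
    arcs, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(cert_der)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, end = read_tlv(body)             # skip tbsCertificate
    _, alg_body, _ = read_tlv(body, end)   # AlgorithmIdentifier
    _, oid_body, _ = read_tlv(alg_body)    # its algorithm OID
    dotted = decode_oid(oid_body)
    return SIG_OIDS.get(dotted, "unknown:" + dotted)
def sample_cert(sig_oid):
    """Constructed skeleton with a placeholder tbsCertificate and a 128-byte signature."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # AlgorithmIdentifier + NULL
    tbs = der(0x30, der(0x02, b"\x01") + alg)                # serial + inner signature field
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 128))
```

Run `signature_algorithm()` over a real DER file's bytes to see which hash the issuing CA used; anything still reporting sha1WithRSAEncryption is what the obsolete terminals were relying on.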
https://twitter.com/rmhrisk/status/782838192944713728
https://buy.wosign.com/free/?lan=en
Sorry, due to some security consideration,
WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016.