A Chinese firm has apparently been undermining Internet security by issuing weak and improperly validated web security certificates (the credentials that make the lock appear next to a website address, telling users the connection is encrypted and that the site holds a certificate for that domain), among other big issues.
Researchers at Mozilla put together a lengthy technical analysis of their findings, which alleges that Shenzhen-based WoSign was handing out certificates for websites to people who had no business getting them, and backdating the issuance date of other certificates to get around an industry deadline.
WoSign is a certificate authority, which means browsers trust it to issue valid credentials to website owners so their visitors can know they are talking to the real site. When you visit a website like Amazon, for example, you'll see a lock next to the web address which you can click and examine. The certificate ties the domain name to the site's public key; once the browser has checked it, data moves back and forth through an encrypted tunnel, so outsiders can't eavesdrop on or intercept it.
Without it, credit cards, personal information, and whatever else can possibly be intercepted. Or, if a hacker were able to obtain a valid certificate for a website like Amazon and get between a user and the site (on a compromised Wi-Fi network, say), they could conduct a man-in-the-middle attack, reading or modifying data from a user before it reaches the server, without the browser raising any warning.
And that's exactly what a systems administrator at the University of Central Florida found.
Late last month, Stephen Schrauger wrote a blog post about how he was able to obtain an SSL certificate for the domain github.com, the super popular code-sharing website used by millions of developers. Needless to say, Schrauger does not own github.com.
"WoSign signed my certificate, and lo and behold, I had a certificate that was valid for github.com, github.io, www.github.io, schrauger.github.com, and schrauger.github.io," he wrote. "I set up a test website on my local machine that responded to GitHub's domains. I loaded the site, saw that the location was https://github.com, and the browser said my connection was encrypted by a valid certificate signed by WoSign."
It's common practice for certificate authorities (CAs) to verify that someone controls a website by giving them a file to upload. The domain administrator places the file on their web server at a path the CA specifies, the CA fetches it and sees it is there, and presto, the CA knows the person controls that hostname. And that's what Schrauger did for his subdomain on GitHub, schrauger.github.com.
But WoSign wasn't distinguishing between a subdomain and the main domain: proving control of schrauger.github.com was accepted as proof of control of github.com itself. So basically anyone with a subdomain could get a valid certificate for the parent domain. Just think of the possibilities: all you'd need to prove is ownership of yourdomain.tumblr.com and you could get a certificate for tumblr.com and mess with people on Tumblr, for example.
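The decision at the heart of this failure is a simple one: after one file-upload validation, which of the names in a certificate request has the requester actually proved control of? The following is an added example written for this article, not code from WoSign, Mozilla or Schrauger's post. It puts the over-broad rule that reproduces the github.com result next to the strict rule a CA should apply. The label handling and the "last two labels are the domain" shortcut are deliberate simplifications (they ignore the Public Suffix List), and the validated and requested names are constructed to mirror Schrauger's test.

```python
# Added example by the editor, not code from WoSign, Mozilla or Schrauger's post.
# It models the decision a CA makes after one HTTP file-upload validation:
# which requested names does that proof cover? The over-broad rule reproduces
# the GitHub result from the article; the strict rule is the check a CA should
# make. Label handling and the "two-label base domain" shortcut are deliberate
# simplifications for illustration (they ignore the Public Suffix List).
from typing import Callable, List


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, dropping any trailing dot."""
    return name.lower().rstrip(".").split(".")


def naive_base_domain(name: str) -> str:
    """Over-broad shortcut: the last two labels are taken as 'the domain'.
    (Wrong for multi-label public suffixes such as co.uk or github.io.)"""
    return ".".join(labels(name)[-2:])


def authorized_broken(validated: str, requested: str) -> bool:
    """Flawed rule: control of ANY host under a base domain is treated as
    control of the whole domain, so validating schrauger.github.com also
    authorizes github.com and every other *.github.com."""
    return naive_base_domain(validated) == naive_base_domain(requested)


def authorized_strict(validated: str, requested: str) -> bool:
    """Sound rule: the requested name must be the validated name itself or lie
    below it in the DNS tree. Control of a child name never proves control of
    its parent or of sibling names. Comparing whole labels (not string
    suffixes) also stops notschrauger.github.com from matching."""
    v, r = labels(validated), labels(requested)
    return len(r) >= len(v) and r[len(r) - len(v):] == v


def issuable_names(validated: List[str], requested: List[str],
                   rule: Callable[[str, str], bool]) -> List[str]:
    """Names from a certificate request that `rule` would let the CA sign,
    given the names the requester has actually proved control of."""
    return [r for r in requested if any(rule(v, r) for v in validated)]


# Constructed inputs mirroring Schrauger's test: he proved control of two
# subdomains, then asked for the parent domains as well.
VALIDATED = ["schrauger.github.com", "schrauger.github.io"]
REQUESTED = ["github.com", "www.github.com", "schrauger.github.com",
             "www.schrauger.github.com", "github.io", "schrauger.github.io"]

if __name__ == "__main__":
    print("broken rule signs:", issuable_names(VALIDATED, REQUESTED, authorized_broken))
    print("strict rule signs:", issuable_names(VALIDATED, REQUESTED, authorized_strict))
```

Under the broken rule every requested name is signed, including github.com and github.io; under the strict rule only schrauger.github.com, its own subdomains and schrauger.github.io survive. A real CA would additionally consult the Public Suffix List so that a name like github.io, which is itself a public suffix, is never issuable at all.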
It gets worse
According to Mozilla, WoSign was also backdating certificates that offered much weaker security, even though most Internet companies have agreed to phase them out. Those certificates were signed using the SHA-1 hash algorithm (a signature hash, not encryption), which is being phased out in favor of the much stronger SHA-256.
This matters because major web browsers will stop accepting SHA-1 certificates from websites next year. As part of the phaseout, browser makers like Mozilla have forbidden CAs from issuing new SHA-1 certificates dated on or after Jan. 1, 2016.
But WoSign found a workaround: backdating these weak certificates so they appeared to have been issued before that date. And Mozilla is not happy.
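A root program, a certificate-transparency monitor or a CA's own auditor can mechanically check the SHA-1 policy described above, and can also catch the pattern backdating leaves behind: a certificate cannot have been public before it existed, so a SHA-1 certificate claiming a December 2015 start date that first surfaces months later deserves a hard look. The following is an added example written for this article, not Mozilla's analysis tooling. The record fields are the ones any X.509 parser exposes (for example the output of openssl x509 -noout -text), the sample certificates are constructed for illustration and are not real WoSign certificates, and the "first seen well after the deadline" signal is an assumption of this example, a triage heuristic rather than the evidence Mozilla relied on.

```python
# Added example by the editor, not Mozilla's analysis tooling. It applies the
# SHA-1 issuance policy described above to certificate records and flags the
# pattern that backdating produces. Inputs are fields any X.509 parser exposes
# (for example `openssl x509 -noout -text`); the records below are constructed
# for illustration, not real WoSign certificates. The backdating signal used
# here (a SHA-1 certificate claiming a pre-deadline notBefore that first shows
# up in public only well after the deadline) is an illustrative heuristic and
# an assumption of this example, not the method Mozilla used.
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional

SHA1_ISSUANCE_DEADLINE = date(2016, 1, 1)  # no new SHA-1 certificates on or after this
GRACE_DAYS = 7  # assumption: a genuine certificate normally appears in logs within a week


class CertRecord(NamedTuple):
    subject: str
    signature_algorithm: str    # as printed by the parser, e.g. sha1WithRSAEncryption
    not_before: date            # validity start the certificate itself claims
    first_seen: Optional[date]  # earliest public sighting (CT log, scanner); None if unknown


def uses_sha1(signature_algorithm: str) -> bool:
    """True for sha1WithRSAEncryption, ecdsa-with-SHA1 and similar spellings."""
    return "sha1" in signature_algorithm.lower()


def classify(cert: CertRecord) -> str:
    """Return one of: ok, legacy, violation, suspect-backdated."""
    if not uses_sha1(cert.signature_algorithm):
        return "ok"
    if cert.not_before >= SHA1_ISSUANCE_DEADLINE:
        return "violation"  # openly issued after the cut-off
    # notBefore predates the deadline; decide whether that date is believable.
    if (cert.first_seen is not None
            and cert.first_seen >= SHA1_ISSUANCE_DEADLINE
            and cert.first_seen - cert.not_before > timedelta(days=GRACE_DAYS)):
        return "suspect-backdated"
    return "legacy"


def audit(certs: List[CertRecord]) -> Dict[str, List[str]]:
    """Group subjects by verdict so an auditor can review each problem class."""
    report: Dict[str, List[str]] = {}
    for cert in certs:
        report.setdefault(classify(cert), []).append(cert.subject)
    return report


# Constructed sample inventory (not real certificates).
SAMPLE_CERTS = [
    CertRecord("modern.example", "sha256WithRSAEncryption", date(2016, 3, 1), date(2016, 3, 1)),
    CertRecord("legacy.example", "sha1WithRSAEncryption", date(2015, 6, 1), date(2015, 6, 2)),
    CertRecord("late.example", "sha1WithRSAEncryption", date(2016, 2, 10), date(2016, 2, 10)),
    CertRecord("backdated.example", "sha1WithRSAEncryption", date(2015, 12, 20), date(2016, 3, 15)),
    CertRecord("unseen.example", "ecdsa-with-SHA1", date(2015, 12, 20), None),
]

if __name__ == "__main__":
    for verdict, subjects in sorted(audit(SAMPLE_CERTS).items()):
        print(f"{verdict:18} {', '.join(subjects)}")
```

In practice the first-seen date would come from certificate-transparency logs or a scanning service, and a certificate with no public sighting at all (the "unseen" record) can only be classed as legacy, which is exactly why the policy relies on CAs logging and disclosing what they issue rather than on outside observers catching them.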
"Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust," Mozilla researchers wrote in their analysis. "We believe that the behavior documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market."
Further, WoSign didn't disclose that it had acquired a rival CA called StartCom, according to Mozilla, despite disclosure of such a change of ownership being a requirement for CAs.
"This is a huge no-no. Breaks trust in anything from that authority. And the evidence is incredibly strong, based on brilliant tech analysis."
― Anil Dash (@anildash) September 28, 2016
Besides its long list of problems with WoSign and StartCom, Mozilla also called out WoSign's auditors, Ernst & Young in Hong Kong, which it said "failed to detect multiple issues they should have detected."
Mozilla is considering a year-long ban on WoSign, and it's very likely that other browser makers will also consider such a move.
A Google spokesperson told Ars Technica on Monday that the company was investigating the matter. (Google declined to comment further to Business Insider.) WoSign also did not respond to a request for comment.