A Chinese firm has apparently been undermining Internet security by issuing weak web security certificates — what makes that lock appear next to a website address that shows users the domain is secure — among other big issues.
Researchers at Mozilla put together a lengthy technical analysis of their find, which alleges that Shenzhen-based WoSign was handing out certificates for websites to people who had no business getting them, or backdating their date of issuance to get around security protocols.
WoSign is a certificate authority, which means it’s trusted to issue valid credentials to website owners so their users can visit their sites and know everything is ok. When you visit a website like Amazon, for example, you’ll see a lock next to the web address which you can click and examine. That certifies to users and website administrators that their data is safely moving back and forth through an encrypted tunnel, so outsiders can’t eavesdrop on or intecept it.
Without it, credit cards, personal information, and whatever else can possibly be intercepted. Or, if a hacker were able to obtain a valid certificate for a website like Amazon, they could conduct a man-in-the-middle attack, potentially modifying data from a user before it reaches the server.
And that’s exactly what a systems administrator at the University of Central Florida found.
Late last month, Stephen Schrauger wrote a blog post about how he was able to obtain an SSL certificate for the domain Github.com — the super popular code-sharing website used by millions of developers. Needless to say, Schrauger does not own Github.com.
“WoSign signed my certificate, and lo and behold, I had a certificate
that was valid for github.com, github.io, www.github.io, schrauger.github.com, and schrauger.github.io,” he wrote. “I set up a test website on my local machine that responded to GitHub’s domains. I loaded the site, saw that the location was https://github.com, and the browser said my connection was encrypted by a valid certificate signed by WoSign.”
It’s common practice for certificate authorities (CA) to verify someone owns a website by giving them a text file to upload. A domain administrator takes the file, uploads it to their server, then the CA looks and sees that file there, and presto, they know the person can be trusted. And that’s what Schrauger did for his subdomain on Github, schrauger.github.com.
But WoSign wasn’t distinguishing between a subdomain and the main one. And Schrauger found that basically anyone with a subdomain could get a valid certificate. Just think of the possibilities: All you’d need to prove is ownership of yourdomain.tumblr.com and you could mess with people on Tumblr, for example.
It gets worse
According to Mozilla, WoSign was also backdating certificates it was issuing that offered super weak security — even though most Internet companies have agreed to phase them out. Those certs used SHA-1 encryption, which is slowly being phased out in favour of the much stronger SHA-256.
This is important, because plenty of web browsers will be banning the use of the SHA-1 by websites next year. As part of the phaseout, browser developers like Mozilla have forbidden CAs from issuing new certificates with the old encryption anytime after Jan. 1, 2016.
But WoSign found a workaround — backdating these weak certs before that date. And Mozilla is not happy.
“Mozilla believes that continued public trust in the correct working of the CA certificate system is vital to the health of the Internet, and we will not hesitate to take steps such as those outlined above to maintain that public trust,” Mozilla researchers wrote in their analysis. “We believe that the behaviour documented here would be unacceptable in any CA, whatever their nationality, business model or position in the market.”
Further, WoSign didn’t report that it acquired a rival CA called StartCom, according to Mozilla — despite that being a requirement for CA’s.
This is a huge no-no. Breaks trust in anything from that authority. And the evidence is incredibly strong, based on brilliant tech analysis.
— Anil Dash (@anildash) September 28, 2016
Besides its huge listing of problems with WoSign and StartCom, Mozilla also called out WoSign’s auditors Ernst & Young in Hong Kong, which it said “failed to detect multiple issues they should have detected.”
Mozilla is considering a year-long ban on WoSign, and it’s very likely that other browsers will also consider such a move.
A Google spokesperson told Ars Technica they were investigating the matter on Monday. (Google declined to comment further to Business Insider.) WoSign also did not respond to a request for comment.
Disclosure: Jeff Bezos is an investor in Business Insider through hispersonal investment company Bezos Expeditions.
NOW WATCH: Turns out LA’s shade balls actually worked
Business Insider Emails & Alerts
Site highlights each day to your inbox.