If I understand certificate transparency correctly, StartCom's actions will be fully and publicly auditable, in real time.
This means one vector of attack : Chinese government requesting google.com certificate from them, and MITMing it's citizen would not be possible. To any CT experts: is my assessment correct?
One, it's notice of attack, not prevention of attack. StartCom (or an attacker in possession of their private key) can issue a perfectly valid google.com certificate, it's just going to be visible to the world that that's what happened.
Two, while Google is presumably watching CT logs for google.com certificate issuances, I'm certainly not watching my personal website. I suspect most people aren't, so they could probably get away with issuing e.g. a shadowsocks.org certificate and have a few days of successful attack before anyone notices. This is probably not what you want for dragnet surveillance, but it's great for an attack against an individual (whether conducted by a government or just some private party).
So yes, the state of the world is quite a bit better than it was before CT, but adding CAs remains a risk. They're only worth adding if there's a reason to do it. (StartCom's free certificates used to be a really good reason.)
There are various free services that will email you whenever a cert for one of your domains shows up in the CT logs. It's a good idea to sign up for one. (It would be an even better idea for domain registrars to automatically sign you up for one.) Here's one that Facebook operates: https://developers.facebook.com/tools/ct/
Startcom was a previously-independent and reputable company until it was acquired by WoSign, so I might be willing to give them another shot, assuming they can scrub themselves of any lingering effect of WoSign's scummy practices.
You misunderstand me. I know that WoSign is crap. I would not ever trust WoSign again.
My point is that Startcom seemed decent until they were acquired by WoSign and started adopting their shady practices. If they are completely disentangled from WoSign, I might be willing to trust them again.
To be fair to the parent comment, your original comment as it is written says the exact opposite; that you'd be willing to trust them due to the acquisition.
Startcom was crap long before then. Rather infamously, they made people cough up $25 per cert to revoke heartbleed-compromised ones (when a simple freaking re-key fixes the problem and was supported by most reputable CAs)
Startcom is just a name now, unfortunately. Neither the infrastructure nor employees were retained. Eddy Nigg is no longer involved, and all the Israeli employees were laid off when WoSign bought them.
> What's the benefit for Firefox users of including StartCom?
I think there is some benefit to maintaining a healthy ecosystem of multiple competing, independently operated CAs. The benefits of including StartCom are no different from that of any other CA in that regard.
Aside from that though, not much. Although... wasn't StartCom pretty much the only CA offering free DV certs prior to Let's Encrypt? If they're planning to resume offering that or a similar service, that would certainly be a significant benefit to overall security of the web.
are there any real reasons why we don't have critical
name constraints to countries' TLDs?
The reasoning I've heard is that .cn users' security requirements aren't any lower than .com users' security requirements. i.e. if startcom/Qihoo360 aren't good enough to issue .com, they're not good enough to issue .cn
> Do they have a track record of making trusted CAs misissue certificates?
Probably not. Any CA missisuing certs intentionally (whether by government coercion or not) probably wouldn't remain trusted for long. So if the Chinese government is doing something like that, the public is certainly not aware of it, else there wouldn't be any Chinese CAs left that are still trusted.
That's the beauty of the trust store. The PKI might be a fucked up solution to our trust problem on the internet, but it puts enough pressure against governments to throw them away.
It depends on what you mean by "real security audits." If you want someone to audit your new crypto protocol, probably not. PwC is more about internal control / governance audits. They're making sure financial reporting is done correctly, segregation of duties are enforced within the organization, record retention policies are documented and enforced. Less technical, more organizational / meatspace. PwC is the sort of auditor that would find out that a company has a beneficial owner that's connected to a high ranking political figure in China... stuff like that. And I think they're pretty good at it.
> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management has also changed.
> b.- There´re no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.
> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There´s no in-house development for PKI
> d.- All StartCom servers are under Qihoo 360 premises in different locations, in China and US.
> e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.
They go to great lengths to make sure everything has changed and nothing is like it was before. Why not just take the final step and drop the (quite tainted) name "StartCom" and apply as Qihoo360 CA or whatever?
Qihoo360 isn't a reputable name either. Might be trying to avoid anybody who might recognise the name, and going for the "phoenix rises from the ashes" to reinvigorate StartCOM, whilst avoiding Qihoo360 from further tainting it in future.
> a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management has also changed.
> b.- There´re no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.
This made me laugh, LoL.
For those don't know much about Qihoo 360, it's an infamously unethical company. Its flagship antivirus software behaved like a virus, which is very difficult for non-pro computer users to remove. It sneakily "deployed" its so called security guard software to many innocent users' computers meanwhile actually behaving like a backdoor, leaking user data not like a sieve, but a pipe. It's not uncommon to see a tip upon Windows startup telling things like "Your computer boots faster than 90% users in the country", tricking the users to take some "proudness" from it.
Don't just believe me, go check the Controversies section of its Wikipedia page [0], and do yourself some research. Say the previous StartCom owner China Unicom is an amateur hacker, then Qihoo 360 is a pro, but a much more evil one.
Is there an extension like Noscript, but for CA certificates? In the same way which Noscript blocks JavaScript by default, but allows me to gradually build a whitelist of domains which I agree to run JavaScript from, is there an extension which doesn't trust any of the included CAs by default, and allows me to gradually enable CA certificates over time, so that my trust store is composed mainly of easy-to-trust CAs like Let's Encrypt and doesn't include dodgy CAs operating out of China?
Not if you remove certs from your browser trust store. If I understand correctly a browser has no obligation to follow your OS trust store. If someone here knows, what browser actually trust OS certificates in addition to its own trust store?
Off topic, but because this is becoming a hobbyhorse of mine, from the Cure53 report:
In conclusion, it is evident that the time between the two rounds of testing and since the
assessment concluded was well-spent by the StartCom maintainers. The overall leap in the
state of security is considerable and very much praiseworthy. At present, the ultimate
improvement stems from solid dedication to fixing the reported problems appropriately and in a
manner that prevents recurrence. As two most important arguments, it can be noted that the
numbers of bugs decrease significantly and that the vast majority of the previously spotted
issues has been addressed correctly. The current tendency towards improvement can be read
as a good sign. With each passing month, dedication to security appears to grow and positively
affect the StartSSL compound.
This kind of language drives me crazy. I don't want to single out Cure53 here because I think a lot of firms deliver this kind of stuff. I know iSEC and Matasano did. But not only do I not believe that software security firms are really qualified, after spending a few weeks looking at a project, to evaluate the true quality standards of a dev team, but I also think it's an enormous conflict of interest.
It's not the assessor's job to determine whether StartCom is "praiseworthy" or whether their time was "well-spent" or even to provide a trend line. Their job is to find bugs, recommend fixes, and verify those fixes.
I'll go even further and say, I don't think software security firms should be writing these kinds of reports at all. Rather, they should authorize their clients to publish their technical reports, which should keep the editorializing dialed way down.
I did this kind of consulting work for over 10 years and I can confidently report that no matter what your standards and principles are, as an assessor you have a lot of wiggle room to report findings positively or negatively (or not at all). When the only audience for your report is your client, that doesn't matter so much, as long as you (1) found bugs and (2) they got fixed. But when the audience is the broader public, I think it matters a great deal how things are reported, and the safest way to do that is denuded of all subjectivity.
51 comments
[ 3.7 ms ] story [ 114 ms ] threadPersonally, not sure how I feel about this, I'll continue to remove startcom from FF if it's still included.
[0] https://bugzilla.mozilla.org/show_bug.cgi?id=994478 [1] https://blog.mozilla.org/security/2016/10/24/distrusting-new...
That's also my first reaction to startcom. Reading it however it seems they've come a long way since the removal.
I'm not sure if I will again trust this CA again - time will learn if they're still using sneaky practices. But they seem to be doing better now.
This means one vector of attack : Chinese government requesting google.com certificate from them, and MITMing it's citizen would not be possible. To any CT experts: is my assessment correct?
Two, while Google is presumably watching CT logs for google.com certificate issuances, I'm certainly not watching my personal website. I suspect most people aren't, so they could probably get away with issuing e.g. a shadowsocks.org certificate and have a few days of successful attack before anyone notices. This is probably not what you want for dragnet surveillance, but it's great for an attack against an individual (whether conducted by a government or just some private party).
So yes, the state of the world is quite a bit better than it was before CT, but adding CAs remains a risk. They're only worth adding if there's a reason to do it. (StartCom's free certificates used to be a really good reason.)
My point is that Startcom seemed decent until they were acquired by WoSign and started adopting their shady practices. If they are completely disentangled from WoSign, I might be willing to trust them again.
The way I feel about "trusted" certificate authorities that fell way short of the required standard: You had one job.
I think there is some benefit to maintaining a healthy ecosystem of multiple competing, independently operated CAs. The benefits of including StartCom are no different from that of any other CA in that regard.
Aside from that though, not much. Although... wasn't StartCom pretty much the only CA offering free DV certs prior to Let's Encrypt? If they're planning to resume offering that or a similar service, that would certainly be a significant benefit to overall security of the web.
Is PwC any good for real security audits?
> StartCom hired Cure53 as suggested by Mozilla
Does that mean the report will be public? That's what Cure53 tend to do.
> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There´s no in-house development for PKI
After acquisition it is now in-house...
> e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.
This sounds like they're in need of a real webapp audit
Another question: are there any real reasons why we don't have critical name constraints to countries' TLDs?
https://bugzilla.mozilla.org/attachment.cgi?id=8886970
I'm also curious as to how the Chinese government plays into all this. Do they have a track record of making trusted CAs misissue certificates?
Probably not. Any CA missisuing certs intentionally (whether by government coercion or not) probably wouldn't remain trusted for long. So if the Chinese government is doing something like that, the public is certainly not aware of it, else there wouldn't be any Chinese CAs left that are still trusted.
It depends on what you mean by "real security audits." If you want someone to audit your new crypto protocol, probably not. PwC is more about internal control / governance audits. They're making sure financial reporting is done correctly, segregation of duties are enforced within the organization, record retention policies are documented and enforced. Less technical, more organizational / meatspace. PwC is the sort of auditor that would find out that a company has a beneficial owner that's connected to a high ranking political figure in China... stuff like that. And I think they're pretty good at it.
http://www.webtrust.org/licensed-webtrust-practitioners-inte...
http://www.webtrust.org/homepage-documents/item54279.pdf
and say, a typical CPS
https://www.digicert.com/wp-content/uploads/2017/01/DigiCert...
They do an audit to check if all practices and procedures follow these guidelines.
I first parsed this differently, too, but I think they just bought some software for PKI services, not the software company.
> b.- There´re no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.
> c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There´s no in-house development for PKI
> d.- All StartCom servers are under Qihoo 360 premises in different locations, in China and US.
> e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.
They go to great lengths to make sure everything has changed and nothing is like it was before. Why not just take the final step and drop the (quite tainted) name "StartCom" and apply as Qihoo360 CA or whatever?
> b.- There´re no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.
This made me laugh, LoL.
For those don't know much about Qihoo 360, it's an infamously unethical company. Its flagship antivirus software behaved like a virus, which is very difficult for non-pro computer users to remove. It sneakily "deployed" its so called security guard software to many innocent users' computers meanwhile actually behaving like a backdoor, leaking user data not like a sieve, but a pipe. It's not uncommon to see a tip upon Windows startup telling things like "Your computer boots faster than 90% users in the country", tricking the users to take some "proudness" from it.
Don't just believe me, go check the Controversies section of its Wikipedia page [0], and do yourself some research. Say the previous StartCom owner China Unicom is an amateur hacker, then Qihoo 360 is a pro, but a much more evil one.
[0] https://en.wikipedia.org/wiki/Qihoo_360#Controversies
In conclusion, it is evident that the time between the two rounds of testing and since the assessment concluded was well-spent by the StartCom maintainers. The overall leap in the state of security is considerable and very much praiseworthy. At present, the ultimate improvement stems from solid dedication to fixing the reported problems appropriately and in a manner that prevents recurrence. As two most important arguments, it can be noted that the numbers of bugs decrease significantly and that the vast majority of the previously spotted issues has been addressed correctly. The current tendency towards improvement can be read as a good sign. With each passing month, dedication to security appears to grow and positively affect the StartSSL compound.
This kind of language drives me crazy. I don't want to single out Cure53 here because I think a lot of firms deliver this kind of stuff. I know iSEC and Matasano did. But not only do I not believe that software security firms are really qualified, after spending a few weeks looking at a project, to evaluate the true quality standards of a dev team, but I also think it's an enormous conflict of interest.
It's not the assessor's job to determine whether StartCom is "praiseworthy" or whether their time was "well-spent" or even to provide a trend line. Their job is to find bugs, recommend fixes, and verify those fixes.
I'll go even further and say, I don't think software security firms should be writing these kinds of reports at all. Rather, they should authorize their clients to publish their technical reports, which should keep the editorializing dialed way down.
I did this kind of consulting work for over 10 years and I can confidently report that no matter what your standards and principles are, as an assessor you have a lot of wiggle room to report findings positively or negatively (or not at all). When the only audience for your report is your client, that doesn't matter so much, as long as you (1) found bugs and (2) they got fixed. But when the audience is the broader public, I think it matters a great deal how things are reported, and the safest way to do that is denuded of all subjectivity.