WoSign and letsencrypt.cn (groups.google.com)
206 points by arthur2e5 on Dec 18, 2016 | hide | past | favorite | 60 comments


For those of you who don't read beyond the subject line, here's the meat:

> It seems that wosign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014 after the public announcement of Let's Encrypt.

And here's the whois record:

    $ whois letsencrypt.cn
    Domain Name: letsencrypt.cn
    ROID: 20141120s10001s72911711-cn
    Domain Status: clientTransferProhibited
    Registrant ID: k35-n2041486_00
    Registrant: 深圳市沃通电子商务服务有限公司
    Registrant Contact Email: dns@wosign.com
    Sponsoring Registrar: 厦门三五互联科技股份有限公司
    Name Server: ns3.dns-diy.com
    Name Server: ns4.dns-diy.com
    Registration Time: 2014-11-20 09:57:27
    Expiration Time: 2017-11-20 09:57:27
    DNSSEC: unsigned
Unless they registered those domains to "reserve" them for LetsEncrypt (haha right?), this is pretty blatantly deceptive, or at least they planned to be. Then again not exactly the worst thing they've done in the world of SSL.


> Unless they registered those domains to "reserve" them for LetsEncrypt (haha right?)

Which is exactly what WoSign say they did in that same comment thread after noticing that LetsEncrypt didn't register the Chinese domain names themselves.

They also offer to transfer them to LetsEncrypt at no cost.


Then I'm sure they have a copy of the email they sent to Let's Encrypt the day they registered it, letting them know they were just doing them a favor...


This is so blatantly abusive that wosign and startcom need to be pulled from all trusted root CA stores immediately. If their SSL cert clients' websites break, so be it. This is outright malicious behavior.

The internet engineering community would come down like a ton of bricks if somebody registered ripe.cn and decided to impersonate RIPE. Same principle.


They didn't impersonate letsencrypt so that doesn't apply.


It's true that they didn't impersonate letsencrypt, but they did:

1. Assign DNS records to these two domains and remove them after someone exposed these domains. https://groups.google.com/d/msg/mozilla.dev.security.policy/... https://archive.fo/MQwMK; https://archive.fo/0HQZ7

2. Send marketing e-mails that exaggerate threats of using a "foreign CA", such as Let's Encrypt: https://groups.google.com/d/msg/mozilla.dev.security.policy/... (Well, "Percy" has always been bringing it up.)

While (2) has been something too old to keep bringing up, (1) certainly undermines some of Richard Wang's claim.


For anyone who doesn't know the backstory on this already: WoSign (and, after WoSign quietly acquired it, StartCom) were distrusted by Mozilla for mismanagement ranging from backdating certificates to bypass crypto requirements to accidentally mis-issuing certificates.

It is unlikely that WoSign or any CA run by WoSign will ever be fully compatible with browsers in the future.


Startcom's certs still show as ok in Firefox for me. Any idea when this kicks in?


Existing certs (those with a notBefore date before Oct 21 [0]) are still trusted by Firefox. New certificates are not.

(WoSign could theoretically backdate the notBefore date on new certs to make them look like existing certs, but Mozilla have said that if they catch WoSign doing this they'll distrust their root totally.)

Other browsers are taking similar measures, but I'm not sure on the details.

[0]: https://blog.mozilla.org/security/2016/10/24/distrusting-new...
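As an added example (not code from the thread, Mozilla or any CA), here is the cutoff rule described above applied to a certificate in the dict layout that Python's `ssl.getpeercert()` returns; the issuer names matched, the cutoff date and the sample certificates are assumptions taken from the comments here.

```python
import ssl
from datetime import datetime, timezone

# Cutoff quoted in the thread: WoSign/StartCom certs with notBefore before
# 2016-10-21 stay trusted by Firefox, later ones do not (assumed from [0]).
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)
# Substrings matched against the issuer organizationName (assumption).
DISTRUSTED_ISSUERS = ("WoSign", "StartCom")


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def not_before(cert):
    """Parse notBefore ('Nov 20 09:57:27 2014 GMT') into an aware datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def firefox_trusts(cert):
    """Apply the notBefore cutoff only to the distrusted issuers."""
    org = issuer_org(cert)
    if not any(name in org for name in DISTRUSTED_ISSUERS):
        return True  # other CAs are unaffected by this policy
    return not_before(cert) < CUTOFF


# Constructed sample certificates in ssl.getpeercert() dict layout.
OLD_STARTCOM = {
    "issuer": ((("countryName", "IL"),), (("organizationName", "StartCom Ltd."),)),
    "notBefore": "Nov 20 09:57:27 2014 GMT",
    "notAfter": "Nov 20 09:57:27 2017 GMT",
}
NEW_WOSIGN = {
    "issuer": ((("countryName", "CN"),), (("organizationName", "WoSign CA Limited"),)),
    "notBefore": "Dec 01 00:00:00 2016 GMT",
    "notAfter": "Dec 01 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for name, cert in (("old StartCom", OLD_STARTCOM), ("new WoSign", NEW_WOSIGN)):
        print(name, "trusted by Firefox:", firefox_trusts(cert))
```

For a live check, replace the sample dicts with the result of `ssl.SSLSocket.getpeercert()` from a TLS connection to the host in question.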


Apple are trusting certs WoSign published to Certificate Transparency servers before September [0] and StartCom certs with a notBefore date before December [1]

[0] https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...

[1] https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...


The Startcom revocation wasn't retroactive. It only affects certificates issued after 2016-10-21.


Thanks for adding this clarification!


Nope; I'm sure the information is out there somewhere. There was a big discussion about grandfathering, too.


Are they distrusted by iOS and macOS?


https://support.apple.com/en-us/HT204132

In the long run: indefinite (likely permanent) distrust by Mozilla is probably the death sentence for any CA.


It looks like WoSign is already back at it, reselling certs from another CA. I understand someone else is doing the issuing, but I'd hoped that they would die a quick death, not hang on bitterly: https://groups.google.com/forum/#!topic/mozilla.dev.security...


Has anyone else noticed that Richard Wang has replied on both the linked thread and the parent thread now? I thought I had read that he had stepped down as the WoSign CEO?


Business as usual in the dirty cert industry

https://letsencrypt.org/2016/06/23/defending-our-brand.html


fyi, it looks like this may be overblown. Richard Wang, the person who registered the .cn domains, posted this in the thread:

---------------------------

I wish everyone can talk about this case friendly and equally.

It is very common that everyone can register any domain based on the first come and first service rule.

We know Let's Encrypt was released after the public announcement, but two days later its .cn domain was still not registered. I think maybe it was caused by the strict registration rules in China, so I registered it for protection so that it was not registered by a Cornbug.

We don't use those domains for any of WoSign's services that provide a similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)

Now, if Mozilla or Let's Encrypt contact me officially and request to transfer the two domains to them, no problem at all, we can transfer them to them for FREE!

But please notice that this arrangement is for friendship, not for others ......

Best Regards,

Richard


If he registered the domains to 'protect' them he should have contacted LE immediately afterwards to arrange the transfer. Not wait until the world finds out. It's easy to use that form of reasoning ("I only did it for protection") after others find out. But is such a person trustworthy? I have my doubts.


In case anyone is wondering, "Cornbug" is a direct translation of 玉米虫 which in Chinese has the meaning of "domain squatter" in addition to the literal meaning.


This could develop further. Reminds me of TOM Skype: Chinese users are redirected from skype.com to the chinese-characteristics website skype.tom.com which serves a censorship-enabled version of skype, see https://en.greatfire.org/blog/2013/nov/tom-skype-dead-long-l...


Well this is a collaboration b/t Skype and TOM.com. Skype has to do it b/c they don't have a license to operate in China. My skype account was registered in China and I have to prove I'm not in China anymore to remove the association.


Skype chooses to do it. They could also simply choose not to cooperate, and be blocked.


The Twit network has some very detailed podcasts about Wosign's sliminess:

https://twit.tv/search/wosign

This is a CA death penalty situation as far as I'm concerned.


+1 wrt the twit conversations. Leo & Steve Gibson on Security Now have regularly spoken about wosign, and it's the primary reason why my antenna immediately perked up when I saw the headline.

As a general note, the content on the TWiT network is superb. I love the great ethics conversations that are had on TWiG (This Week in Google). I've loved listening to the "coming out of the wilderness" progression of Mary Jo Foley & Paul Thurrott with regards to Microsoft on Windows Weekly. And Security Now is my guilty educational pleasure, as it's greatly expanded my knowledge of security issues and topics, which have served me well over the past few years.


Seconded. I highly recommend the two-part interview of Bill Atkinson

https://twit.tv/shows/triangulation/episodes/244?autostart=f...

https://twit.tv/shows/triangulation/episodes/247?autostart=f...

The part about taking pictures of stones and his current venture at the end are less appealing to me but the discussion about the early days of Apple, and generally his view on technology is really interesting. There is a long part about AI.


The only podcast I listened to for years with any consistency was FLOSS Weekly. This later exposed me to Security Now, This Week in Enterprise Tech (TWiET on the set! I love the catch phrase), This Week in Law (which zero of my law school and lawyer friends address when I send them good episodes), and recently Triangulation.

In the new era of Software Engineering Daily and Changelog, I see Leo Laporte as the godfather of podcasting. I disagree with a lot he has to say, but I respect him greatly and dream of meeting him one day. He is one of my heroes.

And Leo: I use Emacs, and not so much Perl. I have nothing to interview for, but I can answer your favorite question with at least half of your favorite answer, if you read this somehow!


Steve Gibson will go into levels of detail that amaze me. The podcast on Rowhammer is a perfect example - down to the minute details of how VMs store memory pages...

It can also be a great sleep aid.


Crap, I am not even familiar with that episode, and SN is the longest running on TWiT. Link? Is it 498 or 576?

https://twit.tv/shows/security-now/episodes/498

https://twit.tv/shows/security-now/episodes/576



A similar name may be enough to fool everyday users, but I don't think they're going to trick Mozilla and Google into trusting them.


Why would that matter? They can set up a similar service and use the wosign ca and Mozilla/google wouldn't know anything is amiss



Previous discussion: https://news.ycombinator.com/item?id=12582534

tl;dr - WoSign/StartCom are no longer trusted as a CA (at least by Firefox)


However, previously issued certs are still trusted. For instance, Firefox doesn't complain about this site's WoSign cert: https://www.checkmyping.com/


Existing certs are still trusted.

Mozilla stated that they will not distrust certs issued with notBefore till December, so theoretically this cert is good for as long as it's still valid, only after that they need to worry.


It's really difficult to understand why anyone would want to do this. Unless they were working with Let's Encrypt directly I really don't see how this could ever be acceptable.

Why would anyone do such an obviously bad thing and slap their company information in the whois?


Because they thought they could get away with it - just like all of the other stuff they've done. And they did get away with it for a while.


What's the motivation though? It doesn't seem like they've really ever used the domain. Right now this all just seems utterly pointless and stupid on their part, but I guess that's really nothing new.


To me, the most obvious motivation for registering the domain would be to basically make a domain squat. Redirect anyone visiting "letsencrypt.cn" to their own, similarly named (and now defunct as far as I know) service "StartEncrypt" [1]. Like any other domain squat, it would probably allow them to profit to some degree from the buzz Let's Encrypt was generating.

[1] https://news.ycombinator.com/item?id=11903513


Except that they weren't doing that.


A "win at all costs" mentality, "winning" being defined as "whatever I feel like doing." You see a lot of this trait in the criminal justice system, if you've never been through it.


Modern Chinese culture in a nutshell.


I don't know about that.


As a frequent user of the Chinternet, a .cn counterpart of a famous project is an alarm sign of a non-affiliated copy of the original project, or simply that someone wants to build a Chinese version (still not affiliated) community for that project.

After all these dramas with .cn, a wary user should reject .cn on first sight. Too sad for Chinese/non-technical users, as they have no choice. There's nothing that can be done about the situation.


Do we have to run certbot every few months to update the certs? Can we set up a cron to do it? Thoughts welcome.


Yes - you can add it to a cronjob, as well as add a `--renew-hook` option that tells it to do something post renewal, such as restart your webserver.

See https://certbot.eff.org/docs/using.html#renewing-certificate...


The documentation recommends using a cron job[0] - the renew subcommand will renew all certificates you have in plenty of time automatically. Set it to run once a week or so, and it'll figure out what to renew and when.

[0] https://certbot.eff.org/docs/using.html#renewing-certificate...


I just use a cron:

    /path/to/letsencrypt/letsencrypt-auto -d domain.com certonly && service nginx reload


I've been using certbot to automatically update my cert for about a year now with cron. It automatically checks the cert's expiration date and starts trying to renew a couple of weeks before it runs out, and for nginx at least you don't even have to reload.


Has Richard Wang left WoSign as CEO or not?


During last-chance negotiations with Mozilla, they claimed he was stepping down immediately. However, Mozilla moved against them anyway, so presumably they immediately went back on that pledge once it became clear that it wasn't helping. Apart from the time of the negotiations, there haven't been any other claims that he had stepped down as far as I know.



I don't see how it's a security problem. Just because the domains are similar doesn't mean browsers will accidentally start trusting the CA.


This is how these sort of attacks have always worked. Get something that's just close enough so that it passes the glance attack. If someone doesn't notice anything in the first few seconds, you've done half your work right there.


What is going to happen in a quick glance? Including a CA in a browser is an extremely long and drawn-out process involving third party audits and many other things costing hundreds of thousands of dollars. There is zero chance that no one along that whole process will notice that the TLD is actually .cn .


Obviously, but that's not the concern. The concern is that someone would visit letsencrypt.cn and end up getting a certificate from a provider that is not Let's Encrypt without really understanding that. Imagine a busy, non-SSL-expert user who just hears "Let's Encrypt is good, you should use it".

Since the domains aren't being used, we can't say what the intention was, but it's being judged as part of a pattern of behavior by Wosign.


Ok, but that's not really a security problem. You don't give out your private key when getting a certificate.


Actually many customers let the CA generate the private key and copy it onto their servers, but that's not the point.

It's a trust problem because of the pattern of this particular CA. Whether you call that a security problem or not is semantics. If not for the existing pattern of behavior, people would be a little more willing to look charitably on this as an honest mistake or trying to help, but given the history the assumption of good faith has been considerably weakened.



