Will Pale Moon distrust WoSign certs?

Post by Walter Dnes » Tue, 11 Jul 2017, 09:16

From http://www.zdnet.com/article/google-gui ... -startcom/

Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61.

According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which have "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016.
There's a right way
There's a wrong way
And then there's my way

Re: Will Pale Moon distrust WoSign certs?

Post by Fedor2 » Tue, 11 Jul 2017, 11:06

Why should we follow Google at all? I rather distrust them.
And I'm interested in what will be affected if you block those certs. Anyway, you can do this yourself in Pale Moon in the certificate settings.

Re: Will Pale Moon distrust WoSign certs?

Post by adesh » Tue, 11 Jul 2017, 11:51

Looks like WoSign certainly has issues. Mozilla too is not happy about this.
https://blog.mozilla.org/security/2016/ ... tificates/

Re: Will Pale Moon distrust WoSign certs?

Post by Moonchild » Tue, 11 Jul 2017, 11:55

I'm not getting involved in these politics. Their (Mozilla's) own little baby (Let's Encrypt) is much worse in terms of CA practices, so they should look in their own back yard first.

Also, one reason this is clearly a political move is how the only free SSL issuer of a similar accessibility to Let's Encrypt (StartCom) has been taken as collateral, despite them being immediately separated and doing everything they can to follow CA rules and regulations. StartCom IMO has done nothing wrong. I happen to be involved there because it has been our code signing and SSL provider for years.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Re: Will Pale Moon distrust WoSign certs?

Post by user108 » Fri, 14 Jul 2017, 22:30

Google is following suit. http://thehackernews.com/2017/07/chrome-certificate-authority.html

If anyone is concerned, you can manually remove WoSign & StartCom via the Certificate Manager (Preferences > Advanced > Certificates > View Certificates > Authorities).

Re: Will Pale Moon distrust WoSign certs?

Post by dark_moon » Sat, 15 Jul 2017, 16:04

I follow Moonchild's way. All CAs have had problems in the past, but only WoSign or Symantec.
You get a lot of problems if you disallow them.

As Moonchild says, the only CA we should stop using is Let's Encrypt. Now they add wildcard domains... what a security mess :thumbdown:

Re: Will Pale Moon distrust WoSign certs?

Post by Moonchild » Sat, 15 Jul 2017, 20:49

A recent issue supported by Let's Encrypt's crap CA practices: I bought something for a specialized t-shirt shop in the past. Recently, a different company copied their website under a very similar sounding name, after having bought or scraped past customer e-mail addresses (most likely it's been (through) their Chinese distributor that they were having issues with getting shirts actually delivered that were ordered), copied their products into it, and then sent out mass e-mail to past customers pretending to be the original company. Their website was, you guessed it, SSL-enabled with Let's Encrypt. With how LE won't revoke any certificates, it means that the cert will be valid and active for the full 3 months and there's nothing the original company can do about it except sending e-mail out to their past customers warning about the fraud, which they have. In 3 months, the shell company will have had a bunch of orders that were paid without fulfilling them, and probably will have people lose their money to it.

Re: Will Pale Moon distrust WoSign certs?

Post by testator777 » Sat, 15 Jul 2017, 22:58

Moonchild wrote: StartCom IMO has done nothing wrong. I happen to be involved there because it has been our code signing and SSL provider for years.

Off-topic:
Interesting, because I thought you used COMODO CA. Or at least my connection to forums.palemoon.org and palemoon.org does.
SHA1 COMODO certificate for forums.palemoon.org:
64:AB:72:A7:10:7B:B7:81:93:84:1D:7E:4B:86:F7:1D:66:DC:A6:D4

Re: Will Pale Moon distrust WoSign certs?

Post by Moonchild » Sun, 16 Jul 2017, 08:26

I've switched our https server certificates to Comodo for the time being, because otherwise people using the affected browsers with distrusted certificates won't be able to visit the forum or website. Yes, it was an extra expense to get the certificate.