Why WoSign and StartCom Bad SSL Certificate Are an Issue

Featured article by Arian Evans, VP of Product Strategy at RiskIQ

If your organization has any website or web application presence on the internet, there’s a chance that you’re using SSL certificates from Certificate Authorities WoSign and Startcom. But as a CISO or security leader, the news that Mozilla, the world’s second most popular browser, cited “technical and management failures” on behalf of WoSign in its decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates, should spur some InfoSec introspection. You may be facing unseen escalated levels of digital risk and may need to take action.

Essentially, the security industry agreed several years ago that SHA-1 is becoming risky to use for SSL certificates, and set a deadline of January 1st, 2016 for the industry to stop issuing SSL certs that use it. The most immediate business impact will be an alarming “Secure Connection Failed” browser warnings when people visit a website using these certs, which can have damaging effects on customer confidence and potentially steer millions of end-users clear of it. The primary risks associated with these weak SSL certs are that threat actors are able to, at a minimum – decrypt and read all of the SSL traffic for a website using one of these certs including passwords, bank account & credit card numbers, etc.. Sophisticated adversaries could insert themselves into the middle of your SSL session, and manipulate or even impersonate your actions. We discussed additional technical threats and their feasibility in a recent RiskIQ Labs blog post.”

According to Mozilla, WoSign, which has acquired full ownership of Startcom, simply ignored this deadline and continued to issue SHA-1 SSL certs to customers that were made to look valid by back-dating them, i.e., faking the date of issuance. In response, if organizations receive a certificate from WoSign or Startcom after October 21, 2016, it will not validate in Mozilla products such as Firefox 51 and later, putting your website, web application—and your customers at risk. Other major companies such as Apple and Google, are piling on; Google plans to reject new digital certificates issued by WoSign and StartCom effective in Chrome version 56.

Once WoSign was forced to come clean, the answer they provided isn’t much of answer. The number of mistakes and poor judgment calls made at WoSign disclosed in this advisory make it look like Hanlon’s Razor may have been in effect there for some time.

How many WoSign and Startcom certs are in your environment? RiskIQ’s current global index shows 762,649 websites using Certificates belonging to the two CAs, but many organizations aren’t even aware that they could very easily be a victim of this negligence.

This issue only adds to the growing list of challenges for security teams caused by the increasing decentralization and global distribution of business applications. Business has moved closer to the bad guys on the Internet, and traditional inline security controls lack visibility into vulnerabilities in assets that may not traverse your network.

RiskIQ performed a quantitative assessment of the threats facing banks via survey in April 2015 of the websites, web assets,  and mobile apps associated with each of the top 35 banks and financial service firms to check for potential security issues and weaknesses. We found that 61% of the of the 260,000 surveyed web assets were stored—potentially unsecured—on external servers outside of IT department control. Only 39% of web assets were hosted on the bank’s main web ASN where they are more easily secured and audited.

In fact, 97% of the bank websites—many of which the organization was completely unaware of—had a minimum of 13 broken SSL certs with 54% having more than 100, and with roughly twice as many errors on sites hosted on outside ASNs. Broken SSL certs allow attackers to perform man-in-the-middle attacks and fail to prevent domain squatters from hijacking known URLs to redirect unsuspecting users to their pharming websites.

Organizations face more pressure than ever to discover how to do business safely and reliably in a world full of danger beyond the firewall. That means they must be able to keep track of this internet data in real-time and maintains an index of SSL Certificates exposed to the Internet, including those from Startcom and WoSign. But Information Security teams that have a dynamic, real-time view of their organization’s attack surface across digital channels will be able to transact business over the Internet in a secure, predictable fashion and have the metrics to prove it.

Arian Evans, VP of Product Strategy at RiskIQ