1. 17
    1. 1

      So Apple, in light of the incidents with WoSign, has made a giant whitelist of all of the WoSign and StartCom certificates in the certificate transparency logs as of the 19th of September. That list of certificates will be trusted, but neither any not in the CT logs nor the root certificates from StartCom will be trusted. A more extreme response than Mozilla’s.

      1. 3

        Apple’s statement only talks about WoSign certificates; they haven’t announced anything about StartCom (yet). As for comparisons between Mozilla’s response and Apple’s response, it’s hard, because the two are in different situations since Apple apparently never explicitly included WoSign’s root CA certificates. Apple is clearly distrusting WoSign somewhat more right now, since they’ve basically said ‘we don’t trust your issued dates here’, but they haven’t said outright that they’d block a future WoSign intermediate root certificate that was cross-signed by StartCom (although they probably would).

        Mozilla’s actions are more extreme in that Mozilla is explicitly distrusting future StartCom certificates as well, and slightly less extreme in that (currently) they are trusting certificate issue dates for WoSign and StartCom certificates instead of taking a snapshot of the CT logs and only trusting that. Note that Mozilla’s one year timeout is a minimum; trusting future WoSign and StartCom certificates after that year is contingent on WoSign passing a bunch of relatively stringent checks. In one view, Apple has kept their options open by not saying anything about what they might do in the future while Mozilla has somewhat tied their hands.

        1. 1

          Mozilla haven’t committed to their proposed plan yet. They’re meeting with reps from Qihoo 360 (which owns WoSign) in a few days, before a final decision is made.

      2. 1

        FTA

        In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

        Do the StartCom certs chain up to this intermediate? If so this would be a big sanction from Apple. If not, and it’s just whacking a Chinese intermediate, meh.

        1. 1

          I believe they do, but I don’t have an Apple device on hand to check. Either that or it’s vice versa and that certificate is the one cross-signed by StartCom.

        2. 1

          My understanding, based on what Apple wrote here (and what I’ve read elsewhere), is that StartCom certs do not chain up to this intermediate; they chain directly to StartCom’s own intermediate and CA certificates, as you’d expect for a company that was independent until WoSign bought them out. WoSign’s own root CA certificates were apparently never in Apple’s CA list, so this cross-signing was the only way WoSign had to get their certificates trusted by Apple products.
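The two distrust mechanisms the thread contrasts (trusting a CA's own notBefore dates against a cutoff, versus trusting only a fixed snapshot of the certificates seen in CT logs) are easier to compare when both are written as a verifier-side check. The Go program below is an added example and not code from Apple, Mozilla or anyone in the thread. It builds a constructed PKI (one root, one intermediate marked as distrusted, three leaves; none of them real WoSign or StartCom certificates), runs Go's ordinary path validation, and then applies each policy to the resulting chain. Identifying CAs and leaves by the SHA-256 of their DER encoding, the `Policy` type, the function names and the 2016-09-19 cutoff (the snapshot date the thread mentions) are all assumptions of this example. The backdated leaf is the case that separates the two approaches: a certificate whose notBefore predates the cutoff but which never appeared in the snapshot passes the date rule and fails the snapshot rule.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy judges a chain (leaf first) that has already passed ordinary path validation.
type Policy func(chain []*x509.Certificate) error

// fingerprint is the SHA-256 of the DER encoding, the identifier CT logs and distrust lists use.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// chainHits reports whether any CA above the leaf is on the distrust list.
func chainHits(chain []*x509.Certificate, distrusted map[[32]byte]bool) bool {
	for _, ca := range chain[1:] {
		if distrusted[fingerprint(ca)] {
			return true
		}
	}
	return false
}

// NotBeforePolicy (date-based): under a distrusted CA only leaves whose notBefore is earlier than
// the cutoff stay trusted, so it relies on the CA having put honest dates in what it issued.
func NotBeforePolicy(distrusted map[[32]byte]bool, cutoff time.Time) Policy {
	return func(chain []*x509.Certificate) error {
		if chainHits(chain, distrusted) && !chain[0].NotBefore.Before(cutoff) {
			return fmt.Errorf("issued by distrusted CA on or after %s", cutoff.Format("2006-01-02"))
		}
		return nil
	}
}

// SnapshotPolicy (allowlist): under a distrusted CA only leaves whose fingerprint is in a fixed
// snapshot (standing in for "seen in CT logs as of the cutoff") stay trusted; dates are ignored.
func SnapshotPolicy(distrusted, snapshot map[[32]byte]bool) Policy {
	return func(chain []*x509.Certificate) error {
		if chainHits(chain, distrusted) && !snapshot[fingerprint(chain[0])] {
			return fmt.Errorf("issued by distrusted CA and absent from the snapshot")
		}
		return nil
	}
}

// Evaluate runs normal path validation, then accepts the leaf if any valid chain passes the policy.
func Evaluate(leaf *x509.Certificate, roots, inters *x509.CertPool, at time.Time, p Policy) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	for _, ch := range chains {
		if err = p(ch); err == nil {
			return nil
		}
	}
	return err
}

// Scenario is a constructed PKI (no real CA data): root -> distrusted intermediate -> three leaves.
type Scenario struct {
	Roots, Inters               *x509.CertPool
	OldLeaf, NewLeaf, Backdated *x509.Certificate
	Distrusted, Snapshot        map[[32]byte]bool
	Cutoff, Now                 time.Time
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate signed by the parent's key (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, from time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(10, 0, 0), IsCA: ca, BasicConstraintsValid: true}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func BuildScenario() *Scenario {
	cutoff := time.Date(2016, 9, 19, 0, 0, 0, 0, time.UTC) // the snapshot date named in the thread
	root, rootKey := issue("Constructed Root", 1, true, cutoff.AddDate(-2, 0, 0), nil, nil)
	inter, interKey := issue("Constructed Distrusted Intermediate", 2, true, cutoff.AddDate(-2, 0, 0), root, rootKey)
	old, _ := issue("old.example.test", 10, false, cutoff.AddDate(0, -2, 0), inter, interKey)
	fresh, _ := issue("new.example.test", 11, false, cutoff.AddDate(0, 1, 0), inter, interKey)
	back, _ := issue("backdated.example.test", 12, false, cutoff.AddDate(0, -1, 0), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return &Scenario{Roots: roots, Inters: inters, OldLeaf: old, NewLeaf: fresh, Backdated: back,
		Distrusted: map[[32]byte]bool{fingerprint(inter): true},
		Snapshot:   map[[32]byte]bool{fingerprint(old): true}, // only the pre-existing leaf was "logged"
		Cutoff:     cutoff, Now: cutoff.AddDate(0, 2, 0)}
}

func main() {
	s := BuildScenario()
	for _, leaf := range []*x509.Certificate{s.OldLeaf, s.NewLeaf, s.Backdated} {
		fmt.Printf("%-24s date rule: %v | snapshot rule: %v\n", leaf.Subject.CommonName,
			Evaluate(leaf, s.Roots, s.Inters, s.Now, NotBeforePolicy(s.Distrusted, s.Cutoff)),
			Evaluate(leaf, s.Roots, s.Inters, s.Now, SnapshotPolicy(s.Distrusted, s.Snapshot)))
	}
}
```

Running it shows the old leaf accepted by both rules, the post-cutoff leaf rejected by both, and the backdated leaf accepted only by the date rule. That last row is the whole difference: the date rule is only as good as the distrusted CA's honesty about issue dates, which is the assumption the thread says Apple declined to make by snapshotting CT instead.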
