Description: Currently LibreOffice, as well as its website, uses a certificate issued by StartCom, but this CA has been bought secretly by WoSign, and both of them have been found doing something uncomfortable.
Steps to Reproduce: Both of these CAs have been found by Gervase Markham to have written wrong dates into their certificates, and since StartCom was bought secretly by WoSign, it is doubted whether something bad was done with the shareholder.
Actual Results: It is harmful to LibreOffice. If StartCom has caused a serious security issue through its root certificate, it may also affect LibreOffice; someone could use this issue to make something such as MIIT to make LO unsafe.
Expected Results: LO and TDF should avoid using this certificate and replace it.
Source: https://program-think.blogspot.com/2016/09/About-WoSign.html
Reproducible: Always
User Profile Reset: No
Additional Info: User-Agent: Mozilla/5.0 (Android 4.3; Mobile; rv:49.0) Gecko/49.0 Firefox/49.0
Yes -> NEW
Discussion on Mozilla security list: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1XI3Y7PJ1Uc
Mozilla have published a report on this: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview# and they intend not to trust StartCom and WoSign. I think this should be paid attention to not only by LibreOffice developers but also by the whole TDF membership.
This was discussed at the most recent ESC meeting: https://lists.freedesktop.org/archives/libreoffice/2016-October/075584.html
(In reply to Aron Budea from comment #4)
> This was discussed at the most recent ESC meeting:
> https://lists.freedesktop.org/archives/libreoffice/2016-October/075584.html

Good, I hope you can take action soon.
Mozilla announced they started distrusting WoSign and StartCom certificates, that would affect your website. https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
(In reply to General Kutuzov from comment #5)
> (In reply to Aron Budea from comment #4)
> > This was discussed at the most recent ESC meeting:
> > https://lists.freedesktop.org/archives/libreoffice/2016-October/075584.html
>
> Good, I hope you can take action soon.

Notice, TDF won't take action until their certs expire, UNLESS this scenario plays out: "If additional back-dating is discovered (by any means) to circumvent this control, then Mozilla will immediately and permanently revoke trust in the affected roots." Then they obviously have to take action.
Google Chrome has already taken action since 56.0.
I have noticed that some Chinese netizens tend to ban all the certs issued by StartCom and WoSign. On this topic I found the following comments: https://www.v2ex.com/t/317082

> 等不到 56 了,已经自己手动全拉黑了
(Not waiting for (Chrome) 56.0, (I have) already banned all of them by myself.)

> 一样,用的那个 RevokeChinaCerts 脚本
(The same as me, using the RevokeChinaCerts script.)

Later I found a script "RevokeChinaCerts" at GitHub: https://github.com/chengr28/RevokeChinaCerts
This tool can be used to revoke all the certificates issued from PR China; I found StartCom and its shareholder are included there. If you use it, you will fail to install LibreOffice on Windows. To avoid that, I guess LO should re-sign the package without StartCom.
Recently Mozilla, Google and Apple decided not to trust StartCom and WoSign, and the RevokeChinaCerts script also causes Windows to prevent installing LibreOffice. To avoid that, I guess we should get a new certificate from Let's Encrypt.
(In reply to Volga from comment #10)
> Recently Mozilla, Google and Apple decided not to trust StartCom and WoSign,
> and the RevokeChinaCerts script also causes Windows to prevent installing LibreOffice.
> To avoid that, I guess we should get a new certificate from Let's Encrypt.

Here is a ticket for the web stuff: https://redmine.documentfoundation.org/issues/2115
(In reply to Buovjaga from comment #11)
> (In reply to Volga from comment #10)
> > Recently Mozilla, Google and Apple decided not to trust StartCom and WoSign,
> > and the RevokeChinaCerts script also causes Windows to prevent installing LibreOffice.
> > To avoid that, I guess we should get a new certificate from Let's Encrypt.
>
> Here is a ticket for the web stuff:
> https://redmine.documentfoundation.org/issues/2115

OK, I can see the effect now, but the binary distributions (as in http://dev-builds.libreoffice.org/pre-releases/win/x86_64/) are still using this cert.