Free Chinese certificates: yay or nay?
#1
The previous thread relating to WoSign was censored/closed by its creator. Since I felt we could have a bigger discussion on whether using this CA is safe for personal servers or even production (depending on what you do and what level of safety you need), I decided to post another thread about it.

You can get one just like mine on: https://buy.wosign.com/free/

For the time being I would like to report that my SSL score using ssllabs and WoSign with their free Chinese language certificates instead of English ones to add a little extra spice to it is:
[Image: BGdKokm.png]

This is the state of my server:
  • Forced SSL only with 301 redirects on http://domain, http://IP and https://IP to the main domain 
  • spdy/3.1 and fallback to http/1.1 on NGINX/1.8.0
  • Three certification paths from the three certificates sent by the server (running a certificate bundle), each ending at "In trust store" by: CA 沃通根证书 (SHA256withRSA), StartCom Certification Authority (SHA256withRSA) and StartCom Certification Authority (SHA1withRSA)
  • Secure Renegotiation: Supported
  • Downgrade attack prevention: Yes, TLS_FALLBACK_SCSV supported
  • Forward Secrecy: Yes (with most browsers) ROBUST
  • OCSP stapling: Yes
  • Strict Transport Security (HSTS): Yes (max-age=31536000; includeSubDomains; preload)
  • Public Key Pinning (HPKP): Yes
  • Session resumption (caching) and Session resumption (tickets) also yes...
You probably get my point by now. I submitted a certificate signing request (CSR) to them, so they have no access to my .key. I take advantage of OCSP stapling so my visitors don't have to connect to their Chinese OCSP servers to check my validity but instead get the reply directly from my web server. This should be used often, or you should be aware that you are hitting your own CA multiple times if you have a popular site without OCSP stapling enabled. If you force your clients to connect to the Chinese OCSP server, you are not only slowing down their browsing significantly through latency but also putting their privacy at risk!

Would anyone want to comment on my set-up and whether you think it's safe enough to use, or would I still be spied on by the Chinese government using this certificate? It's your choice, but I think it's safe enough for my private use, unless of course you think my government is going to try to decrypt the traffic I have to my server?
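The two practices the first post relies on, generating the key and CSR offline so the CA never sees the private key, and checking that the server staples its own OCSP responses, can be scripted and verified before anything is uploaded. The following is an added example written for this thread, not code from the original post or from WoSign; the domain name, the ./tls directory and the function names are hypothetical, and it only assumes a standard openssl command-line tool.

```sh
#!/bin/sh
# Added example, not from the thread or from WoSign: generate the private key
# and the CSR offline, so the CA only ever receives the CSR, then check the
# file before uploading it. Domain names and the ./tls directory are
# hypothetical.
set -eu

# make_csr DOMAIN OUTDIR: writes DOMAIN.key (mode 0600) and a SHA-256-signed
# DOMAIN.csr into OUTDIR. The key never leaves this machine.
make_csr() {
  domain=$1; outdir=$2
  mkdir -p "$outdir"
  # subshell so the restrictive umask does not leak into the caller
  ( umask 077 && openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null )
  openssl req -new -sha256 -key "$outdir/$domain.key" \
    -subj "/CN=$domain" -out "$outdir/$domain.csr" 2>/dev/null
}

# csr_is_safe_to_upload FILE: exit 0 only if FILE holds a certificate request,
# contains no private-key block (easy to get wrong with copy-and-paste),
# has a valid self-signature and was signed with SHA-256.
csr_is_safe_to_upload() {
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" || return 1
  if grep -q -- 'PRIVATE KEY' "$1"; then return 1; fi
  openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
  openssl req -noout -text -in "$1" 2>/dev/null \
    | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

# key_matches_csr KEY CSR: exit 0 if the CSR was built from KEY (same RSA
# modulus), so the certificate the CA issues will actually work with it.
key_matches_csr() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# stapling_ok HOST: after deployment, confirm the server staples an OCSP
# response, so clients never have to contact the CA's OCSP responder.
# Needs network access; it is not part of the offline checks above.
stapling_ok() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Usage (hypothetical domain):
#   make_csr example.test ./tls
#   csr_is_safe_to_upload ./tls/example.test.csr \
#     && key_matches_csr ./tls/example.test.key ./tls/example.test.csr
#   stapling_ok example.test   # once the certificate is installed in nginx
```

Only the .csr file is pasted into the CA's form; the .key stays on the server with mode 0600. The stapling check is the same thing SSL Labs reports as "OCSP stapling: Yes", and it is the part that keeps visitors from ever talking to the CA's OCSP responder.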
#2
It's at least a lot better than CloudFlare MITM SSL, and with OCSP stapling and public key pinning it is very secure and can be used for things other than gaining SEO points from Google because they prefer SSL (like with CloudFlare Happywide).

Can you make a guide for the secure setup you made? This would be a good thing to have to make proper use of the free certificates. Thanks!


You can mention their name and site. The previous thread was censored by the OP himself after some heavy privacy discussion, but back then no one thought of the proper setup, generating a CSR offline to keep the key safe, etc.
#3
(2015-09-06, 6:17:21 pm)Hidden Refuge Wrote:  It's at least a lot better than CloudFlare MITM SSL, and with OCSP stapling and public key pinning it is very secure and can be used for things other than gaining SEO points from Google because they prefer SSL (like with CloudFlare Happywide).

Can you make a guide for the secure setup you made? This would be a good thing to have to make proper use of the free certificates. Thanks!


You can mention their name and site. The previous thread was censored by the OP himself after some heavy privacy discussion, but back then no one thought of the proper setup, generating a CSR offline to keep the key safe, etc.

Thank you for the information. I have updated my thread to now contain the company.
I will consider making a tutorial for it if people are interested in doing the same set-up as mine; let's first see how this conversation turns out.
#4
I guess one more thing you could do as a security measure is to block the IPs and domains of WoSign OCSP servers on your server. This way they won't be able to connect to your server at all, which would be required at least to exchange information. I guess together with your own OCSP stapling reports and key pinning this is a pretty secure setup.

Actually I think with that setup it can be trusted a lot more than without it. After all it's just StartSSL at the very top. The guys from there are totally ok even if they are very strict about registrations and verification and so on. Even the Chinese CNNIC is in the trusted storage of SSL certificates these days.
#5
Just to remind you, a discussion about WoSign has been posted here. It's closed for further discussion, but this "advertisement" is allowed?
#6
The old topic was censored by the person that started it because of the privacy discussion (not a real reason to censor it or delete it) and the person also requested it to be closed. This topic is fine given it has a lot of different and new aspects in terms of fixing privacy concerns with WoSign.

I hope Erno will make a guide here.
#7
My reasoning behind this was because a lot of members were opposed to WoSign.
Therefore, I removed the content.

If it'd be too much to ask, I'd like it to be re-opened -- WoSign is only allowing 10 domains now.

#8
I also have SSL certificates for my domains from WoSign. It's good so far, and it is free. I don't have any complaints about them.
#9
(2015-09-07, 5:47:19 am)TimeRider Wrote:  I also have SSL certificates for my domains from WoSign. It's good so far, and it is free. I don't have any complaints about them.

Is it supported under Windows XP and older Internet Explorer versions?
#10
(2015-09-07, 7:46:07 am)HXY Wrote:  Is it supported under Windows XP and older Internet Explorer versions?

Yes, it supports older Internet Explorer versions, Windows XP and earlier Windows versions if you choose to sign your certificate with the SHA1 algorithm.

You should upgrade ASAP!

SHA1 is defunct and obsolete and will therefore soon be unsupported. SHA1 certificates are already shown as problematic in modern browsers, and soon people won't even be able to access sites using SHA1 certificates (well, that's far away in 2017). In 2016, however, you will see warning pages like you would when visiting a website with an untrusted SSL certificate.

So if you use Windows XP get SP3 and stop using IE! Then you can get a SHA2 (SHA256) certificate.

Please read https://community.qualys.com/blogs/secur...ed-to-know
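Whether a chain still depends on SHA1 is something you can check on the bundle itself rather than waiting for a browser warning. The following is an added example for this thread, not code from the post or from the linked Qualys article; the file names are hypothetical and it assumes only the standard openssl and awk tools. It lists the signature algorithm of every certificate in a PEM bundle (leaf first, then intermediates, as the server sends them) and flags SHA1 or MD5 signatures on anything other than a self-signed root, since browsers do not verify a root's own signature and the SHA1-signed StartCom root in the first post is therefore harmless.

```sh
#!/bin/sh
# Added example, not from the thread: inspect which hash signs each
# certificate in a PEM bundle and flag SHA-1/MD5. Root self-signatures are
# not verified by browsers, so only the leaf and intermediates matter.
# File names are hypothetical.
set -eu

# sig_is_weak ALG: exit 0 if ALG is a signature algorithm browsers are
# retiring (anything built on SHA-1 or MD5), 1 otherwise.
sig_is_weak() {
  case "$1" in
    *sha1*|*SHA1*|*md5*|*MD5*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_sig_alg FILE: print the signature algorithm of a single PEM certificate.
cert_sig_alg() {
  openssl x509 -noout -text -in "$1" 2>/dev/null \
    | awk '/Signature Algorithm:/ { print $3; exit }'
}

# chain_sigs BUNDLE: one row per certificate in BUNDLE, in file order:
#   <algorithm> TAB <self-signed|ca-signed> TAB <subject>
# The bundle is wrapped in a PKCS#7 container only so that one openssl
# call can print the text of every certificate it contains.
chain_sigs() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -text -noout 2>/dev/null \
    | awk '
        /^Certificate:/ { alg = ""; iss = "" }
        /Signature Algorithm:/ && alg == "" { alg = $3 }
        /^ *Issuer: /  { sub(/^ *Issuer: /, "");  iss = $0 }
        /^ *Subject: / { sub(/^ *Subject: /, "")
                         print alg "\t" ($0 == iss ? "self-signed" : "ca-signed") "\t" $0 }
      '
}

# weak_sigs_in_chain BUNDLE: print every non-root certificate whose
# signature uses SHA-1 or MD5; exit 0 if any was found, 1 if the chain is clean.
weak_sigs_in_chain() {
  chain_sigs "$1" | awk -F'\t' '
    $2 != "self-signed" && tolower($1) ~ /sha1|md5/ { print; bad = 1 }
    END { exit !bad }
  '
}

# Usage (hypothetical path to the bundle nginx serves):
#   chain_sigs /etc/nginx/ssl/fullchain.pem
#   weak_sigs_in_chain /etc/nginx/ssl/fullchain.pem && echo "replace before 2016/2017 deadlines"
```

Run it against the exact file named in the nginx ssl_certificate directive, because that is what clients see; a SHA1 intermediate in that file triggers the warnings even when the leaf itself is SHA256.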
