科技回声

A technology news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

WoSign: Free two-year multi-domain SSL certificate

104 points, by freerk, over 10 years ago

12 comments

AlyssaRowan, over 10 years ago
They might've passed the WebTrust audit, but I'm still pretty worried about their security posture.

Remember, unless you're pinning your certificate using DNSSEC+DANE or HPKP, in practice any CA in the world can issue certificates for any domain.

Let's recap: It's 2015. They're using SHA-1 for everything (NOOOO!). They're based in China, which has just said it wants to ban encryption. (So has Cameron in the UK, yes, but at least he hasn't won an election yet. Edit: he pledged to if he wins; we have a coalition government, nobody won last time, least of all us! <g>) It looks like they've messed up OCSP, so even their own cert doesn't pass. Oh, and RC4, TLS 1.0 only, check out their login server: https://www.ssllabs.com/ssltest/analyze.html?d=login.wosign.com - let's put the (slightly) stronger ones at the end, everyone! Ugh.

Let's Encrypt will do it properly. Or Else™. ;)
nadams, over 10 years ago
> great free StartSSL

It looks like they cleaned up their forums from when they were last mentioned[1], but I'll still keep my distance.

Anything like this is really a band-aid for the real problem with SSL/CA. As in, why can't I be a CA for my own domain? I think Android is a perfect example of this problem - if you import a CA cert using the built-in Android credential storage, every time you reboot it will show a vague and useless message saying that people may be spying on you. Not which CA cert was added and when - just "hey, you added, on purpose, a CA cert. I'm just making sure you are aware of this".[2] I understand the warning? error?... err, simply because now I can sign a cert for ANY domain and Android will accept it as legit. This makes sense for the average users who don't understand or care what a CA is, not advanced users or enterprise users who will most likely use their own CA infrastructure. In this case - it would make more sense for them to be a CA over just company.tld rather than any domain.

Personally - I'm using a modified version of PHP-CA[3] (as in, changed the OpenSSL defaults to something sane and fixed some small issues). It's obviously not very advanced (for lack of better words, kind of sucks) - but I wanted to hit the ground running with being my own CA for personal use, and I have other projects I'm working on.

[1] - https://news.ycombinator.com/item?id=8901822
[2] - https://code.google.com/p/android/issues/detail?id=82036
[3] - http://php-ca.sourceforge.net/
aroch, over 10 years ago
Seems they just recently passed Mozilla's/Google's CA root inclusion process: https://bugzilla.mozilla.org/show_bug.cgi?id=851435

Edit: Hmm, looks like the free certs will never pass strict OCSP checks. As broken as the OCSP system is, I would still like to be able to check against it.
noxenook, over 10 years ago
At the risk of sounding xenophobic, you have to wonder if this is simply an effort to have Chinese-issued certificates become commonplace in the West. A common form of certificate pinning is based on the CA that issued the certificate (to allow certificate rotation). More Chinese-issued certificates being used intentionally will make the mere fact that a certificate was issued by a Chinese CA less suspicious.
drdaeman, over 10 years ago
That's really neat.

I just thought my past employee (used to have StartSSL but got rejected recently) has to buy a wildcard one for a year while "Let's Encrypt" is not yet here, but this is just great. Will tell them to save their money.

Hope they'll update MAC soon. Wonder if they have an option to sign only for a year, so the expiry date won't get past 2017. SHA1 should suffice for a year.
cnst, over 10 years ago
This offer sounds great!

However, I must ask -- what's their business model?

Even as great as the offer is, this is akin to the free sample... Because once you deploy the https:// address scheme, there is no going back. On the other hand, this would have been perfect if there was opportunistic encryption within HTTP.
ibejoeb, over 10 years ago
> Before you stop reading because you don't trust a Chinese company for your website encryption please keep in mind that you don't have to trust them at all! You generate the SSL key on your server and only send them the CSR (certificate signing request) which doesn't contain any private information.

That's not really the reason we might not trust a CA. The CA needs to make assurances that it won't improperly sign certificates for an entity purporting to be the principal, e.g., DigiNotar. Maybe this CA has, but that's still a weak argument.
nailer, over 10 years ago
In case you missed it: this is SHA-1, and will trigger browser warnings because it's considered insecure.
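The SHA-1 and 2017-expiry points raised above can be checked mechanically. The following is an added example, not code from the thread or from WoSign: a minimal DER walker that pulls the signature algorithm and notAfter date out of a certificate and applies the 2015 browser sunset rule (SHA-1 certificates valid into 2017 or later treated as insecure). The `sample_cert` builder and its constructed, certificate-shaped input are assumptions for testing only; `inspect_cert` works on any real DER certificate.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) as their raw DER content bytes.
SIG_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}

def der(tag, content):
    """Encode one DER TLV; 1- and 2-byte lengths cover everything built here."""
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_children(value):
    """Split a DER constructed value (SEQUENCE etc.) into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: low bits count the length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def inspect_cert(cert_der):
    """Return (signature algorithm name, notAfter) from a DER-encoded Certificate."""
    cert = der_children(der_children(cert_der)[0][1])  # tbsCertificate, signatureAlgorithm, signatureValue
    tbs = der_children(cert[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional explicit [0] version
    tag, raw = der_children(tbs[3][1])[1]  # validity.notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)
    oid = der_children(cert[1][1])[0][1]  # AlgorithmIdentifier.algorithm
    return SIG_OIDS.get(oid, "unknown"), not_after

def sha1_verdict(cert_der):
    """Mirror the 2015 browser sunset: SHA-1 certs valid into 2017 or later were flagged insecure."""
    algo, not_after = inspect_cert(cert_der)
    if algo != "sha1WithRSAEncryption":
        return "ok"
    return "insecure" if not_after.year >= 2017 else "warning"

def sample_cert(oid_hex, not_after):
    """Constructed, certificate-shaped DER for testing (assumption): no real key, issuer or signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    validity = der(0x30, der(0x17, b"150201000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

A two-year SHA-1 certificate issued in early 2015, as offered in the thread, lands in 2017 and is reported as "insecure"; a one-year one yields only "warning".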
rmoriz, over 10 years ago
Nice find! But given the amount of hassle to get one, your hourly rate must be very low. But I'm sure it will be the future to get near-0$ DV certificates.

It's a pity no CA besides StartCom and Comodo picks up the S/MIME market. Both options are not very usable for non-IT people.
freerk, over 10 years ago
update: WoSign now has a new page https://buy.wosign.com/free/ which is in English, works without creating an account first and wraps up all the steps in one simple page. The issue with "Submit request contains invalid data" some people ran into was fixed as well :)
wavee, over 10 years ago
Anyone else getting "提交请求中,包含非法数据" (Submit request contains invalid data) after completing all the steps?
ridgewell, over 10 years ago
Stolen right off of LowEndTalk.