Chinese root CA issues rogue/fake certificates

Mel Beckman mel at beckman.org
Wed Aug 31 06:50:12 UTC 2016


We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.

 -mel beckman

> On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke at gmail.com> wrote:
> 
> mozilla.dev.security thread:
> 
> https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
> 
> 
>> On Aug 30, 2016 10:12 PM, "Royce Williams" <royce at techsolvency.com> wrote:
>> 
>> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke at gmail.com>
>> wrote:
>>> 
>>> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>>> 
>>> One of the largest Chinese root certificate authorities, WoSign, issued many
>>> fake certificates due to a vulnerability.  WoSign's free certificate
>>> service allowed its users to get a certificate for the base domain if they
>>> were able to prove control of a subdomain. This means that if you can
>>> control a subdomain of a major website, say percy.github.io, you're able to
>>> obtain a certificate from WoSign for github.io, taking control over the
>>> entire domain.
>> 
>> 
>> And there is now strong circumstantial evidence that WoSign now owns -
>> or at least, directly controls - StartCom:
>> 
>> https://www.letsphish.org/?part=about
>> 
>> There are mixed signals of incompetence and deliberate action here.
>> 
>> Royce
>> 
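
The validation-scope flaw quoted above, as an added example that is not part of the original thread and not WoSign's code: a check a CA (or an auditor reviewing issuance records) can apply so that proof of control over a subdomain never authorizes a certificate for its parent. The function names, the sample records and the policy that a validated name covers itself and names beneath it are assumptions of this example; public-suffix handling is out of scope.

```python
# Added illustration; function names and the sample records are constructed.

def labels(name):
    """Split a DNS name into lowercase labels, rejecting empty labels."""
    parts = name.strip().rstrip(".").lower().split(".")
    if any(not p for p in parts):
        raise ValueError(f"malformed DNS name: {name!r}")
    return parts

def flawed_covers(validated, requested):
    """Flawed rule from the thread: accept when the validated name merely
    lies under the requested name (subdomain proof -> base-domain cert)."""
    v, r = labels(validated), labels(requested)
    return len(v) >= len(r) and v[-len(r):] == r

def strict_covers(validated, requested):
    """Assumed policy: proof of control over `validated` authorizes that
    name and names beneath it, never a parent. A wildcard *.X needs X."""
    v, r = labels(validated), labels(requested)
    if r[0] == "*":
        r = r[1:]
    if "*" in r or not r:
        return False  # wildcard only allowed as the left-most label
    # Compare whole labels, so "notexample.com" never matches "example.com".
    return len(r) >= len(v) and r[-len(v):] == v

def audit(records):
    """Return (validated, requested) pairs that fail the strict rule."""
    return [(v, r) for v, r in records if not strict_covers(v, r)]

# Constructed issuance records: (name the requester proved, name in the cert)
SAMPLE = [
    ("percy.github.io", "percy.github.io"),
    ("percy.github.io", "github.io"),
    ("percy.github.io", "*.github.io"),
    ("example.com", "www.example.com"),
    ("example.com", "notexample.com"),
]

if __name__ == "__main__":
    for v, r in SAMPLE:
        print(f"{v:16} -> {r:16} flawed={flawed_covers(v, r)} "
              f"strict={strict_covers(v, r)}")
    print("misissued:", audit(SAMPLE))
```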