Chinese root CA issues rogue/fake certificates

Royce Williams royce at
Wed Aug 31 05:11:52 UTC 2016

On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke at> wrote:
> One of the largest Chinese root certificate authority WoSign issued many
> fake certificates due to a vulnerability.  WoSign's free certificate
> service allowed its users to get a certificate for the base domain if they
> were able to prove control of a subdomain. This means that if you can
> control a subdomain of a major website, say, you're able to
> obtain a certificate by WoSign for, taking control over the
> entire domain.

And there is now strong circumstantial evidence that WoSign now owns -
or at least, directly controls - StartCom:

There are mixed signals of incompetence and deliberate action here.
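
The validation-scope flaw described in the quoted message, as an added example that is not part of the original post and is not WoSign's code: a model of the flawed check beside a strict one, plus an audit over an issuance log. All function names and domains are constructed, and the strict policy (validated name or names beneath it) is an assumption of this example.

```python
# Added illustration; function names and all domains are constructed.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def flawed_may_issue(validated: str, requested: str) -> bool:
    """Model of the flaw: proof for a subdomain is accepted for its parent."""
    v, r = _labels(validated), _labels(requested)
    return len(v) >= len(r) and v[-len(r):] == r

def strict_may_issue(validated: str, requested: str) -> bool:
    """Assumed policy: issue only for the validated name or names beneath it."""
    v, r = _labels(validated), _labels(requested)
    # Compare whole labels, so "nothosting.example" never matches "hosting.example".
    return len(r) >= len(v) and r[-len(v):] == v

def audit_issuance(records):
    """Return (serial, san) pairs whose SAN lies outside the validated name."""
    return [(serial, san)
            for serial, validated, sans in records
            for san in sans
            if not strict_may_issue(validated, san)]

# Constructed issuance log: (serial, name the applicant proved control of, SANs)
SAMPLE_LOG = [
    ("0001", "hosting.example", ["hosting.example", "www.hosting.example"]),
    ("0002", "tenant.hosting.example", ["tenant.hosting.example", "hosting.example"]),
    ("0003", "shop.example", ["notshop.example"]),
]

if __name__ == "__main__":
    for serial, san in audit_issuance(SAMPLE_LOG):
        print(f"out of scope: serial={serial} san={san}")
```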

