[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Chinese root CA issues rogue/fake certificates
- Subject: Chinese root CA issues rogue/fake certificates
- From: eric.kuhnke at gmail.com (Eric Kuhnke)
- Date: Tue, 30 Aug 2016 23:02:16 -0700
- In-reply-to: <CA+E3k91eiwyykLV05fVL89Fd=USe-pzuhFRx4SFaCnuYMYskKA@mail.gmail.com>
- References: <CAB69EHjh+xLBzP+XoEUpo3fRYC_33aQWCEuDZPJc8MtxdshjQg@mail.gmail.com> <CA+E3k91eiwyykLV05fVL89Fd=USe-pzuhFRx4SFaCnuYMYskKA@mail.gmail.com>
mozilla.dev.security thread:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
On Aug 30, 2016 10:12 PM, "Royce Williams" <royce at techsolvency.com> wrote:
> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke at gmail.com>
> wrote:
> >
> > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
> >
> > One of the largest Chinese root certificate authority WoSign issued many
> > fake certificates due to an vulnerability. WoSign's free certificate
> > service allowed its users to get a certificate for the base domain if
> they
> > were able to prove control of a subdomain. This means that if you can
> > control a subdomain of a major website, say percy.github.io, you're
> able to
> > obtain a certificate by WoSign for github.io, taking control over the
> > entire domain.
>
>
> And there is now strong circumstantial evidence that WoSign now owns -
> or at least, directly controls - StartCom:
>
> https://www.letsphish.org/?part=about
>
> There are mixed signals of incompetence and deliberate action here.
>
> Royce
>