nanog mailing list archives
Re: Chinese root CA issues rogue/fake certificates
From: Mel Beckman <mel () beckman org>
Date: Wed, 31 Aug 2016 06:50:12 +0000
We've received several unsolicited certificate approval requests from wosign sign on high-value domain names we manage. Wosign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.

-mel beckman

On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:

mozilla.dev.security thread:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion

On Aug 30, 2016 10:12 PM, "Royce Williams" <royce () techsolvency com> wrote:

On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:

http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html

One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.

And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:

https://www.letsphish.org/?part=about

There are mixed signals of incompetence and deliberate action here.

Royce
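
The scope flaw described in the quoted report, sketched as an added example that is not part of the thread and is not WoSign's code: a check that lets proof of control over a subdomain cover its parent, beside a check that only covers the validated name and names beneath it. All function names and the request list are constructed for illustration, and the strict policy shown is an assumption about how a CA scopes a validation.

```python
def labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def is_label_suffix(short, long):
    """True if label list `short` is the tail of `long` (whole labels only)."""
    return 0 < len(short) <= len(long) and long[-len(short):] == short


def flawed_scope_check(validated, requested):
    """Behaviour as described in the report: any ancestor or descendant of
    the validated name is accepted, so a subdomain unlocks its base domain."""
    v, r = labels(validated), labels(requested)
    return is_label_suffix(v, r) or is_label_suffix(r, v)


def strict_scope_check(validated, requested):
    """Assumed policy: control of a name covers that name and names beneath
    it, never a parent or a sibling."""
    v, r = labels(validated), labels(requested)
    if r[0] == "*":                  # wildcard: judge the name under the "*"
        r = r[1:]
    if "" in v or "" in r or "*" in r:
        return False                 # empty labels or stray wildcards
    return is_label_suffix(v, r)


# Constructed requests: (name the applicant proved control of, name requested)
REQUESTS = [
    ("percy.github.io", "percy.github.io"),
    ("percy.github.io", "github.io"),            # the case from the report
    ("percy.github.io", "www.percy.github.io"),
    ("percy.github.io", "*.percy.github.io"),
    ("percy.github.io", "other.github.io"),      # sibling
    ("github.io", "evilgithub.io"),              # shares a string tail, not a label
]


def audit(requests):
    """Return (validated, requested, flawed_result, strict_result) per request."""
    return [(v, r, flawed_scope_check(v, r), strict_scope_check(v, r))
            for v, r in requests]


if __name__ == "__main__":
    for v, r, flawed, strict in audit(REQUESTS):
        print(f"validated={v:16} requested={r:20} flawed={flawed!s:5} strict={strict}")
```
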