nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Chinese root CA issues rogue/fake certificates

From: Eric Kuhnke <eric.kuhnke () gmail com>
Date: Tue, 30 Aug 2016 23:02:16 -0700
mozilla.dev.security thread:

https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion


On Aug 30, 2016 10:12 PM, "Royce Williams" <royce () techsolvency com> wrote:


On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke () gmail com>
wrote:


http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html

One of the largest Chinese root certificate authority WoSign issued many
fake certificates due to an vulnerability.  WoSign's free certificate
service allowed its users to get a certificate for the base domain if

they

were able to prove control of a subdomain. This means that if you can
control a subdomain of a major website, say percy.github.io, you're

able to

obtain a certificate by WoSign for github.io, taking control over the
entire domain.



And there is now strong circumstantial evidence that WoSign now owns -
or at least, directly controls - StartCom:

https://www.letsphish.org/?part=about

There are mixed signals of incompetence and deliberate action here.

Royce
Previous By Date Next
Previous By Thread Next

Current thread: