Re: Chinese root CA issues rogue/fake certificates

[Mel Beckman <mel () beckman org>]

We've received several unsolicited certificate approval requests from wosign sign on high-value domain names we manage. 
Wosign has never responded to our requests for information about the requesters. There really isn't anything we can do 
other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate 
MITM attacks.

 -mel beckman

> On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:
>
> mozilla.dev.security thread:
>
> https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
>
>
> > On Aug 30, 2016 10:12 PM, "Royce Williams" <royce () techsolvency com> wrote:
> >
> > On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke () gmail com>
> > wrote:
> > > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
> > >
> > > One of the largest Chinese root certificate authority WoSign issued many
> > > fake certificates due to an vulnerability.  WoSign's free certificate
> > > service allowed its users to get a certificate for the base domain if
> > they
> > > were able to prove control of a subdomain. This means that if you can
> > > control a subdomain of a major website, say percy.github.io, you're
> > able to
> > > obtain a certificate by WoSign for github.io, taking control over the
> > > entire domain.
> >
> >
> > And there is now strong circumstantial evidence that WoSign now owns -
> > or at least, directly controls - StartCom:
> >
> > https://www.letsphish.org/?part=about
> >
> > There are mixed signals of incompetence and deliberate action here.
> >
> > Royce