On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate from WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom: https://www.letsphish.org/?part=about

There are mixed signals of incompetence and deliberate action here.

Royce
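The issuance-scope mistake Eric's message describes (proof of control over percy.github.io being accepted as proof for github.io) comes down to one decision inside a CA's domain-validation step: given the hostname an applicant has actually proven control of, which names may go into the certificate? The following is an added illustration in Python; it is not WoSign's code or anything from the linked write-up. The tiny public-suffix set is constructed for the example and stands in for the real Public Suffix List, and the `flawed_scope` rule is a guess at the behaviour described, written as a naive "last two labels" base-domain computation.

```python
"""Issuance scope after domain validation: the flawed rule beside a hardened one.

Added example, not a CA's real code. Names and the public-suffix set below
are constructed for illustration.
"""
from typing import Callable, List, Set

# Constructed stand-in for the Public Suffix List. The real list has thousands
# of entries; github.io is on it, which is exactly why a naive "base domain"
# computation is dangerous.
PUBLIC_SUFFIXES: Set[str] = {"com", "io", "github.io"}


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return host.lower().rstrip(".")


def is_public_suffix(name: str) -> bool:
    return normalize(name) in PUBLIC_SUFFIXES


def flawed_scope(validated_host: str) -> List[str]:
    """Scope resembling the bug in the post (assumed implementation):
    proving control of any subdomain also unlocks the 'base domain',
    computed naively as the last two labels, with no public-suffix check."""
    name = normalize(validated_host)
    base = ".".join(name.split(".")[-2:])
    return [name] if base == name else [name, base]


def hardened_scope(validated_host: str) -> List[str]:
    """Proof of control covers the validated name only (and, via may_issue,
    names beneath it). Never walks upward, and refuses public suffixes."""
    name = normalize(validated_host)
    if is_public_suffix(name):
        raise ValueError(f"{name} is a public suffix; refusing to issue for it")
    return [name]


def may_issue(validated_host: str, requested_name: str,
              scope: Callable[[str], List[str]] = hardened_scope) -> bool:
    """True if requested_name equals, or sits beneath, a name in the scope
    unlocked by validated_host. Walking downward is the accepted direction;
    the flaw is that flawed_scope also walks upward."""
    req = normalize(requested_name)
    for allowed in scope(validated_host):
        if req == allowed or req.endswith("." + allowed):
            return True
    return False


if __name__ == "__main__":
    proven = "percy.github.io"   # constructed: the applicant controls only this
    for rule in (flawed_scope, hardened_scope):
        print(rule.__name__, "github.io ->", may_issue(proven, "github.io", rule))
```

Run as a script, the flawed rule reports that github.io may be issued after validating only percy.github.io, while the hardened rule does not; the hardened rule still permits the validated name and anything beneath it, which is the direction domain validation is supposed to authorize.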