We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.
-mel beckman
On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
mozilla.dev.security thread:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmy...
On Aug 30, 2016 10:12 PM, "Royce Williams" <royce@techsolvency.com> wrote:
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Royce
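
The validation flaw described in the quoted article, shown next to a stricter check. This is an added example and not part of the thread or WoSign's code; the function names, the exact-match policy and the sample requests are assumptions made for illustration.

```python
# Added illustration: models the authorization decision a CA makes after a
# requester proves control of one DNS name. All names below are constructed.

def _labels(name):
    """Normalize a DNS name to a list of lowercase labels, no trailing dot."""
    return name.strip().rstrip(".").lower().split(".")

def flawed_may_issue(validated, requested):
    """Behaviour the article describes: control of any name at or under the
    requested domain is accepted as control of the requested domain."""
    v, r = _labels(validated), _labels(requested)
    # Label-wise suffix match, tested in the wrong direction: the requested
    # name only has to be a parent of the validated one.
    return len(v) >= len(r) and v[-len(r):] == r

def strict_may_issue(validated, requested):
    """Conservative policy assumed for this example: issue only for the
    exact name whose control was demonstrated."""
    return _labels(validated) == _labels(requested)

def audit(requests):
    """Return the (validated, requested) pairs that the flawed check would
    approve but the strict check rejects."""
    return [(v, r) for v, r in requests
            if flawed_may_issue(v, r) and not strict_may_issue(v, r)]

# Constructed sample requests: (name the requester proved control of,
# name the certificate was requested for).
SAMPLE_REQUESTS = [
    ("percy.github.io", "percy.github.io"),  # legitimate
    ("percy.github.io", "github.io"),        # the case from the article
    ("percy.github.io", "other.github.io"),  # sibling, rejected by both
    ("evilgithub.io", "github.io"),          # string suffix, not a label suffix
]

if __name__ == "__main__":
    for validated, requested in audit(SAMPLE_REQUESTS):
        print("mis-authorized:", validated, "->", requested)
```
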