Chinese root CA issues rogue/fake certificates

• Subject: Chinese root CA issues rogue/fake certificates
• From: royce at techsolvency.com (Royce Williams)
• Date: Tue, 30 Aug 2016 21:11:52 -0800
• In-reply-to: <CA[email protected]>
• References: <CA[email protected]>

On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke at gmail.com> wrote:
>
> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>
> One of the largest Chinese root certificate authority WoSign issued many
> fake certificates due to an vulnerability.  WoSign's free certificate
> service allowed its users to get a certificate for the base domain if they
> were able to prove control of a subdomain. This means that if you can
> control a subdomain of a major website, say percy.github.io, you're able to
> obtain a certificate by WoSign for github.io, taking control over the
> entire domain.


And there is now strong circumstantial evidence that WoSign now owns -
or at least, directly controls - StartCom:

https://www.letsphish.org/?part=about

There are mixed signals of incompetence and deliberate action here.

Royce

• Follow-Ups:
  • Chinese root CA issues rogue/fake certificates
    • From: eric.kuhnke at gmail.com (Eric Kuhnke)
  • Chinese root CA issues rogue/fake certificates
    • From: royce at techsolvency.com (Royce Williams)

• References:
  • Chinese root CA issues rogue/fake certificates
    • From: eric.kuhnke at gmail.com (Eric Kuhnke)

• Prev by Date: Chinese root CA issues rogue/fake certificates
• Next by Date: Chinese root CA issues rogue/fake certificates
• Previous by thread: Chinese root CA issues rogue/fake certificates
• Next by thread: Chinese root CA issues rogue/fake certificates
• Index(es):
  • Date
  • Thread