mozilla.dev.security thread: https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
On Aug 30, 2016 10:12 PM, "Royce Williams" <ro...@techsolvency.com> wrote:

> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>
> > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
> >
> > One of the largest Chinese root certificate authorities, WoSign, issued many
> > fake certificates due to a vulnerability. WoSign's free certificate
> > service allowed its users to get a certificate for the base domain if they
> > were able to prove control of a subdomain. This means that if you can
> > control a subdomain of a major website, say percy.github.io, you're able to
> > obtain a certificate from WoSign for github.io, taking control over the
> > entire domain.
>
> And there is now strong circumstantial evidence that WoSign now owns -
> or at least, directly controls - StartCom:
>
> https://www.letsphish.org/?part=about
>
> There are mixed signals of incompetence and deliberate action here.
>
> Royce
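The validation flaw Eric describes (prove control of percy.github.io, get a certificate for github.io) comes down to the direction of the scope check: a CA that treats any name sharing a suffix with the validated name as authorized will hand out certificates for parent domains. The code below is an added illustration, not part of this thread and not WoSign's actual issuance logic: `flawed_authorizes` models the bug as described, and `hardened_authorizes` enforces that a validated name covers only itself and names below it, and never a public suffix. The function names and the small `PUBLIC_SUFFIXES` set are constructed for the example; a real CA would consult the full Public Suffix List.

```python
# Added example, not code from the thread or from any CA. Simplified model of a
# domain-validation scope check, flawed and hardened versions side by side.
from __future__ import annotations

# Constructed stand-in for the Public Suffix List (assumption for this example;
# a real CA consults the full list). github.io is a public suffix: every
# account owner controls a subdomain of it, so nobody may be issued github.io.
PUBLIC_SUFFIXES = {"com", "org", "io", "github.io"}


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def is_ancestor_or_same(ancestor: str, name: str) -> bool:
    """True if `name` is exactly `ancestor` or lies below it in the DNS tree."""
    a, n = _labels(ancestor), _labels(name)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def flawed_authorizes(validated: str, requested: str) -> bool:
    """Model of the flaw: authorization is granted whenever the two names share
    a suffix in either direction, so proving control of percy.github.io
    also authorizes the parent github.io."""
    return is_ancestor_or_same(validated, requested) or is_ancestor_or_same(
        requested, validated
    )


def hardened_authorizes(validated: str, requested: str) -> bool:
    """Validated control of a name authorizes only that name and names below
    it. A wildcard request *.X is treated as a request for X. Names that are
    themselves public suffixes are never issued, whatever was validated."""
    base = requested[2:] if requested.startswith("*.") else requested
    base = ".".join(_labels(base))
    if base in PUBLIC_SUFFIXES:
        return False
    # Direction matters: the validated name must be the requested name or an
    # ancestor of it, never a descendant of it.
    return is_ancestor_or_same(validated, base)


if __name__ == "__main__":
    cases = [
        ("percy.github.io", "github.io"),
        ("percy.github.io", "*.github.io"),
        ("percy.github.io", "percy.github.io"),
        ("percy.github.io", "www.percy.github.io"),
        ("www.example.com", "example.com"),
    ]
    for validated, requested in cases:
        print(
            f"validated={validated:20} requested={requested:22} "
            f"flawed={flawed_authorizes(validated, requested)!s:5} "
            f"hardened={hardened_authorizes(validated, requested)}"
        )
```

The last case shows that the parent-domain rule does not depend on the suffix list at all: validating www.example.com must not authorize example.com even though example.com is a perfectly ordinary registered domain. The public-suffix check is a second, independent guard for names like github.io where "a subdomain" is something every customer of the hosting service controls.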