We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.
-mel beckman

> On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>
> mozilla.dev.security thread:
>
> https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
>
>> On Aug 30, 2016 10:12 PM, "Royce Williams" <ro...@techsolvency.com> wrote:
>>
>> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>>>
>>> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>>>
>>> One of the largest Chinese root certificate authorities, WoSign, issued many
>>> fake certificates due to a vulnerability. WoSign's free certificate
>>> service allowed its users to get a certificate for the base domain if they
>>> were able to prove control of a subdomain. This means that if you can
>>> control a subdomain of a major website, say percy.github.io, you're able to
>>> obtain a certificate by WoSign for github.io, taking control over the
>>> entire domain.
>>
>> And there is now strong circumstantial evidence that WoSign now owns -
>> or at least, directly controls - StartCom:
>>
>> https://www.letsphish.org/?part=about
>>
>> There are mixed signals of incompetence and deliberate action here.
>>
>> Royce
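The validation flaw described in the quoted article, as an added example that is not part of the original thread and is not WoSign's code: a CA-side scope check written the flawed way and the strict way, run over constructed requests. All function names are hypothetical, and the strict rule (a validated name authorizes itself and names below it only) is a simplifying assumption.

```python
def _labels(name: str) -> list[str]:
    """Normalize a DNS name to lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def flawed_may_issue(validated: str, requested: str) -> bool:
    """Behaviour described in the thread: proving control of a subdomain
    is accepted as authorization for the base domain above it."""
    v, r = _labels(validated), _labels(requested)
    shorter, longer = (v, r) if len(v) <= len(r) else (r, v)
    # Related in either direction counts, so authorization flows upward too.
    return longer[-len(shorter):] == shorter


def strict_may_issue(validated: str, requested: str) -> bool:
    """Authorization only flows downward: the requested name must equal
    the validated name or be a subdomain of it."""
    v, r = _labels(validated), _labels(requested)
    if not all(v) or not all(r):  # reject empty labels such as "a..b"
        return False
    # Compare whole labels, not string suffixes, so "notgithub.io"
    # can never match "github.io".
    return len(r) >= len(v) and r[-len(v):] == v


# Constructed sample: (name the requester proved control of, name requested)
REQUESTS = [
    ("percy.github.io", "percy.github.io"),
    ("percy.github.io", "github.io"),
    ("github.io", "www.github.io"),
    ("percy.github.io", "notgithub.io"),
]


def audit(requests):
    """Return requests the flawed check approves but the strict check refuses."""
    return [(v, r) for v, r in requests
            if flawed_may_issue(v, r) and not strict_may_issue(v, r)]


if __name__ == "__main__":
    for validated, requested in audit(REQUESTS):
        print(f"mis-issuance: validated {validated}, requested {requested}")
```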