[191258] in North American Network Operators' Group
Re: Chinese root CA issues rogue/fake certificates
daemon@ATHENA.MIT.EDU (Royce Williams)
Wed Aug 31 01:12:26 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <CAB69EHjh+xLBzP+XoEUpo3fRYC_33aQWCEuDZPJc8MtxdshjQg@mail.gmail.com>
From: Royce Williams <royce@techsolvency.com>
Date: Tue, 30 Aug 2016 21:11:52 -0800
To: Eric Kuhnke <eric.kuhnke@gmail.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
>
> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>
> One of the largest Chinese root certificate authorities, WoSign, issued many
> fake certificates due to a vulnerability. WoSign's free certificate
> service allowed its users to get a certificate for the base domain if they
> were able to prove control of a subdomain. This means that if you can
> control a subdomain of a major website, say percy.github.io, you're able to
> obtain a certificate from WoSign for github.io, taking control over the
> entire domain.
And there is now strong circumstantial evidence that WoSign now owns -
or at least, directly controls - StartCom:
https://www.letsphish.org/?part=about
There are mixed signals of incompetence and deliberate action here.
Royce