[191260] in North American Network Operators' Group


Re: Chinese root CA issues rogue/fake certificates

daemon@ATHENA.MIT.EDU (Mel Beckman)
Wed Aug 31 02:50:19 2016

X-Original-To: nanog@nanog.org
From: Mel Beckman <mel@beckman.org>
To: Eric Kuhnke <eric.kuhnke@gmail.com>
Date: Wed, 31 Aug 2016 06:50:12 +0000
In-Reply-To: <CAB69EHiHtJXM2NSnQ9sD4uv1JVv2cowgUpG34c1mOuRDbopfGw@mail.gmail.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is pushing buttons to try to take over these domains or operate MITM attacks.

 -mel beckman

> On Aug 30, 2016, at 11:03 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
>
> mozilla.dev.security thread:
>
> https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion
>
>
>> On Aug 30, 2016 10:12 PM, "Royce Williams" <royce@techsolvency.com> wrote:
>>
>> On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
>>>
>>> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html
>>>
>>> One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say percy.github.io, you're able to obtain a certificate by WoSign for github.io, taking control over the entire domain.
>>
>>
>> And there is now strong circumstantial evidence that WoSign now owns - or at least, directly controls - StartCom:
>>
>> https://www.letsphish.org/?part=about
>>
>> There are mixed signals of incompetence and deliberate action here.
>>
>> Royce
>>
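As an added example (not code from this thread, and not WoSign's own code): the base-domain authorization flaw described in the quoted post, written as the broken check beside a hardened one that a CA's domain-validation step should apply. The name percy.github.io comes from the post; the PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List.

```python
# Added example: which certificate names does one successful domain-control
# check authorize? Proving control of a subdomain must never authorize a
# certificate for its parent (the bug the quoted post describes).
#
# Assumptions (constructed for this example, not WoSign's real code):
#   - the CA records the exact FQDN the applicant proved control of
#   - PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List

PUBLIC_SUFFIXES = {"com", "io", "org", "github.io"}  # constructed sample


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def authorizes_vulnerable(validated: str, requested: str) -> bool:
    """Broken check: accepts any request that shares the last two labels, so
    validating percy.github.io 'proves' control of github.io and its siblings."""
    return _labels(validated)[-2:] == _labels(requested)[-2:]


def authorizes(validated: str, requested: str) -> bool:
    """Hardened check: the requested name must equal the validated name or lie
    *under* it, and must not itself be a public suffix."""
    v, r = _labels(validated), _labels(requested)
    if ".".join(r) in PUBLIC_SUFFIXES:
        return False  # no certificate for a registry-controlled suffix
    if len(r) < len(v):
        return False  # requested name sits above the validated name
    return r[-len(v):] == v  # same name, or a child of it


def review_requests(validated: str, requests: list[str]) -> dict[str, bool]:
    """Decide each requested name against the single validated name."""
    return {name: authorizes(validated, name) for name in requests}


if __name__ == "__main__":
    proved = "percy.github.io"  # what the applicant demonstrated control of
    wanted = ["github.io", "percy.github.io", "www.percy.github.io", "other.github.io"]
    print("vulnerable:", {n: authorizes_vulnerable(proved, n) for n in wanted})
    print("hardened:  ", review_requests(proved, wanted))
```

The broken check is also what a registrant should assume the far side might be running: any unexpected request for a parent or sibling name is a signal to check Certificate Transparency logs for issuance you did not request.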
