Chinese CA issued SSL certificate for GitHub domain to an ordinary user

locki

An applicant could obtain a free SSL certificate for a base domain merely by proving control of one of its subdomains.

The Chinese certification authority (CA) WoSign, which specializes in issuing free SSL certificates, mistakenly issued certificates for the base domains of GitHub and the University of Central Florida to an ordinary user.

According to Mozilla employee Gervase Markham, the incident occurred in April last year, but the company learned of it only now. The vulnerability was found by a student of the University of Central Florida (his name is not disclosed).

The researcher filed a request for a certificate for the subdomain med.ucf.edu and accidentally listed another domain in it, www.ucf.edu. WoSign approved the application and issued the certificates. In the same way the student was able to obtain certificates for the domains github.com, github.io and www.github.io.

According to Markham, the problem is that an applicant could obtain a free SSL certificate for a base domain after confirming control of only one of its subdomains: the validation result was applied to the parent domain instead of being limited to the name actually validated. WoSign was informed of the error immediately, but revoked only the GitHub certificate.
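To make the flaw concrete, here is an added example (not WoSign's code) that contrasts a validation scope based on the shared base domain with the correct rule: control of med.ucf.edu authorizes med.ucf.edu and names below it, never ucf.edu or www.ucf.edu. The flawed function is an assumed reconstruction of the reported behaviour, and the SAN request is constructed from the names in this article.

```python
# Added example: scoping a CA's domain-control validation. Not WoSign's
# code; `flawed_covers` is an assumed reconstruction of the reported bug.

def _labels(name):
    """Split a DNS name into lower-cased labels, dropping a trailing dot."""
    return name.lower().rstrip(".").split(".")

def flawed_covers(validated, requested):
    """Assumed faulty rule: any name sharing the last two labels (the base
    domain) with the validated name is treated as authorized."""
    return _labels(validated)[-2:] == _labels(requested)[-2:]

def strict_covers(validated, requested):
    """Correct rule: the requested name must equal the validated name or
    lie strictly below it, compared label by label (no substring matching)."""
    v, r = _labels(validated), _labels(requested)
    return len(r) >= len(v) and r[-len(v):] == v

def check_san_request(validated_names, sans, covers=strict_covers):
    """Split a CSR's SAN list into (approved, rejected) using `covers`."""
    approved, rejected = [], []
    for san in sans:
        ok = any(covers(v, san) for v in validated_names)
        (approved if ok else rejected).append(san)
    return approved, rejected

if __name__ == "__main__":
    # Constructed request modelled on the incident: only med.ucf.edu was
    # validated, but the CSR also names the parent and a sibling.
    validated = {"med.ucf.edu"}
    sans = ["med.ucf.edu", "www.ucf.edu", "ucf.edu"]
    print("flawed :", check_san_request(validated, sans, covers=flawed_covers))
    print("strict :", check_san_request(validated, sans))
```

With the flawed rule every name in the request is approved; with the strict rule only med.ucf.edu survives and the other two are rejected for separate validation.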

“The certificate for ucf.edu has not been revoked, indicating either an inability or a reluctance on WoSign's part to check its database for such errors,” said Markham.
