An applicant could obtain a free SSL certificate for a base domain simply by proving control of one of its subdomains.
The Chinese certification authority (CA) WoSign, which specializes in issuing free SSL certificates, mistakenly issued certificates for the base domains of GitHub and the University of Central Florida to an ordinary user.
According to Mozilla employee Gervase Markham, the incident occurred in April of last year, but the company has only learned of it now. The flaw was found by a student at the University of Central Florida whose name has not been disclosed.
The researcher requested a certificate for the subdomain med.ucf.edu but accidentally listed another domain, www.ucf.edu, in the request. WoSign approved the application and issued the certificates. In the same way the student was able to obtain certificates for the domains github.com, github.io and www.github.io.
According to Markham, the underlying problem is that an applicant can receive a free SSL certificate for a base domain if he can prove control of a subdomain of it: WoSign's validation treated control of the subdomain as control of the parent domain. WoSign was informed of the error immediately, but it revoked only the certificate for GitHub.
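The following is an added illustration of the validation mistake described above, not WoSign's actual code or anything published by Mozilla. It is a hypothetical reconstruction: a weak rule that authorises any name sharing the same base domain as the validated name, next to the correct rule that only authorises the validated name itself and names beneath it in the DNS tree. The sample names are the ones from the article; the function names are invented here.

```python
"""Domain-control validation (DCV) scope check.

Hypothetical reconstruction for illustration, not a CA's real code. It models
the class of error in the article: treating proof of control over one host
name as proof of control over the base domain that host belongs to.
"""


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, strip a trailing dot, split on dots."""
    name = name.strip().lower().rstrip(".")
    if not name or any(not label for label in name.split(".")):
        raise ValueError(f"malformed DNS name: {name!r}")
    return name.split(".")


def base_domain(name: str, suffix_labels: int = 2) -> str:
    """Crude 'base domain': the last suffix_labels labels of the name.

    A real CA must consult the Public Suffix List here; a fixed label count is
    the kind of shortcut that misfires (e.g. it would treat co.uk as a domain).
    """
    labels = _labels(name)
    return ".".join(labels[-suffix_labels:])


def weak_authorises(validated: str, requested: str) -> bool:
    """Flawed rule: any name under the same base domain is allowed.

    Proving control of med.ucf.edu therefore 'authorises' www.ucf.edu and even
    ucf.edu itself, which is the failure the article describes.
    """
    return base_domain(validated) == base_domain(requested)


def strict_authorises(validated: str, requested: str) -> bool:
    """Correct rule: requested must be the validated name or lie beneath it.

    Control is proven only for the validated name and its subtree; it never
    flows upward to a parent or sideways to a sibling. Comparison is done on
    whole labels, so notmed.ucf.edu does not match med.ucf.edu by string suffix.
    """
    v, r = _labels(validated), _labels(requested)
    return len(r) >= len(v) and r[-len(v):] == v


def check_order(validated: str, requested_names: list[str]) -> dict[str, bool]:
    """Per requested name, say whether issuance is permitted under the strict rule."""
    return {name: strict_authorises(validated, name) for name in requested_names}


if __name__ == "__main__":
    # Constructed sample: the request from the article, validated for med.ucf.edu
    # but also naming www.ucf.edu.
    order = ["med.ucf.edu", "www.ucf.edu"]
    for name in order:
        print(f"{name:14} weak={weak_authorises('med.ucf.edu', name)} "
              f"strict={strict_authorises('med.ucf.edu', name)}")
```

Under the weak rule both names pass, so a certificate for www.ucf.edu is issued on the strength of control over med.ucf.edu; under the strict rule www.ucf.edu is refused while med.ucf.edu and anything beneath it (api.med.ucf.edu) is allowed. The same check is what stops a subdomain of github.com from vouching for github.com itself.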
“The certificate for ucf.edu has not been revoked, which indicates a lack of ability or willingness on WoSign's part to check its database for such errors,” said Markham.