WoSign mistakenly assigns two user certificates

Mozilla was never informed of the mistakes and only one has been resolved.

A Chinese certificate authority mistakenly handed out legitimate user certificates for GitHub and the University of Central Florida (UCF) to a couple of unauthorized users.

The Register reported that Chinese certificate authority service WoSign assigned the certificates more than a year ago and that the problem was only partially resolved. The situation was revealed by Gervase Markham in a Google Mozilla security blog.

“In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain,” Markham said.

In the UCF case, WoSign mistakenly assigned a certificate for www.ucf.edu when an applicant was only trying to obtain a certificate for the subdomain med.ucf.edu. A researcher then used their control of several basic GitHub accounts to apply for and receive a certificate for www.github.com.
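The flaw described above is an issuance check that let proof of control over a subdomain authorize a name above it. As an added example (not WoSign's code and not part of the original article), here is a CA-side check in Python in which validation covers only the validated name and the names beneath it; the function names and the downward-only policy are assumptions made for illustration.

```python
def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, rejecting malformed input."""
    parts = name.strip().lower().rstrip(".").split(".")
    if any(not p for p in parts):
        raise ValueError(f"malformed DNS name: {name!r}")
    return parts


def is_authorized(requested: str, validated: str) -> bool:
    """Return True if proven control of `validated` covers `requested`.

    Assumed policy: authorization flows downward only. Control of
    med.ucf.edu covers med.ucf.edu and anything under it, never a parent
    (ucf.edu) or a sibling (www.ucf.edu).
    """
    val = labels(validated)
    if "*" in val:
        raise ValueError("a validated name must be a concrete FQDN")
    req = labels(requested)
    if req[0] == "*":
        req = req[1:]  # a wildcard is covered only if its base name is
    if "*" in req:
        raise ValueError(f"wildcard must be the leftmost label: {requested!r}")
    # Compare whole labels so 'xmed.ucf.edu' cannot match 'med.ucf.edu'.
    return len(req) >= len(val) and req[-len(val):] == val


def unauthorized_names(requested_sans, validated_names):
    """List every requested name that no validated name covers."""
    return [
        san for san in requested_sans
        if not any(is_authorized(san, v) for v in validated_names)
    ]


if __name__ == "__main__":
    # Constructed request modelled on the UCF case in the article: the
    # applicant proved control of med.ucf.edu only.
    request = ["med.ucf.edu", "www.ucf.edu", "ucf.edu", "*.med.ucf.edu"]
    rejected = unauthorized_names(request, ["med.ucf.edu"])
    print("refuse issuance for:", rejected)
```

Issuance should proceed only when `unauthorized_names` returns an empty list for the full set of names going into the certificate.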
