WoSign mistakenly assigns two user certificates | SC Media
August 29, 2016

A Chinese certificate authority mistakenly handed out legitimate user certificates for Github and the University of Central Florida (UCF) to a couple of unauthorized users.

The Register reported that Chinese certificate authority service WoSign issued the certificates more than a year ago and has only partially resolved the problem. The situation was revealed by Gervase Markham in a Google Mozilla security blog.

“In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain,” Markham said.

In the UCF case, WoSign mistakenly issued a certificate for www.ucf.edu when an applicant was only trying to obtain a certificate for the subdomain med.ucf.edu. A researcher then used their control of several basic Github accounts to apply for and receive a certificate for www.github.com.
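The flaw described above is a scoping error in domain-control validation: proof of control over a subdomain was treated as proof of control over its parent. The following is an added example, not WoSign's code, showing a flawed rule (any name under the same registrable domain is accepted) beside a correctly scoped rule in which a validated name covers only itself and its own subdomains, never its parents, and a public suffix can never serve as a validated name. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the real Public Suffix List, and the function names are this example's own.

```python
# Added example (not WoSign's or any CA's code). It contrasts the flawed
# validation scoping described in the article with a correctly scoped check.
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "edu", "net", "org", "co.uk"}


def normalize(name: str) -> str:
    """Lower-case a hostname and strip whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def registrable_domain(name: str):
    """Return the registrable domain (one label above the public suffix),
    or None when the name is itself a public suffix or has no known suffix."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the name itself is a public suffix
            return ".".join(labels[i - 1:])
    return None


def weak_covered_by(validated: str, requested: str) -> bool:
    """Flawed rule: accept any name that shares the registrable domain.
    Control of med.ucf.edu wrongly covers www.ucf.edu under this rule."""
    rd = registrable_domain(validated)
    return rd is not None and registrable_domain(requested) == rd


def covered_by(validated: str, requested: str) -> bool:
    """Correct rule: control of `validated` authorizes issuance only for
    `validated` itself and names beneath it, and never for a public suffix."""
    v, r = normalize(validated), normalize(requested)
    if not v or not r or registrable_domain(v) is None:
        return False
    return r == v or r.endswith("." + v)


def scope_request(validated_names, requested_sans):
    """Split a certificate request into names the validations cover
    and names that must be rejected (or validated separately)."""
    approved, rejected = [], []
    for san in requested_sans:
        if any(covered_by(v, san) for v in validated_names):
            approved.append(normalize(san))
        else:
            rejected.append(normalize(san))
    return approved, rejected


if __name__ == "__main__":
    # Constructed request modelled on the UCF case in the article.
    ok, bad = scope_request(["med.ucf.edu"],
                            ["med.ucf.edu", "www.ucf.edu", "ucf.edu", "portal.med.ucf.edu"])
    print("approved:", ok)
    print("rejected:", bad)
```

The weak rule reproduces the failure mode in the article: both `med.ucf.edu` and `www.ucf.edu` resolve to the registrable domain `ucf.edu`, so a subdomain validation is enough to obtain the parent. The scoped rule only walks downward from the validated name, which is the direction the CA/Browser Forum Baseline Requirements allow.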

