A Chinese certificate authority mistakenly handed out legitimate user certificates for GitHub and the University of Central Florida (UCF) to a couple of unauthorized users.
The Register reported that the Chinese certificate authority WoSign issued the certificates more than a year ago and that the problem was only partially resolved. The situation was revealed by Gervase Markham in a Google Mozilla security blog post.
“In June 2015, an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain,” Markham said.
In the UCF case, WoSign mistakenly issued a certificate for www.ucf.edu when an applicant was only trying to obtain a certificate for the subdomain med.ucf.edu. A researcher then used their control of several basic GitHub accounts to apply for and receive a certificate for www.github.com.