Changes

CA/WoSign Issues

75 bytes added, 18:06, 8 September 2016
Update to clarify that reporter did not report to WoSign
The reporter proved that there was a problem in two ways. They accidentally discovered that there was a problem when trying to get a [https://crt.sh/?id=29805563 certificate] for med.ucf.edu and mistakenly also applied for www.ucf.edu, which was approved. They then used their control of schrauger.github.com/schrauger.github.io to get [https://crt.sh/?id=29647048 a cert] for github.com, github.io, and www.github.io. They also obtained [https://crt.sh/?id=29805567 another github cert] using a different subdomain of github.io. These are both, in fact, instances of bug N2.
WoSign discovered the github misissuances due to a post-issuance review the following day, triggered by "github" being on their list of high-value domains. Those certs were revoked. However, no further investigation was performed, and several other certificates were misissued subsequently. The bugs were fixed two months later, on August 10th, in an unrelated major update.
* Recently, the reporter of the issue got in touch with Google to note that the ucf.edu cert still had not been revoked almost a year later. The lack of revocation of the ucf.edu certificate strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem. Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes misissuance, and expects CAs to keep records detailed enough to make it possible.
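As an added illustration (not content from the wiki page, and not WoSign's or anyone else's real validation code), the following script shows the two checks the paragraphs above imply a CA should have had: an authorization rule that a requested name must be the validated domain or one of its subdomains (so proving control of med.ucf.edu or schrauger.github.io cannot yield www.ucf.edu, github.com or github.io), and an audit over issuance records that finds every certificate whose names are not covered by what the requester validated. The issuance records are constructed from the cases described on the page; the validation model and the record layout are assumptions.

```python
"""Added example: domain-validation coverage check and issuance-record audit.

Assumption: a requester who demonstrated control of domain D may be issued
names equal to D or strictly beneath D. Records below are constructed from the
misissuance cases described on the page; they are not real issuance data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def covered_by(requested: str, validated: str) -> bool:
    """True if `requested` is `validated` itself or a subdomain of it."""
    r, v = normalize(requested), normalize(validated)
    return r == v or r.endswith("." + v)


def split_sans(requested: List[str], validated: List[str]) -> Tuple[List[str], List[str]]:
    """Partition requested names into (allowed, rejected) against validated domains."""
    allowed, rejected = [], []
    for san in requested:
        if any(covered_by(san, v) for v in validated):
            allowed.append(normalize(san))
        else:
            rejected.append(normalize(san))
    return allowed, rejected


@dataclass
class IssuanceRecord:
    cert_id: str          # crt.sh id taken from the page text
    validated: List[str]  # domains the requester proved control of
    sans: List[str]       # names actually placed in the certificate


# Constructed records mirroring the page's description of the incident.
SAMPLE_RECORDS = [
    IssuanceRecord("29805563", ["med.ucf.edu"], ["med.ucf.edu", "www.ucf.edu"]),
    IssuanceRecord("29647048", ["schrauger.github.io"],
                   ["schrauger.github.io", "github.com", "github.io", "www.github.io"]),
    IssuanceRecord("benign-1", ["example.com"], ["example.com", "www.example.com"]),
]


def audit(records: List[IssuanceRecord]) -> Dict[str, List[str]]:
    """Map each record's cert_id to the names it was not authorized to hold.

    Only records with at least one uncovered name are returned; an empty dict
    means the database contains no certificate of the kind bug N2 produced.
    """
    findings: Dict[str, List[str]] = {}
    for rec in records:
        _, rejected = split_sans(rec.sans, rec.validated)
        if rejected:
            findings[rec.cert_id] = sorted(rejected)
    return findings


if __name__ == "__main__":
    for cert_id, names in audit(SAMPLE_RECORDS).items():
        print(f"cert {cert_id}: unauthorized names {names}")
```

The audit is the step the last paragraph says was missing: revoking the two github certificates handles the reported examples, while running the same coverage rule across every record in the issuance database finds the ucf.edu certificate and any other instance of the same defect. That presupposes the CA stores, per certificate, which domains were actually validated.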