It was discovered that China's largest certificate authority "WoSign" issued fake certificates


By Barney Moss

WoSign, China's largest certificate authority, issues SSL certificates for free, which has made it handy for many home server users. It has now been revealed that it issued a large number of "fake certificates".

The story of how WoSign gave me an SSL certificate for GitHub.com | Schrauger.com
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com


Thoughts and Observations: Chinese CA WoSign faces revocation after possibly issuing fake certificates of Github, Microsoft and Alibaba
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html

SSL stands for "Secure Sockets Layer". By encrypting data as it is sent and received, it lets you securely exchange personal information and important data such as credit card numbers over the net.

For example, when you access the online shopping site Amazon.co.jp with Firefox, the URL starts with "https", as in "https://www.amazon.co.jp", and a key (padlock) icon appears to its left. This indicates that the site has deployed SSL.


On the site side, SSL is deployed by having an SSL server certificate issued and saving / installing it on the server. Certificate authorities that issue these certificates include Symantec, GlobalSign and China's WoSign. WoSign offers a "WoSign Free SSL Certificate" that can be used free of charge for 3 years, which has made it useful for people who want to deploy SSL on a home server.

However, it was found that WoSign had a vulnerability whereby a certificate for the base domain could be issued to someone who only had control over a subdomain.
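To make the flaw concrete, here is an added example (not code from the article or from WoSign) modelling the domain-control check a CA performs before putting names on a certificate. The CA has confirmed that the applicant controls `validated` (for instance med.ucf.edu) and must decide which requested names that proof covers. `vulnerable_policy` reconstructs the class of scoping error described above, where proof for a subdomain also unlocks its parent; `hardened_policy` is the correct scoping. The domain names are the ones in the article; the GitHub user name in the usage note is a constructed placeholder.

```python
# Added example (not from the article or from WoSign): a minimal model of the
# domain-control scoping decision a CA makes before issuing names.  The CA has
# already confirmed the applicant controls `validated`; the question is which
# of the requested names that proof covers.


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to its lowercase labels, without a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def is_within(name: str, validated: str) -> bool:
    """True if `name` is `validated` itself or a subdomain of it.

    Comparison is label by label, so "evilmed.ucf.edu" does not match a
    validation of "med.ucf.edu" the way a plain str.endswith() check would.
    """
    n, v = _labels(name), _labels(validated)
    return len(n) >= len(v) and n[-len(v):] == v


def vulnerable_policy(validated: str, requested: list[str]) -> list[str]:
    """Flawed scoping: accept any name that shares the validated domain's
    last two labels.  Proof of control over med.ucf.edu therefore also
    unlocks ucf.edu and www.ucf.edu, which the applicant does not control."""
    v = _labels(validated)
    return [name for name in requested if _labels(name)[-2:] == v[-2:]]


def hardened_policy(validated: str, requested: list[str]) -> list[str]:
    """Correct scoping: control of a domain proves control of that domain
    and of names beneath it, never of its parents or of sibling names."""
    return [name for name in requested if is_within(name, validated)]


def compare(validated: str, requested: list[str]) -> dict[str, list[str]]:
    """Return what each policy would put on the certificate, plus the names
    the flawed policy issues without any proof of control."""
    bad = vulnerable_policy(validated, requested)
    good = hardened_policy(validated, requested)
    return {
        "vulnerable": bad,
        "hardened": good,
        "over_issued": [n for n in bad if n not in good],
    }


if __name__ == "__main__":
    # The request from the article: control proven for med.ucf.edu, but the
    # university-wide names were entered as well.
    req = ["med.ucf.edu", "www.med.ucf.edu", "ucf.edu", "www.ucf.edu"]
    for policy, names in compare("med.ucf.edu", req).items():
        print(f"{policy:>12}: {names}")
```

Running the block prints the university-wide names under "over_issued". The same check with a constructed GitHub Pages name such as `example-user.github.io` as the validated domain shows why a user subdomain must never unlock `github.io` itself: the hardened policy only returns names at or below the validated label.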

This was discovered by chance by Stephen Schrauger, who managed the website of the University of Central Florida College of Medicine. When making the College of Medicine's official site (http://med.ucf.edu) SSL-capable, Mr. Schrauger, thinking it might save money, decided to try obtaining a certificate from WoSign, which had begun issuing free SSL certificates in spring 2015.

UCF College of Medicine
https://med.ucf.edu/


Obtaining the certificate for "med.ucf.edu" went without a problem, but when applying to add the "www" subdomain, Mr. Schrauger mistakenly entered the university-wide "www.ucf.edu" as the subject domain instead of the College of Medicine's "www.med.ucf.edu".

Mr. Schrauger is the administrator of the College of Medicine site (med.ucf.edu), not of the university's site (ucf.edu), so he cannot touch "ucf.edu" or "www.ucf.edu". Mr. Schrauger noticed his mistake in having targeted the university-wide site, but WoSign had already issued a certificate for "ucf.edu" rather than "med.ucf.edu".

Thinking "no way", Mr. Schrauger ran a test with GitHub, which gives each user a subdomain, and as a result succeeded in obtaining certificates for "github.com" and "github.io". There was a big hole in WoSign's certificate issuance, and it turned out to be in a state where "fake certificates" could be issued.

When this case was reported, the certificates for "github.com" and "github.io" that Mr. Schrauger had obtained were revoked, but it is known that many of the "fake certificates" issued by WoSign still have not been revoked. It seems this problem had already been left unattended for more than 14 months.

According to Solidot, the Chinese counterpart of Slashdot, countermeasures including the revocation of WoSign's certificates are being discussed on the security mailing list of Mozilla developer Gervase Markham.

Solidot | Mozilla considers taking action against the WoSign CA
http://www.solidot.org/story?sid=49448

Since WoSign is one of the largest certificate issuers in China and its certificates are in use on SSL-enabled sites across China, it is thought that a major problem will arise if WoSign's certificates are invalidated.

in Security, Posted by logc_nt