From 13ccb47a1758158a789523e9c77dad6b30c2c26b Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Thu, 8 Sep 2016 00:21:28 +0200 Subject: [PATCH] Add further WoSign incidents, per Mozilla wiki --- README.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e027f2b..d657ac5 100644 --- a/README.md +++ b/README.md 
@@ -102,8 +102,15 @@ This list is sorted alphabetically by the names of the Certificate Authorities. ### WoSign -* __April 23, 2015:__ WoSign incorrectly issues a certificate for a university system by allowing the applicant to verify their ownership on a high port - while not in violation of CA requirements at the time, this is widely understood to be a bad idea. The incident was not reported to Mozilla as it should have been. ([source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ)) -* __June 2015:__ WoSign incorrectly issues certificates for the base domains `www.ucf.edu`, `github.com`, `github.io`, and `www.github.io`, after an applicant verified their control of a *subdomain*. All of these certificates appear to have *not* been revoked at the time of writing (September 2016). The incident was, again, not reported to Mozilla as it should have been. ([source](https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ), [source](http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html)) +* __March 2015:__ WoSign is found to have issued over a thousand SHA1 certificates since January, that have a validity beyond January 1st, 2017. While not forbidden by CA requirements at the time, it was already strongly recommend against for security reasons. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_D:_Long-Lived_SHA-1_Certs_.28Jan_-_Mar_2015.29)) +* __March 2015:__ WoSign issues two certificates that are identical in every sense, including their serial number, *except* for their notBefore (ie. validity start) dates. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_F:_Certs_Identical_Except_For_NotBefore_.28Mar_2015.29)) +* __April 2015:__ WoSign issues 392 certificates with duplicate serial numbers. 
([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_H:_Duplicate_Serial_Numbers_.28Apr_2015.29)) +* __April 2015:__ WoSign violates a large number of CA requirements, and is found not to follow their own [Certification Practice Statement](https://en.wikipedia.org/wiki/Certification_Practice_Statement). ([source]()) ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29)) +* __April 23, 2015:__ WoSign incorrectly issues a certificate for a university system by allowing the applicant to verify their ownership on a high port - while not in violation of CA requirements at the time, this is widely understood to be a bad idea. The incident was not reported to Mozilla as it should have been. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_L:_Any_Port_.28Jan_-_Apr_2015.29), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ)) +* __June 2015:__ WoSign incorrectly issues certificates for the base domains `www.ucf.edu`, `github.com`, `github.io`, and `www.github.io`, after an applicant verified their control of a *subdomain*. All of these certificates appear to have *not* been revoked at the time of writing (September 2016). The incident was, again, not reported to Mozilla as it should have been. ([source](https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com), [source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_N:_Additional_Domain_Errors_.28June_2015.29), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ), [source](http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html)) * __August 2015:__ WoSign leaks SMTP credentials of their live support system, due to a misconfigured PHP instance that displays a full stacktrace. 
([source](https://www.lowendtalk.com/discussion/comment/1242533/#Comment_1242533)) -* __July 2016:__ WoSign is reported to have acquired StartCom, the evidence of which is published at letsphish.org. ([source](https://archive.is/8bSp6), full WARC archive in `sources/wosign-acquisition`) +* __November 2015:__ WoSign issues two certificates that use an unapproved cryptographic algorithm, and that appear to be duplicates of other certificates, including their serial number. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_P:_Use_of_SM2_Algorithm_.28Nov_2015.29)) +* __January 2016:__ WoSign is caught backdating at least 60 certificates by a month, thus preventing browsers from blocking these certificates for the use of SHA1 after January 1st, 2016. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29)) +* __June 2016:__ A certificate for `alicdn.com` that was issued by WoSign appears to be fraudulent. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_T:_alicdn.com_Misissuance_.28June_2016.29)) +* __July 2016:__ WoSign is reported to have acquired StartCom in November of 2015, the evidence of which is published at letsphish.org. ([source](https://archive.is/8bSp6), full WARC archive in `sources/wosign-acquisition`, [source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_R:_Purchase_of_StartCom_.28Nov_2015.29)) * __September 2016:__ WoSign threatens the author of letsphish.org with legal action, despite his publication being based on public information. They also attempt to prevent the information from spreading further by claiming that any third-party distribution will result in more penalties for the original author. ([source](http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/HpXF7QgMDQAJ))
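Review bot: The added "April 2015: WoSign violates a large number of CA requirements" bullet carries an empty `([source]())` link immediately before the real Mozilla wiki source; the empty link renders as a dead anchor and should be dropped so the bullet ends with a single `([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29))`. Two smaller wording points in the same hunk: the "March 2015" SHA1 bullet has "strongly recommend against" (should be "recommended"), and the duplicate-certificate bullet uses "ie." where the rest of the README would read "i.e.". Otherwise the new entries are consistent with the existing bullet format and each cites the corresponding Mozilla wiki issue.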