From a912027e614738032509407edaaa8f1fce00fdbb Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Thu, 8 Sep 2016 00:24:11 +0200 Subject: [PATCH] Add StartEncrypt incident to WoSign incidents --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d657ac5..5601863 100644 --- a/README.md +++ b/README.md 
@@ -112,5 +112,6 @@ This list is sorted alphabetically by the names of the Certificate Authorities. * __November 2015:__ WoSign issues two certificates that use an unapproved cryptographic algorithm, and that appear to be duplicates of other certificates, including their serial number. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_P:_Use_of_SM2_Algorithm_.28Nov_2015.29)) * __January 2016:__ WoSign is caught backdating at least 60 certificates by a month, thus preventing browsers from blocking these certificates for the use of SHA1 after January 1st, 2016. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29)) * __June 2016:__ A certificate for `alicdn.com` that was issued by WoSign appears to be fraudulent. ([source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_T:_alicdn.com_Misissuance_.28June_2016.29)) +* __July 2016:__ WoSign is involved in issuance of backdated SHA1 certificates in StartCom's StartEncrypt API, signed by WoSign rather than StartCom. The incident was not reported to Mozilla as it should have been. ([source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ)) * __July 2016:__ WoSign is reported to have acquired StartCom in November of 2015, the evidence of which is published at letsphish.org. ([source](https://archive.is/8bSp6), full WARC archive in `sources/wosign-acquisition`, [source](https://wiki.mozilla.org/CA:WoSign_Issues#Issue_R:_Purchase_of_StartCom_.28Nov_2015.29)) * __September 2016:__ WoSign threatens the author of letsphish.org with legal action, despite his publication being based on public information. They also attempt to prevent the information from spreading further by claiming that any third-party distribution will result in more penalties for the original author. 
([source](http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/HpXF7QgMDQAJ))
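Review bot: The added July 2016 bullet says WoSign "is involved in issuance" of the backdated SHA1 certificates, which is vaguer than the neighbouring entries ("WoSign issues two certificates", "WoSign is caught backdating") and leaves the issuer unclear. The same sentence says the certificates were signed by WoSign rather than StartCom, so name the actor directly, for example "Backdated SHA1 certificates are issued through StartCom's StartEncrypt API, signed by WoSign rather than StartCom." The clause "as it should have been" asserts a reporting duty without naming it; either cite the requirement or end the sentence at "was not reported to Mozilla". The only source is a mailing-list message in the same thread (k9PBmyLCi8I) that the September 2016 entry cites, while the other WoSign incidents link to a section of wiki.mozilla.org/CA:WoSign_Issues; if a matching wiki section exists, add it as a second source so the sourcing stays consistent. The bullet directly below records WoSign's acquisition of StartCom, so a short cross-reference to it would give readers context for a WoSign signature on a StartCom API.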