Add SMTP credential leak incident for WoSign

master
Sven Slootweg 8 years ago
parent bf94ea6055
commit ab0b9043c7

@ -104,5 +104,6 @@ This list is sorted alphabetically by the names of the Certificate Authorities.
* __April 23, 2015:__ WoSign incorrectly issues a certificate for a university system by allowing the applicant to verify their ownership on a high port - while not in violation of CA requirements at the time, this is widely understood to be a bad idea. The incident was not reported to Mozilla as it should have been. ([source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ))
* __June 2015:__ WoSign incorrectly issues certificates for the base domains `www.ucf.edu`, `github.com`, `github.io`, and `www.github.io`, after an applicant verified their control of a *subdomain*. All of these certificates appear to have *not* been revoked at the time of writing (September 2016). The incident was, again, not reported to Mozilla as it should have been. ([source](https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ), [source](http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html))
* __August 2015:__ WoSign leaks SMTP credentials of their live support system, due to a misconfigured PHP instance that displays a full stacktrace. ([source](https://www.lowendtalk.com/discussion/comment/1242533/#Comment_1242533))
* __July 2016:__ WoSign is reported to have acquired StartCom, the evidence of which is published at letsphish.org. ([source](https://archive.is/8bSp6), full WARC archive in `sources/wosign-acquisition`)
* __September 2016:__ WoSign threatens the author of letsphish.org with legal action, despite his publication being based on public information. They also attempt to prevent the information from spreading further by claiming that any third-party distribution will result in more penalties for the original author. ([source](http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/HpXF7QgMDQAJ))
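Review bot: The new August 2015 entry is backed only by a single live forum comment (lowendtalk.com) with no archived copy, whereas the July 2016 entry right after it carries an archive.is link and a WARC under `sources/wosign-acquisition`. Forum comments can be edited or deleted, so consider adding an archive snapshot or a saved copy under `sources/` next to the live URL. The entry also leaves out the follow-up status that the neighbouring entries record ("not reported to Mozilla", "not been revoked"); if the source says whether the exposed SMTP credentials were changed or the leak was acknowledged, add that. Minor wording: "stacktrace" reads better as "stack trace".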
