From ab0b9043c79d13076a2cf5a886760ddc2a84e430 Mon Sep 17 00:00:00 2001 From: Sven Slootweg Date: Fri, 2 Sep 2016 23:37:49 +0200 Subject: [PATCH] Add SMTP credential leak incident for WoSign --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 193d160..49ed59d 100644 --- a/README.md +++ b/README.md 
@@ -104,5 +104,6 @@ This list is sorted alphabetically by the names of the Certificate Authorities. * __April 23, 2015:__ WoSign incorrectly issues a certificate for a university system by allowing the applicant to verify their ownership on a high port - while not in violation of CA requirements at the time, this is widely understood to be a bad idea. The incident was not reported to Mozilla as it should have been. ([source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ)) * __June 2015:__ WoSign incorrectly issues certificates for the base domains `www.ucf.edu`, `github.com`, `github.io`, and `www.github.io`, after an applicant verified their control of a *subdomain*. All of these certificates appear to have *not* been revoked at the time of writing (September 2016). The incident was, again, not reported to Mozilla as it should have been. ([source](https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/8leLkhpoCgAJ), [source](http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html)) +* __August 2015:__ WoSign leaks SMTP credentials of their live support system, due to a misconfigured PHP instance that displays a full stacktrace. ([source](https://www.lowendtalk.com/discussion/comment/1242533/#Comment_1242533)) * __July 2016:__ WoSign is reported to have acquired StartCom, the evidence of which is published at letsphish.org. ([source](https://archive.is/8bSp6), full WARC archive in `sources/wosign-acquisition`) * __September 2016:__ WoSign threatens the author of letsphish.org with legal action, despite his publication being based on public information. They also attempt to prevent the information from spreading further by claiming that any third-party distribution will result in more penalties for the original author. 
([source](http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html), [source](https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/HpXF7QgMDQAJ))
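Review bot: the new August 2015 entry cites only a live forum comment (lowendtalk.com) for a security-relevant claim, while the neighbouring entries either cite mailing-list posts or carry an archived copy (the July 2016 entry links archive.is and ships a WARC under `sources/`); a forum comment can be edited or deleted, so add an archived copy of that source alongside the live link, in the same `([source](...), [source](...))` form the list already uses. The wording "leaks SMTP credentials ... due to a misconfigured PHP instance that displays a full stacktrace" also leaves the causal link implicit: a stack trace by itself does not expose credentials, so state what the trace contained (for example the SMTP connection parameters of the live support system, if that is what the source shows), and write "stack trace" as two words for consistency with the prose style of the other entries. Placement is correct: the list is chronological within the WoSign block and August 2015 sits between the June 2015 and July 2016 entries.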