China: The Chinese certificate authority “WoSign” committed one of the most serious mis-issuance lapses a public CA can make, by issuing certificates for GitHub’s base domains to an unidentified GitHub user who controlled only a subdomain.
The certificate authority is alleged to have issued SSL/TLS certificates for a base domain to anyone who could prove control of one of its subdomains. The flaw in the company’s certificate management system was documented by Mozilla developer “Gervase Markham”.
According to Markham, an anonymous security researcher stumbled on the flaw in WoSign’s certificate management when, wanting a certificate for “med.ucf.edu”, he unintentionally also requested one for “www.ucf.edu”.
Surprisingly, WoSign approved the request and immediately issued a certificate for a domain the researcher did not control. He then confirmed the vulnerability using a user-controlled GitHub subdomain, which was enough to obtain certificates for GitHub’s base domains.
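The flaw described above is a direction-of-inference bug in domain control validation: control of a child name was treated as control of the parent. The following is an added example, not WoSign’s code or anything from Markham’s report; it puts a flawed authorization rule modelled on the bug next to a corrected one. The GitHub account name is constructed, and “base domain” is simplified to the last two labels (a real CA must consult the Public Suffix List, where e.g. github.io is itself a suffix).

```python
"""Domain-control authorization: a flawed rule next to a corrected one.

Added example, not WoSign's code. The account name "someuser" is constructed,
and base_domain() is a deliberate simplification of "registrable domain".
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip surrounding whitespace and trailing dot."""
    return name.strip().rstrip(".").lower()


def base_domain(name: str) -> str:
    """Simplified 'registrable domain': the last two labels.

    Real CAs use the Public Suffix List; two labels are wrong for names such
    as example.co.uk or someuser.github.io, where github.io is a public suffix.
    """
    labels = normalize(name).split(".")
    return ".".join(labels[-2:])


def is_subdomain_of(child: str, parent: str) -> bool:
    """True if child is strictly beneath parent in the DNS tree."""
    child, parent = normalize(child), normalize(parent)
    return child != parent and child.endswith("." + parent)


def authorize_flawed(validated: str, requested: str) -> bool:
    """Flawed rule modelled on the bug: proving control of ANY name under a
    base domain is treated as proof of control of the base domain itself,
    so every name under it, including the apex, is authorized."""
    requested = normalize(requested)
    base = base_domain(validated)
    return requested == base or is_subdomain_of(requested, base)


def authorize_fixed(validated: str, requested: str) -> bool:
    """Corrected rule: a validated name authorizes exactly that name and the
    names beneath it. Control of a child never implies control of a parent.
    (Validating a parent and issuing for its children is the direction the
    CA/Browser Forum Baseline Requirements permit for most methods.)"""
    validated, requested = normalize(validated), normalize(requested)
    return requested == validated or is_subdomain_of(requested, validated)


def review_request(validated: str, requested_names: list[str]) -> dict:
    """Show which requested names each rule would issue for one validated name."""
    return {
        "validated": normalize(validated),
        "flawed_issues": [n for n in requested_names if authorize_flawed(validated, n)],
        "fixed_issues": [n for n in requested_names if authorize_fixed(validated, n)],
    }


if __name__ == "__main__":
    # Constructed requests reproducing the two cases described in the report.
    cases = [
        ("med.ucf.edu", ["med.ucf.edu", "www.ucf.edu", "ucf.edu"]),
        ("someuser.github.io", ["someuser.github.io", "github.io", "www.github.io"]),
    ]
    for validated, names in cases:
        r = review_request(validated, names)
        print(
            f"control of {r['validated']}: flawed rule issues {r['flawed_issues']}, "
            f"fixed rule issues {r['fixed_issues']}"
        )
```

Run stand-alone, the script shows that the flawed rule hands out “ucf.edu” and “www.ucf.edu” to someone who proved control only of “med.ucf.edu”, and “github.io” to someone who controls a single user subdomain, while the corrected rule issues only for the validated name and names beneath it.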
“An applicant found a problem with WoSign’s free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.”
– An Official Statement by Gervase Markham
The Concern Has Just Begun
Billions of Internet users worldwide rely on the public certificate authority system to protect the confidentiality of their data, usually without considering the risks that come with trusting it.
What concerns security researchers most is that it is still unclear how many certificates were mis-issued this way before the flaw was found. In addition, WoSign needs to notify the owners of the affected domains, whose certificates were issued to unauthorized individuals.