Chinese Certificate Authority Leaked GitHub Certificates

  • Saad Qureshi
  • Aug-30-2016
  • 0 Comments

China: The Chinese certificate authority “WoSign” committed what the author considers the biggest security breach of all time by handing over a certificate for GitHub's base domain to an unidentified GitHub user.

The certificate authority is alleged to have given away duplicate SSL certificates for a base domain to anyone who could prove control over one of its subdomains. The flaw in the company’s certificate management system was discovered by Mozilla programmer Gervase Markham.

According to Markham, an anonymous security researcher discovered the flaw in WoSign’s certificate management by accident: he wanted a certificate for “med.ucf.edu” but unintentionally requested one for “www.ucf.edu”.

Surprisingly, WoSign approved the request and immediately issued a certificate for the base domain. The researcher then explored the vulnerability further using control over a user-controlled subdomain, which was later used to obtain a certificate for GitHub's base domain.

“An applicant found a problem with WoSign’s free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain.”

– An Official Statement by Gervase Markham
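The failure mode described above is an authorization-scoping bug: control of a subdomain was treated as control of its parent. The following added example (not code from the article, from WoSign or from Mozilla) models that issuer-side check in miniature, with the flawed rule beside a hardened one in which authorization only flows downward from a validated name. The domain names in the sample run are constructed for illustration; real-world handling of the public suffix list and of the CA/Browser Forum validation methods is out of scope here.

```python
"""Which certificate names should one proof of domain control unlock?

Added example (not the article's, WoSign's or Mozilla's code). A CA confirms
that an applicant controls ONE DNS name; the security question is which
Subject Alternative Names that proof may authorize on the issued certificate.
"""


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def covers(validated: str, requested: str) -> bool:
    """Hardened rule: a validated name covers itself and names beneath it.

    Authorization flows downward only. Proving control of 'ucf.edu' may
    authorize 'www.ucf.edu' or '*.ucf.edu', but proving control of
    'med.ucf.edu' never authorizes 'ucf.edu' or its other children.
    (Public-suffix handling is deliberately omitted in this illustration.)
    """
    v, r = _normalize(validated), _normalize(requested)
    if r.startswith("*."):
        # A wildcard needs validation of the name under the wildcard label
        # (or an ancestor of it), never of a sibling or child.
        r = r[2:]
    return r == v or r.endswith("." + v)


def _naive_base_domain(name: str) -> str:
    """Take the last two labels as the 'base domain' (constructed flawed logic)."""
    labels = _normalize(name).split(".")
    return ".".join(labels[-2:])


def flawed_covers(validated: str, requested: str) -> bool:
    """Flawed rule modelling the mis-issuance described in the article:
    control of ANY subdomain is widened to control of the naive base
    domain, so it authorizes the parent and every sibling.
    """
    return covers(_naive_base_domain(validated), requested)


def uncovered_names(validated_names, san_list, covers_fn=covers):
    """Return the requested SANs that no validated name authorizes.

    An issuer must refuse the request (or drop these names) when the
    list is non-empty. ``covers_fn`` selects the rule under test.
    """
    return [
        san for san in san_list
        if not any(covers_fn(v, san) for v in validated_names)
    ]


if __name__ == "__main__":
    # Constructed scenario mirroring the article: the applicant proved
    # control of med.ucf.edu and then asked for the base domain as well.
    proven = {"med.ucf.edu"}
    requested = ["med.ucf.edu", "www.ucf.edu", "ucf.edu", "*.ucf.edu"]

    print("flawed rule refuses :", uncovered_names(proven, requested, flawed_covers))
    print("hardened rule refuses:", uncovered_names(proven, requested, covers))
```

Under the hardened rule every name except the one actually validated is refused, while the flawed rule refuses nothing; a CA's issuance pipeline (or an auditor replaying validation records against issued certificates) can use a check of this shape to catch the parent-from-child widening before a certificate leaves the building.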

The Concern Has Just Begun

Billions of internet users across the globe rely on the conventional certificate system to ensure the confidentiality of their data, often without considering the associated risks.

However, what concerns many security researchers is that it is still unclear how many domain certificates have been mis-issued so far. In addition, WoSign needs to inform the owners of the sites whose certificates have been handed to unauthorized individuals.

Saad Qureshi, Author

Saad Qureshi's Biography:

Saad is a privacy advocate by day and a Dota 2 player by night. He loves to share his knowledge, experience, and insights about internet freedom and online privacy. When he is not busy blogging about the latest trend in the tech world, he is engaged in killing noobs on Dota.