
A Chinese certification authority mistakenly issued an SSL certificate for the GitHub domain to an ordinary user.



The Chinese certification authority WoSign, which specializes in issuing free SSL certificates, mistakenly issued duplicate certificates for the base domains of GitHub and the University of Central Florida to an ordinary user.

The error was discovered by one of the university's students. According to Mozilla employee Gervase Markham, who described the story, it all happened back in April 2016 but became known only now.

What is the problem


In the spring of this year, a student at the University of Central Florida requested a certificate for the med.ucf.edu subdomain and also listed the institution's main domain (www.ucf.edu) in the request. To the student's surprise, WoSign approved the application and issued the certificates. In the same way, the student was able to obtain certificates for GitHub domains: github.com, imtqy.com and www.imtqy.com.

This was possible because of a flaw in the certification authority's validation: it issued a free SSL certificate for the base domain if the applicant could demonstrate control over a subdomain of it. WoSign was informed of the flaw, but so far only the GitHub certificate has been revoked.
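The flaw the article describes is a scope error in domain validation: proving control of one subdomain was treated as proof of control over the registrable domain above it. The following added example (not WoSign's code, whose actual logic is not public) contrasts a constructed faulty rule of that shape with the correct rule, under which a validated name covers only itself and names beneath it, never an ancestor or a sibling. The `registrable_domain` shortcut (last two labels) is a simplification for illustration; a real CA must consult the Public Suffix List.

```python
"""Added example: which requested names does one domain-control validation cover?
The faulty rule is constructed to illustrate the class of bug in the article;
it is not WoSign's implementation."""


def _is_equal_or_below(parent, child):
    """True if child is parent itself or a name underneath parent."""
    parent = parent.lower().rstrip(".")
    child = child.lower().rstrip(".")
    return child == parent or child.endswith("." + parent)


def registrable_domain(name):
    """Naive registrable domain: the last two labels (illustration only;
    a production CA must use the Public Suffix List)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def faulty_authorized(validated, requested):
    """Flawed rule: control of any name under a registrable domain is taken as
    control of the whole registrable domain, so validating med.ucf.edu also
    'covers' ucf.edu and www.ucf.edu."""
    base = registrable_domain(validated)
    return [n for n in requested if _is_equal_or_below(base, n)]


def strict_authorized(validated, requested):
    """Correct rule: only the validated name and names beneath it are covered."""
    return [n for n in requested if _is_equal_or_below(validated, n)]


def review_request(validated, requested):
    """Split a certificate request into names the validation authorizes and
    names that must be rejected or separately validated."""
    ok = strict_authorized(validated, requested)
    rejected = [n for n in requested if n not in ok]
    return {"authorized": ok, "rejected": rejected}


if __name__ == "__main__":
    # Names from the article: the student validated med.ucf.edu only.
    requested = ["med.ucf.edu", "www.ucf.edu", "ucf.edu"]
    print("faulty rule authorizes:", faulty_authorized("med.ucf.edu", requested))
    print("strict rule result:    ", review_request("med.ucf.edu", requested))
```

Under the strict rule the request for www.ucf.edu and ucf.edu is rejected until those names are validated on their own; the faulty rule authorizes all three, which is exactly the outcome the student observed.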

How to protect against such errors


As Markham noted, the certificate for ucf.edu has not been revoked, which in his words indicates “the absence or unwillingness of WoSign to check its database for similar errors”. This means the certification authority may be unable to detect and revoke other erroneously issued certificates.

Domain owners can check on their own whether another SSL certificate has been issued for their domain. If one has, an attacker who obtains it can impersonate the site to its users.

To do this, the Certificate Transparency (CT) system can be used: it lets private and corporate domain owners see how many certificates have been issued for their domains. A number of certification authorities participate in it, including WoSign.



Using CT does not prevent the use of certificates that have already been issued, but it lets the owner find out that they exist.

Google and Comodo have released services for searching the Certificate Transparency database.
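The check the article recommends, as an added example that is not part of the original post: a domain owner lists the names they care about and the issuers they actually buy from, then flags every logged certificate that covers one of those names but comes from anyone else. The record layout follows the JSON that crt.sh (Comodo's CT search service) returns for a query of the form `https://crt.sh/?q=%25.example.com&output=json`; the entries below are constructed for the example and do not reproduce real log records, and the issuer names in them are invented.

```python
"""Added example: spot certificates for monitored names from unexpected issuers
in Certificate Transparency search results. Sample records are constructed in
the field layout crt.sh uses; their values are not real log entries."""
import json
import urllib.request

SAMPLE_CT_RECORDS = [
    {   # the certificate the owner actually ordered (constructed)
        "issuer_name": "C=US, O=Example Trusted CA, CN=Example Trusted Server CA",
        "common_name": "www.ucf.edu",
        "name_value": "www.ucf.edu\nucf.edu",
        "not_before": "2016-01-10T00:00:00",
        "not_after": "2019-01-10T23:59:59",
        "serial_number": "1001",
    },
    {   # a misissued certificate of the kind the article describes (constructed)
        "issuer_name": "C=CN, O=WoSign Example CA, CN=WoSign Example Free SSL CA",
        "common_name": "med.ucf.edu",
        "name_value": "med.ucf.edu\nwww.ucf.edu\nucf.edu",
        "not_before": "2016-04-05T00:00:00",
        "not_after": "2019-04-05T23:59:59",
        "serial_number": "1002",
    },
    {   # a subdomain-only certificate from an unlisted CA: it does not touch
        # the monitored names, so it is not flagged (constructed)
        "issuer_name": "C=US, O=Another Example CA, CN=Another Example CA R3",
        "common_name": "blog.ucf.edu",
        "name_value": "blog.ucf.edu",
        "not_before": "2016-03-01T00:00:00",
        "not_after": "2016-06-01T23:59:59",
        "serial_number": "1003",
    },
]


def cert_names(record):
    """All DNS names on a record: crt.sh joins the SANs with newlines."""
    names = set(record.get("name_value", "").split("\n"))
    names.add(record.get("common_name", ""))
    return {n.strip().lower() for n in names if n.strip()}


def covers(names, domain):
    """Does the certificate cover domain, directly or via a one-level wildcard?"""
    domain = domain.lower()
    parent = domain.partition(".")[2]
    return domain in names or bool(parent and f"*.{parent}" in names)


def issuer_org(issuer_name):
    """Pull the O= attribute out of an issuer distinguished name."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name


def unexpected_certificates(records, monitored_names, expected_orgs):
    """Records that cover a monitored name but were issued by an organisation
    outside the owner's expected set."""
    flagged = []
    for rec in records:
        names = cert_names(rec)
        hits = sorted(n for n in monitored_names if covers(names, n))
        if hits and issuer_org(rec["issuer_name"]) not in expected_orgs:
            flagged.append({
                "serial": rec["serial_number"],
                "issuer": rec["issuer_name"],
                "covers": hits,
                "not_before": rec["not_before"],
            })
    return flagged


def fetch_crt_sh(domain, timeout=30):
    """Live query, not used by the sample run: every logged certificate whose
    names end in the domain, in crt.sh's JSON output format."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    monitored = {"ucf.edu", "www.ucf.edu"}
    expected = {"Example Trusted CA"}
    for hit in unexpected_certificates(SAMPLE_CT_RECORDS, monitored, expected):
        print(f"UNEXPECTED serial {hit['serial']} from {hit['issuer']} "
              f"covering {', '.join(hit['covers'])} (valid from {hit['not_before']})")
```

Run periodically against `fetch_crt_sh("your-domain")` instead of the sample list, the same function gives the owner the notice the article says CT provides: it cannot undo a misissued certificate, but it surfaces one early enough to request revocation and investigate how it was obtained.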

Source: https://habr.com/ru/post/308824/

