Bugzilla #1293366
Certificate Misissuance
WoSign issued SHA-1 SSL certs and backdated the issuance date on SSL certificates
RESOLVED
WoSign CA Limited
AI Summary
WoSign CA Limited was found to have issued SHA-1 SSL certificates with backdated issuance dates. This issue was reported by Christiaan Ottow and raised concerns about the potential misuse of a non-public API that allowed backdated certificate issuance. WoSign responded by revoking the affected certificates and implementing measures to prevent future mis-issuance, including logging all issued certificates to public CT logs.
Chronology
- Issue reported by Christiaan Ottow
- Bug filed and initial responses from WoSign
- WoSign confirmed the mis-issuance and provided details
- Further discussions on the implications and actions taken
- Mozilla took action regarding WoSign
Participants
Kathleen Wilson
Richard Wang
Christiaan Ottow
Filip Jirsak
Gervase Markham
Similar Local Cases
Let's Encrypt: Attacker-controlled google.tg certificate being used in the wild.
SHA-1 issuance by Visa root
StartCom StartEncrypt vulnerability allowed issuance of fraudulent google.com, dropbox.com, etc certificates
SHA-1 issuance by DocuSign root
Let's Encrypt: certs issued contrary to CPS due to incomplete blocklist
DigiCert / Inteso San Paulo: Double dot characters
SHA-1 issuance by DigiCert roots
Let's Encrypt: CAA Misissuances