If you still trust WoSign's CA, time to nuke it from orbit. Apparently anyone can get a cert for GitHub now. https://twitter.com/pedromelo/status/770151127316885504 …
preeeeeetty sure CAs should have a *touch* more responsibility of disclosure than that... :|
Another gem: he basically says "we issued these certs without validating the domains, but no need to revoke unless customer requests".
WoSign issued not one, *two* GitHub certs: https://crt.sh/?id=29805567 https://crt.sh/?id=29647048 And they think no need to proactively revoke 0_o.
At least this one is not for http://github.com