If you still trust WoSign's CA, time to nuke it from orbit. Apparently anyone can get a cert for GitHub now.https://twitter.com/pedromelo/status/770151127316885504 …
-
It's kind of amazing how the WoSign guy's response is basically "oops, sorry, won't happen again". Amazing incident response/disclosure.
WoSign issued not one, *two* GitHub certs: https://crt.sh/?id=29805567 https://crt.sh/?id=29647048 And they think no need to proactively revoke 0_o.
-
-
At least this one is not for http://github.com
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Ha, I forgot about that one! That was my pseudonym when I was testing the vulnerability. They were both mine.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
This is comedy gold. WoSign is spamming Chinese Let's Encrypt users with FUD about "foreign CAs". Oh, the irony.https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/5Lelu0oyDQAJ …
-
Meanwhile both WoSign's and StartCom's founders are using legal threats to suppress how WoSign bought StartCom:https://archive.is/QA61W
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.