A Chinese certificate authority handed out base-domain certificates for GitHub and the University of Central Florida to a mere user in a significant security blunder.
British Mozilla programmer Gervase Markham reported the incident on the browser baron's mailing list, saying it occurred more than a year ago in July 2015 but went unreported.
The gaffe meant university sysadmin Stephen Schrauger was handed a certificate for the GitHub domain from issuer WoSign.
It was the second time the researcher was able to score a base certificate from WoSign; the issuer also handed over a certificate for the university when a researcher accidentally applied for it instead of a subdomain.
"... an applicant found a problem with WoSign's free certificate service, which allowed them to get a certificate for the base domain if they were able to prove control of a subdomain," Markham says.
"They (the researcher) accidentally discovered it when trying to get a certificate for med.ucf.edu and mistakenly also applied for www.ucf.edu which was approved.
"They then confirmed the problem by using their control of theiraccount.github.com/theiraccount.github.io to get a cert for github.com, github.io, and www.github.io."
Only the GitHub certificate was revoked, even though both were immediately reported as erroneously issued.
"The lack of revocation of the ucf.edu certificate strongly suggests that WoSign either did not or could not search their issuance databases for other occurrences of the same problem," Markham says.
"Mozilla considers such a search a basic part of the response to disclosure of a vulnerability which causes mis-issuance, and expects CAs to keep records detailed enough to make it possible."
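The kind of issuance-database search Markham describes can be sketched as follows. This is an added example, not WoSign's or Mozilla's code: the record layout, the serial placeholders and the function names are assumptions, and the rule applied is that proving control of a name authorizes that name and names beneath it, never its parent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Issuance:
    serial: str      # constructed placeholder, not a real serial number
    validated: str   # name the applicant proved control of
    sans: tuple      # names the CA placed in the certificate

def normalize(name):
    return name.strip().rstrip(".").lower()

def covered(validated, requested):
    """Control of `validated` authorizes that name and names beneath it only."""
    v, r = normalize(validated), normalize(requested)
    if r.startswith("*."):
        r = r[2:]  # a wildcard needs control of the name it hangs off
    # Label-boundary match: "notucf.edu" must not pass as a child of "ucf.edu".
    return r == v or r.endswith("." + v)

def find_misissued(log):
    """Return (serial, validated, uncovered_names) for every suspect record."""
    findings = []
    for rec in log:
        uncovered = [n for n in rec.sans if not covered(rec.validated, n)]
        if uncovered:
            findings.append((rec.serial, rec.validated, uncovered))
    return findings

# Constructed records; the domain names are the ones quoted in the article.
SAMPLE_LOG = [
    Issuance("SERIAL-0001", "med.ucf.edu", ("med.ucf.edu", "www.ucf.edu")),
    Issuance("SERIAL-0002", "theiraccount.github.io", ("github.io", "www.github.io")),
    Issuance("SERIAL-0003", "theiraccount.github.com", ("github.com",)),
    Issuance("SERIAL-0004", "example.org", ("example.org", "www.example.org")),
]

if __name__ == "__main__":
    for serial, validated, names in find_misissued(SAMPLE_LOG):
        print(f"{serial}: validated {validated}, not covered: {', '.join(names)}")
```

Run over a full issuance log, a check like this would surface every certificate matching the reported pattern, so each one can be reviewed for revocation rather than only the one that was reported.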
WoSign's chief executive officer wrote on the Mozilla thread that the company would 'do better'. ®