Hello, welcome to the Tuesday, August 30th, 2016 edition of the Sansanet Storms and a Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Just yesterday I talked about the new version of OpenSEL and how it drops support for protocols like RC4 and ZEL version 2 but with all the attention paid

to weaknesses in ESL algorithms the big problem still remains certificate

authority the latest one here is WOSign which is a Chinese certificate authority

I wasn't familiar with them, but apparently

it was possible with this certificate authority if you control a subdomain that you will also

be given a certificate for the actual domain. As an example, a user at GitHub was able to get a certificate,

not just for his host name at GitHub, but also for GitHub.io. Same happened almost a year ago

to a student at the University of Central Florida who was given a certificate not

just for his host name at UCF.edu but also for UCF.edu.

The GitHub certificate has been revoked. The UCF.edu certificate apparently has not been revoked yet, but then again,

revocation causes problems as well. It doesn't always work as well as advertised. The real problem

is that one certificate like this is out there, it's really hard to pull it back.

The GitHub certificate, for example, was valid for three years and it would have expired June 10, 2018.

It is, of course, not known what other certificates may have been issued by WOSign.

They do appear to participate in certificate transparency,

so you should be able to search certificate transparency logs for your domain name

to make sure no invalid certificates have been issued.

And the FBI issued a flash alert with details regarding

scans against state board of election websites where SQL injection apparently was used in order

to exfiltrate data. The alert does not talk about any election manipulation. Sounds like they are more after stealing data than modifying it.

...