I just saw on V2EX that someone exploited a vulnerability in WoSign's certificate issuance system and successfully obtained a certificate for GitHub's main domain.

https://crt.sh/?id=29647048

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5d:8f:2b:91:ef:b8:dd:65:af:4c:c1:2b:15:ef:4b:6e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName = WoSign CA Free SSL Certificate G2
            organizationName = WoSign CA Limited
            countryName = CN
        Validity
            Not Before: Jun 10 05:42:44 2015 GMT
            Not After : Jun 10 06:03:35 2018 GMT
        Subject:
            commonName = schrauger.github.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:3b:a1:76:73:3c:b1:62:8d:53:6d:ef:a8:e9:
                    5b:9e:0e:15:63:e6:57:ac:cc:31:b3:48:2b:01:74:
                    ae:d8:7d:1c:6b:ed:2a:40:45:36:62:83:ac:d7:a5:
                    80:9c:21:88:dc:ec:4d:ae:35:5d:65:e6:95:ee:81:
                    7a:1f:b5:a7:e9:19:f8:7a:42:...