They have confirmed that it's a fake cert. Alibaba knew this prior to my contact and said they already contacted WoSign.
Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>) On Wed, Aug 31, 2016 at 3:15 AM, Gervase Markham <g...@mozilla.org> wrote: > On 29/08/16 22:53, Percy wrote: > > Gerv, I've notified the security team in Alibaba about this possible > fake cert and ask them to confirm that they have not applied a cert. > > It's unlikely that Alibaba will use a free cert from WoSign. As a > commercial site, they usually use Verisign or globalSign > > That might also help; thank you. Please ask them to contact me directly > to confirm this cert was not requested by them. > > Gerv > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
