Hacker News
by IgorPartola 3745 days ago
OK, so this seems like a terrible vulnerability. Does anyone know (a) if StartSSL has been notified and (b) what their response has been? This seems like such a severe vulnerability that publishing it on Blogspot seems too low key. Shouldn't there be a CVE about this?
2 comments

It has been fixed according to the article:

> In 9 March, 2016 During my research I was able to replicate the attack and issue valid certificates without verifying the ownership of the website which I will explain later in my post, the vulnerability was reported and fixed within hours.

This post needs to be higher up in the thread, and not people overreacting and demanding having them removed from browsers' CA stores etc.
It's absolutely not an overreaction if it really happened. However, no hard evidence has been presented yet. I'm seeing screenshots and a story that anyone could have cooked up.

    a CVE
What would be the practical use of issuing a CVE for a vulnerability in custom code in one website? It's not like I'm going to run Nessus to scan my own network for this.