In deed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.
Possible fake cert for Github -- confirmed fake
Update: crt.sh is down after my post. Google's CT log here https://www.google.com/transparencyreport/https/ct/#domain=github.io&incl_exp=false&incl_sub=false&issuer=lPrsb9Gbn4s%3D
Possible fake cert for Alibaba, the largest commercial site in China -- confirmed fake
Possible fake cert for Microsoft
What's more shocking is WoSign's behavior after the vulnerability was disclosed to them.
WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.
WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanction against WoSign, WoSign stated that
For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in crt.sh, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks.14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate.
WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"
Let's recall how the attack works. Say, I want to acquire a fake cert issued to Github.io. Github allows me to control the subdomain percy.github.io. I then go to WoSign to demonstrate my control of percy.github.io. WoSign then issue me cert for percy.github.io but also github.io, which allows me to attack the entire github.io domain.
WoSign should have revoked certs issued with this vulnerability immediately. Instead, 14 months after the disclosure, WoSign's responded that, me, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China can be such lack of security knowledge is beyond comprehension.
I originally didn't advocate for a revocation of WoSign in the thread.
The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?In light of WoSign's utter ignorance on security knowledge of CA, I call for revocation of WoSign from all root programs and blacklist all intermediate cert operated by WoSign and corss-signed by StarCom immediately.
sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement.