
    WoSign confirmed to own StartCom

    joepie91joepie91 Member, Provider
    edited September 2016 in General

    This appeared on the mozilla.dev.security.policy mailing list two days ago. I figured I'd create a new thread, since circumstances have changed and the previous WoSign thread became a bit of a mess.

    So to summarise our understanding: as of today, StartCom IL (sole director: Richard Wang) is 100% owned by StartCom UK (two directors: Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK (sole director: Richard Wang), which is 100% owned by the CA WoSign (CEO: Richard Wang).

    [...]

    It seems clear to us from the above account that, if our understanding is correct, this transaction fits this requirement - ownership control of the CA's operations has changed, and StartCom is now wholly owned and controlled by WoSign. However, the change in ownership was not reported to Mozilla.

    [...]

    When questioned, representatives of StartCom and WoSign have specifically denied that anything had happened which needed to be reported to Mozilla, even when this particular clause of the policy was drawn to their attention.

    [...]

    Though browsers were already in the process of investigating this ownership structure due to independent reports, when a former employee of StartCom attempted to raise broader awareness of these concerns, StartCom responded with legal threats. Without taking a position on the validity of any legal action, we do find it worrying that such disclosure would be met with denials and what appears to be an attempt to suppress this public information, as it does not engender confidence or trust.

    Additionally, it is notable that StartCom and WoSign, despite this relationship, have continued to exercise two votes in the CAB Forum. [...] By contrast, the CA brands Symantec, Verisign and Thawte together have a single vote because they are controlled by the same company. This latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote.”

    (source)

    I'd say it's pretty clear by this point that neither WoSign nor StartCom are to be trusted anymore.

    If you're currently using StartCom or WoSign: Consider moving away to Let's Encrypt (from the EFF and others), which offers free certificates without dodgy crap like this. To make setup easier, you might also want to have a look at Caddy.

    Comments

    • I revoked WoSign and StartCom root / intermediate a long time ago on all my machines...

      Thanked by 1thatix

      Hey there... nothing to see here

    • What's wrong with WoSign free SSL certificates?

      Thanked by 1deadbeef
    • @TheKiller said:
      What's wrong with WoSign free SSL certificates?

      Here are some WoSign issues documented by Mozilla:
      https://wiki.mozilla.org/CA:WoSign_Issues

      Thanked by 2TheKiller vimalware
    • joepie91joepie91 Member, Provider

      @qrwteyrutiyoup said:

      @TheKiller said:
      What's wrong with WoSign free SSL certificates?

      Here are some WoSign issues documented by Mozilla:
      https://wiki.mozilla.org/CA:WoSign_Issues

      Here's a bigger list: https://git.cryto.net/joepie91/ca-incidents#wosign

    • So, WoSign is owned by ?

      OVH ? CC ? Frantech ? or better yet Dewlance ?

      Jokes aside, I expected something fishy with WoSign.

      time wasters please dont comment as we are a serious buyer
      Programmer trying to do Logo Designs

    • @Shade said:
      I revoked WoSign and StartCom root / intermediate a long time ago on all my machines...

      This might not be enough, as the WoSign root cert is cross-signed by Asseco and Comodo too. BTW, there is a pretty impressive list of issues concerning WoSign:

      https://wiki.mozilla.org/CA:WoSign_Issues
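
The cross-signing point above is worth seeing in working code. The following is an added example, not code from the thread or from any browser vendor: a toy path builder over constructed stand-in certificates (the names and "fingerprints" are made up) that shows why dropping a root by fingerprint still leaves a valid path through the cross-signed copy, and why distrusting the CA by subject name closes that gap.

```python
# Added example (not from the thread). Constructed stand-in certificates
# model the situation discussed: a leaf chaining to a WoSign root that is
# also cross-signed by another trusted root. Fingerprints are placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder, not a real hash


CERTS = [
    Cert("example.org leaf", "WoSign Class 1 CA", "leaf-01"),
    Cert("WoSign Class 1 CA", "WoSign Root", "wosign-int-01"),
    Cert("WoSign Root", "WoSign Root", "wosign-root-self"),          # self-signed root
    Cert("WoSign Root", "Comodo Root", "wosign-root-xsign-comodo"),  # cross-signed copy
    Cert("Comodo Root", "Comodo Root", "comodo-root-self"),
]
# The local trust store, keyed by fingerprint of the self-signed roots.
TRUST_ANCHORS = {"wosign-root-self", "comodo-root-self"}


def build_paths(leaf, certs):
    """Return every issuer chain from leaf up to a self-signed certificate."""
    paths = []

    def walk(cur, path):
        if cur.subject == cur.issuer:       # reached a self-signed cert
            paths.append(path)
            return
        for c in certs:                     # follow every cert that issued `cur`
            if c.subject == cur.issuer and c not in path:
                walk(c, path + [c])

    walk(leaf, [leaf])
    return paths


def valid_paths(leaf, certs, anchors, distrusted_fps=frozenset(),
                distrusted_subjects=frozenset()):
    """Paths ending at a trust anchor that contain no distrusted certificate.

    distrusted_fps      -> "I removed this root from my store" (by fingerprint)
    distrusted_subjects -> "I distrust this CA wherever its name appears"
    """
    ok = []
    for p in build_paths(leaf, certs):
        if p[-1].fingerprint not in anchors:
            continue
        if any(c.fingerprint in distrusted_fps for c in p):
            continue
        if any(c.subject in distrusted_subjects for c in p):
            continue
        ok.append(p)
    return ok
```

Removing only `wosign-root-self` still leaves the leaf valid via the Comodo-signed copy of the WoSign root; distrusting the subject `WoSign Root` rejects both paths.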

    • So...StartCom SSL certs were always "you need to add them to your browser", right?

      Why would someone pay 10 cents for such a company? You could make a new company that does the same thing easily.

      I mean, essentially it's a CA that isn't an official CA, which means that in terms of hassle, it's the same as supporting self-signed certs.

      Unless I'm missing something...I never saw the point of StartCom. The advantage of a CA is that strangers trust your certs, which StartCom could never promise because they required a browser add.

      For LET support, please visit the interim support desk.

    • sdglhm said: So, WoSign is owned by ?

      THE CHINESE

    • raindog308 said: StartCom SSL certs were always "you need to add them to your browser", right?

      No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

    • CFarenceCFarence Member
      edited September 2016

      @raindog308 said:
      So...StartCom SSL certs were always "you need to add them to your browser", right?

      Why would someone pay 10 cents for such a company? You could make a new company that does the same thing easily.

      I mean, essentially it's a CA that isn't an official CA, which means that in terms of hassle, it's the same as supporting self-signed certs.

      Unless I'm missing something...I never saw the point of StartCom. The advantage of a CA is that strangers trust your certs, which StartCom could never promise because they required a browser add.

      I think you're talking about CACert, which requires a browser add. StartCom's root certs are in most major OSs by default. Windows 7 has had it from the start. XP machines would trust it if Windows Update is enabled and downloaded the new trusted CA update. Most Linux distros also have their certificate; I use the class2 service from them and haven't run into a computer that didn't trust them by default.

      Edit:
      @rm_ is faster than me :)

    • rm_ said: No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

      Pretty typical for my posts, though, wouldn't you say?

      Thanks for the correction!

      For LET support, please visit the interim support desk.

    • Thanks! It looks like it's just an issue of serial technical incompetence, so I don't see why getting a cert from them is a bad idea. When their app/system/whatever gets tricked, the "falsely generated" cert for site X is valid regardless of where the owner of site X bought his true one.

    • rm_ said: No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

      Corrected your post to match the "don't be a dick" rule. Thank me later!

      "Actually, throughout my life, my two greatest assets have been mental stability and being, like, really smart.", Stephen Hawking, 2017. Join the Amitz party here.

    • joepie91joepie91 Member, Provider

      @deadbeef said:
      I don't see why getting a cert from them is a bad idea. When their app/system/whatever gets tricked, the "falsely generated" cert for site X is valid regardless of where the owner of site X bought his true one.

      Sure. My recommendation is more in light of the fact that WoSign has a pretty good chance of getting blacklisted as a root - if not now, then soon. At that point, your WoSign/StartCom certificates stop working, and especially when using HSTS, that means you're effectively down.

      So... it's more of a "leave the sinking ship before it sinks and you perish along with it" recommendation than anything else.

      Thanked by 1deadbeef
    • rm_rm_ Member
      edited September 2016

      Amitz said: Corrected your post to match the "don't be a dick" rule. Thank me later!

      He wrote 5 paragraphs of being a dick at StartCom, with all of that being misdirected. And you're blaming me?

    • AmitzAmitz Member
      edited September 2016

      I apologise. I did not know about your intense feelings towards StartCom and your urge to defend them or did not catch the gentle humour. I will take that into account next time and keep my mouth shut! <3

      "Actually, throughout my life, my two greatest assets have been mental stability and being, like, really smart.", Stephen Hawking, 2017. Join the Amitz party here.

    • It was only 4 paragraphs :)

      For LET support, please visit the interim support desk.

    • raindog308 said: It was only 4 paragraphs :)

      I suspect a Ninja Edit... ;-)

      "Actually, throughout my life, my two greatest assets have been mental stability and being, like, really smart.", Stephen Hawking, 2017. Join the Amitz party here.

    • Any way to easily remove them on Linux / Windows?
