WoSign confirmed to own StartCom

joepie91 Member, Patron Provider
edited September 2016 in General

This appeared on the mozilla.dev.security.policy mailing list two days ago. I figured I'd create a new thread, since circumstances have changed and the previous WoSign thread became a bit of a mess.

So to summarise our understanding: as of today, StartCom IL (sole director: Richard Wang) is 100% owned by StartCom UK (two directors: Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK (sole director: Richard Wang), which is 100% owned by the CA WoSign (CEO: Richard Wang).

[...]

It seems clear to us from the above account that, if our understanding is correct, this transaction fits this requirement - ownership control of the CA's operations has changed, and StartCom is now wholly owned and controlled by WoSign. However, the change in ownership was not reported to Mozilla.

[...]

When questioned, representatives of StartCom and WoSign have specifically denied that anything had happened which needed to be reported to Mozilla, even when this particular clause of the policy was drawn to their attention.

[...]

Though browsers were already in the process of investigating this ownership structure due to independent reports, when a former employee of StartCom attempted to raise broader awareness of these concerns, StartCom responded with legal threats. Without taking a position on the validity of any legal action, we do find it worrying that such disclosure would be met with denials and what appears to be an attempt to suppress this public information, as it does not engender confidence or trust.

Additionally, it is notable that StartCom and WoSign, despite this relationship, have continued to exercise two votes in the CAB Forum. [...] By contrast, the CA brands Symantec, Verisign and Thawte together have a single vote because they are controlled by the same company. This latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote.”

(source)

I'd say it's pretty clear by this point that neither WoSign nor StartCom are to be trusted anymore.

If you're currently using StartCom or WoSign: Consider moving away to Let's Encrypt (from the EFF and others), which offers free certificates without dodgy crap like this. To make setup easier, you might also want to have a look at Caddy.

Comments

  • I revoked WoSign and StartCom root / intermediate a long time ago on all my machines...

  • Whats wrong with WoSign free SSL certificates?

  • @TheKiller said:
    Whats wrong with WoSign free SSL certificates?

    Here are some WoSign issues documented by Mozilla:
    https://wiki.mozilla.org/CA:WoSign_Issues

  • joepie91 Member, Patron Provider

    @qrwteyrutiyoup said:

    @TheKiller said:
    Whats wrong with WoSign free SSL certificates?

    Here are some WoSign issues documented by Mozilla:
    https://wiki.mozilla.org/CA:WoSign_Issues

    Here's a bigger list: https://git.cryto.net/joepie91/ca-incidents#wosign

  • So, WoSign is owned by ?

    OVH ? CC ? Frantech ? or better yet Dewlance ?

    Jokes aside, I expected something fishy with WoSign.

  • @Shade said:
    I revoked WoSign and StartCom root / intermediate a long time ago on all my machines...

    This might not be enough, as the WoSign root cert is cross-signed by Asseco and Comodo too. BTW, there is a pretty impressive list of issues concerning WoSign:

    https://wiki.mozilla.org/CA:WoSign_Issues

  • raindog308 Administrator, Veteran

    So...StartCom SSL certs were always "you need to add them to your browser", right?

    Why would someone pay 10 cents for such a company? You could make a new company that does the same thing easily.

    I mean, essentially it's a CA that isn't an official CA, which means that in terms of hassle, it's the same as supporting self-signed certs.

    Unless I'm missing something...I never saw the point of StartCom. The advantage of a CA is that strangers trust your certs, which StartCom could never promise because they required a browser add.

  • rm_ IPv6 Advocate, Veteran

    sdglhm said: So, WoSign is owned by ?

    THE CHINESE

  • rm_ IPv6 Advocate, Veteran

    raindog308 said: StartCom SSL certs were always "you need to add them to your browser", right?

    No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

  • CFarence Member
    edited September 2016

    @raindog308 said:
    So...StartCom SSL certs were always "you need to add them to your browser", right?

    Why would someone pay 10 cents for such a company? You could make a new company that does the same thing easily.

    I mean, essentially it's a CA that isn't an official CA, which means that in terms of hassle, it's the same as supporting self-signed certs.

    Unless I'm missing something...I never saw the point of StartCom. The advantage of a CA is that strangers trust your certs, which StartCom could never promise because they required a browser add.

    I think you're talking about CACert, which requires a browser add. StartCom's root certs are in most major OSes by default. Windows 7 has had it from the start. XP machines would trust it if Windows Update is enabled and downloaded the new trusted CA update. Most Linux distros also have their certificate; I use the Class 2 service from them and haven't run into a computer that didn't trust them by default.

    Edit:
    @rm_ is faster than me :)

  • raindog308 Administrator, Veteran

    rm_ said: No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

    Pretty typical for my posts, though, wouldn't you say?

    Thanks for the correction!

  • Thanks! It looks like it's just an issue of serial technical incompetence, so I don't see why getting a cert from them is a bad idea. When their app/system/whatever gets tricked, the "falsely generated" cert for site X is valid regardless of where the owner of site X bought his true one.

  • rm_ said: No, they were not. You're probably thinking CACert. And look your entire post is now pointless.

    Corrected your post to match the "don't be a dick" rule. Thank me later!

  • joepie91 Member, Patron Provider

    @deadbeef said:
    I don't see why getting a cert from them is a bad idea. When their app/system/whatever gets tricked, the "falsely generated" cert for site X is valid regardless of where the owner of site X bought his true one.

    Sure. My recommendation is more in light of the fact that WoSign has a pretty good chance of getting blacklisted as a root - if not now, then soon. At that point, your WoSign/StartCom certificates stop working, and especially when using HSTS, that means you're effectively down.

    So... it's more of a "leave the sinking ship before it sinks and you perish along with it" recommendation than anything else.

  • rm_ IPv6 Advocate, Veteran
    edited September 2016

    Amitz said: Corrected your post to match the "don't be a dick" rule. Thank me later!

    He wrote 5 paragraphs of being a dick at StartCom, with all of that being misdirected. And you're blaming me?

  • Amitz Member
    edited September 2016

    I apologise. I did not know about your intense feelings towards StartCom and your urge to defend them or did not catch the gentle humour. I will take that into account next time and keep my mouth shut! <3

  • raindog308 Administrator, Veteran

    It was only 4 paragraphs :)

  • raindog308 said: It was only 4 paragraphs :)

    I suspect a Ninja Edit... ;-)

  • Anyway to easily remove them on linux / windows?
