Startcom Allegedly Purchased by WoSign

Kobe Member
edited August 2016 in Providers

A little bit dull and old, but a former StartCom employee appears to have accused WoSign of buying StartSSL, thereby putting it under the control of principals located in the People's Republic of China.

I don't think most people care, and the privacy implications are not extremely significant, but still an interesting read.

His website: https://www.letsphish.org/


Comments

  • century1stop Member
    edited August 2016

    accused? is China or Startcom employees communist? never heard of free market?

  • Kobe Member

    century1stop said: accused? is China or Startcom employees communist? never heard of free market?

    Kind of a moot point when significant government and legal intervention exists in the Chinese market.

  • Legal intervention or otherwise, Chinese corps are allowed to take over foreign orgs, and China at this point is opening more doors to locals and foreigners alike, moving towards a less communist type of administration, possibly a democracy later. As you can see, China is busy establishing international brands, Li Ning, Huawei, Xiaomi, etc., and it is no surprise they will buy over established brands/corps to do just that.

  • iTK98 Member
    edited September 2016

    (I'm the owner of letsphish.org)

    Legal issues...

  • 2 separate corp entities I'm afraid, it isn't an issue. I guess WoSign is in it for the technology, and running StartCom from the UK isn't a problem. There are tons of companies doing just that.

  • joepie91 Member, Patron Provider

    @century1stop said:
    2 separate corp entities I'm afraid, it isn't an issue. I guess WoSign is in it for the technology, and running StartCom from the UK isn't a problem. There are tons of companies doing just that.

    It is an issue if they are not transparent about it.

  • jar Patron Provider
    edited September 2016

    Content removed as a courtesy for @iTK98

  • Incident 2

    In July 2016, it became clear that there were some problems with the
    StartEncrypt automatic issuance service recently deployed by the CA
    StartCom. As well as other problems it had, which are outside the scope
    of this discussion, changing a simple API parameter in the POST request
    on the submission page changed the root certificate to which the
    resulting certificate chained up. The value "2" made a certificate
    signed by "StartCom Class 1 DV Server CA", "1" selected "WoSign CA Free
    SSL Certificate G2" and "0" selected "CA 沃通根证书", another root
    certificate owned by WoSign and trusted by Firefox.

    Using the value "1" led to a certificate which had a notBefore date
    (usage start date) of 20th December 2015, and which was signed using the
    SHA-1 checksum algorithm.

    • The issuance of certificates using SHA-1 has been banned by the
      Baseline Requirements since January 1st, 2016. Browsers, including
      Firefox, planned to enforce this[2] by not trusting certs with a
      notBefore date after that date, but in the case of Firefox the fix had
      to be backed out due to web compatibility issues. However, we are
      considering how/when to reintroduce it, and CAs presumably know this.

    • The issuance of backdated certificates is not forbidden, but is listed
      in Mozilla's list of Problematic Practices[3]. It says "Minor tweaking
      for technical compatibility reasons is accepted, but backdating
      certificates in order to avoid some deadline or code-enforced
      restriction is not."

    • WoSign deny that their code backdated the certificates in order to
      avoid browser-based restrictions - they say "this date is the day we
      stop to use this code"[4]. If that is true, it is not clear to us how
      StartCom came to deploy WoSign code that WoSign itself had abandoned.

    • It seems clear from publicly available information that StartCom's
      issuance systems are linked to WoSign's issuance systems in some way.
      Nevertheless, it should not have been possible for an application for a
      cert from StartCom to produce a cert signed by WoSign.

    • This misissuance incident was not reported to Mozilla by WoSign as it
      should have been.


    https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I

    they are very clearly not separate structural entities
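The incident quoted above is a good illustration of why a subscriber should audit what a CA actually hands back rather than trusting the order form. The following is an added example, not code from the thread, from StartCom or from Mozilla: it pulls the issuer, notBefore and signature algorithm out of `openssl x509 -noout -text` output and applies three checks drawn from the write-up: the issuer must be one you expected to chain to, SHA-1 signatures are flagged and, crucially, the SHA-1 deadline is evaluated against the time you requested the certificate rather than against the certificate's own notBefore (which is what a backdated notBefore is designed to slip past), and any notBefore much earlier than the request time is reported as backdated. The certificate text, the organisation names in the DNs and the 48-hour tolerance are constructed assumptions for the example.

```python
"""Audit a freshly issued leaf certificate against the expectations in the
Mozilla incident write-up: expected issuer, no SHA-1 after the Baseline
Requirements cut-off, no backdated notBefore. Added example; the certificate
text below is constructed to mirror the reported values and is not real
StartCom or WoSign output."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SHA1_BAN = datetime(2016, 1, 1, tzinfo=UTC)      # BR: no SHA-1 issuance from this date on
BACKDATE_TOLERANCE = timedelta(hours=48)        # allowance for "minor tweaking" (assumption)


def parse_openssl_text(text):
    """Extract issuer, notBefore and signature algorithm from `openssl x509 -noout -text` output."""
    fields = {"sig_alg": None, "issuer": None, "not_before": None}
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if m:
        fields["sig_alg"] = m.group(1)
    m = re.search(r"Issuer:\s*(.+)", text)
    if m:
        fields["issuer"] = m.group(1).strip()
    m = re.search(r"Not Before:\s*(.+)", text)
    if m:
        # OpenSSL pads single-digit days ("Dec  2 ..."); split/join normalises that.
        parts = m.group(1).split()[:4]
        fields["not_before"] = datetime.strptime(
            " ".join(parts), "%b %d %H:%M:%S %Y").replace(tzinfo=UTC)
    return fields


def audit(text, requested_at, expected_issuer_cns):
    """Return a list of finding tags; an empty list means the cert matches expectations."""
    f = parse_openssl_text(text)
    findings = []
    # 1. Did we get a cert from the CA we applied to?
    if not f["issuer"] or not any(cn in f["issuer"] for cn in expected_issuer_cns):
        findings.append("unexpected-issuer")
    # 2. SHA-1 is judged against when the cert was actually issued, not its own notBefore.
    if f["sig_alg"] and "sha1" in f["sig_alg"].lower():
        findings.append("sha1-signature")
        if f["not_before"] and f["not_before"] < SHA1_BAN <= requested_at:
            findings.append("sha1-deadline-evaded-by-notbefore")
    # 3. A notBefore far earlier than the request time is backdating, whatever the reason.
    if f["not_before"] and requested_at - f["not_before"] > BACKDATE_TOLERANCE:
        findings.append("backdated")
    return findings


# Constructed sample output: what the request with parameter "2" should have produced.
GOOD_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA
        Validity
            Not Before: Jul  5 10:00:00 2016 GMT
            Not After : Jul  5 10:00:00 2017 GMT
"""

# Constructed sample output mirroring the parameter "1" case from the write-up.
BAD_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CN, O = WoSign CA Limited, CN = WoSign CA Free SSL Certificate G2
        Validity
            Not Before: Dec 20 00:00:00 2015 GMT
            Not After : Dec 20 00:00:00 2016 GMT
"""

REQUESTED_AT = datetime(2016, 7, 5, 10, 0, 0, tzinfo=UTC)   # when the CSR was submitted
EXPECTED = ["StartCom Class 1 DV Server CA"]

if __name__ == "__main__":
    print("good:", audit(GOOD_TEXT, REQUESTED_AT, EXPECTED))
    print("bad: ", audit(BAD_TEXT, REQUESTED_AT, EXPECTED))
```

The important design choice is in check 2: a browser rule keyed on notBefore can be satisfied by writing an earlier notBefore, so the subscriber-side check uses the request timestamp it controls. Feed it `openssl x509 -in cert.pem -noout -text` output and the time you submitted the CSR.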

  • raindog308 Administrator

    century1stop said: accused? is China or Startcom employees communist?

    Well, um, yes, China is a Communist country. The government of China will tell you that. Is this really news to you?

    Or are you just trying to slap some freedom paint on the Chinese flag to cover it up?

    jarland said: Personally I'm always interested to know when I'm trusting security to someone in a communist country. Their government doesn't even pretend to hold up to my ideals, and specifically spends a ton of money to block their citizens from learning about their own history. Every government may have its problems, but China and Internet freedom are hilariously incompatible and I think it's not intellectually honest to suggest otherwise.

    This.

    century1stop said: Legal intervention or otherwise, Chinese corp are allowed to takeover foreign org and China at this point are opening more doors to locals and foreigners alike, moving towards lesser communist type administration, possibly a democracy later.

    Yeah..."later"...perhaps the rest of the planet will be more receptive "later"...

  • rm_ Member

    raindog308 said: China is a Communist country

    China is as much communist, as the Democratic People's Republic of Korea (often referred to as North Korea) is democratic.

  • doghouch Member
    edited August 2016

    @rm_ said:

    raindog308 said: China is a Communist country

    China is as much communist, as the Democratic People's Republic of Korea (often referred to as North Korea) is democratic.

    They are technically a democracy, with the exception that Kim runs in the only party there. (and if you don't vote for him, he's still in power, so he can publicly execute you like everyone else)

  • mailcheap Member, Host Rep

    Chinese person owning a UK front to run an Israeli CA. Seems pretty sweet! The only issue would be if they were to move to China, which they didn't. WoSign was an intermediate CA who issued bad certs; anyone with a spare $20k and valid docs can be an int. CA!

  • Maybe they incorporated in UK just not to be under the laws of China. Anyhow, from the time Let's Encrypt or CloudFlare SSL started, never had the need of StartSSL anymore.

  • mailcheap Member, Host Rep

    @Catalin said:
    Maybe they incorporated in UK just not to be under the laws of China. Anyhow, from the time Let's Encrypt or CloudFlare SSL started, never had the need of StartSSL anymore.

    For those of us needing OV/EV SSL, it's still the best bang for buck!

  • Again: Israel already HAS FULL CONTROL OF STARTCOM.

    Our laws allow in a war situation - which is the permanent case since 2006's Lebanon war - that the Shabak (-> DoD/FBI mix) and Mossad (-> CIA essentially) obtain any data required from any local company or locally controlled company without a public order (or, in most cases, with none at all).

    The Chinese laws are not much worse and if any it lowers cooperation with the US (which Startcom would do but Chinese are unlikely to).

  • William Member
    edited September 2016

    raindog308 said: China is a Communist country. The government of China will tell you that

    No, they do not. The party line is that the Chinese communism is NOT Lenin or Marx based but an asian adaption that incorporates free market and other western and especially Chinese specialities. By definition this cannot be communism, they know that and everyone else does as well.

  • jar Patron Provider

    At the end of the day there's still one really important thing: StartSSL has always been over complicated junk. Especially with $3 certs and letsencrypt out there.

  • jarland said: At the end of the day there's still one really important thing: StartSSL has always been over complicated junk. Especially with $3 certs and letsencrypt out there.

    Yeah, and sending your ID to Israel is rather... questionable, you never really know where it ends up (e.g. Mossad is known to have used passports made with data of foreigners before).

  • @William said:

    raindog308 said: China is a Communist country. The government of China will tell you that

    No, they do not. The party line is that the Chinese communism is NOT Lenin or Marx based but an asian adaption that incorporates free market and other western and especially Chinese specialities. By definition this cannot be communism, they know that and everyone else does as well.

    Finally there is someone knowing something about P.R.China. The most significant communism thing you may find is the expression in P.R.China constitution. Other than that, pls tell what's the difference between a communism China and a capitalism US/UK(or whichever you want)

    and pls, not democracy, if you really believe American or any other capitalism countries citizen have more "freedom", then I won't debate on that, you win and congratulations!

  • jar Patron Provider
    edited September 2016

    @colingpt said:

    @William said:

    raindog308 said: China is a Communist country. The government of China will tell you that

    No, they do not. The party line is that the Chinese communism is NOT Lenin or Marx based but an asian adaption that incorporates free market and other western and especially Chinese specialities. By definition this cannot be communism, they know that and everyone else does as well.

    Finally there is someone knowing something about P.R.China. The most significant communism thing you may find is the expression in P.R.China constitution. Other than that, pls tell what's the difference between a communism China and a capitalism US/UK(or whichever you want)

    and pls, not democracy, if you really believe American or any other capitalism countries citizen have more "freedom", then I won't debate on that, you win and congratulations!

    The Great Firewall and I can have as many daughters as I want without being forced by law to murder them. No need for debate :P

    Communism is fading in the marketplace in China. It is not fading in the control of the population and information. It will eventually get there, I've no doubt, but today that's just not where it's at. It may not be "true" communism but neither is the US "true" democracy, and yet we accept it as valid shorthand for our system of government. Creating variations of popular government types is not at all a new thing.

    I do not trust Internet safety to a country that goes to such efforts to ensure a lack of privacy and access to information on its entire population. I only trust my own country so far as knowing that my leaders are incompetent and that government is still not on par with the private sector.

    Of course, it's all a fairly useless point when I don't like the certificate authority in the first place. So why I would bother typing this is more of a question of "why haven't you had red bull yet today?"

  • Microlinux Member
    edited September 2016

    @Kobe said:
    thereby putting it under the control of principals located in the People's Republic of China [...] the privacy implications are not extremely significant

    One of the craziest things I've heard so far.

  • I thought this is already known by everyone.

    I've been suspicious about this for months, only not having concrete proof.

  • Many people confuse China by calling it "Communist" when they actually want to say "Authoritarian", since in many aspects Chinese political leadership and social rules are fundamentally similar to how the USSR operated and is a living proof that alternative political systems can in fact work and be competitive, and that's why people don't want China to be regarded the same politically as the EU or US.

  • William Member
    edited September 2016

    jarland said: I can have as many daughters as I want without being forced by law to murder them. No need for debate :P

    Uh, you... what? What law should that be?

    Forced abortion is a thing of the past in the PRC and was even then rare and not gender but much more policy related (one child policy); many more people died of malnutrition from the Great Leap Forward failure, which also killed the birth rate before spiking it again.

    Abortion based on gender is federally/central (AFAIK) or provincial (additionally?) illegal, even ultrasound engineers/doctors at this time cannot (might have changed) tell you the gender of your child which is why they use "hints" for it ("cannot tell" = no penis = likely girl).

    Aborting girls is a cultural thing mostly as a boy is seen as provider for the family and prestige, the CENTRAL government (where it has full power control) does not like it at all as it also drops the gender rates which the technocrats - 100% correct - see as an issue for the future (and they plan ahead for around 50-100 years as you can see on the long term plans).

    jarland said: It may not be "true" communism

    No. It is not. As per the definition of real communism (which is impossible to achieve by limits of humans in mostly empathy and conscience but let's not get into that) Marx and extensions/differences in of eg. Lenin or Trotsky and some of the GDR party kadre (they wrote a LOT of books) it simply cannot be and never was.

    The PRC never really argued for this point either as we have seen (eh, not me due to age obviously) on the USSR split and their very clear descriptions of their own system and X year plans and their background (sadly i can't read Chinese books and they don't have good translations outside of sometimes Korean, Japanese or Russian - for older also rarely German but GDR style).

    jarland said: I do not trust Internet safety to a country that goes to such efforts to ensure a lack of privacy and access to information on its entire population

    I would advise to check your browser certificate store, you might find some surprises, China - Turkey - South Africa - Taiwan among others.

  • @William said:

    jarland said: I can have as many daughters as I want without being forced by law to murder them. No need for debate :P

    Uh, you... what? What law should that be?

    Forced abortion is a thing of the past in the PRC and was even then rare and not gender but much more policy related (one child policy); many more people died of malnutrition from the Great Leap Forward failure, which also killed the birth rate before spiking it again.

    Forced abortion (dubbed 'backstreet abortions') did still occur just under the radar and not officially.

  • OpticalSwoosh said: Forced abortion (dubbed 'backstreet abortions') did still occur just under the radar and not officially.

    Where? In some town with 2000 people in inner mongolia? Seriously, where do you get that info from? The birth rate is even in the official statistics again going up.

    The CN gov further does not give much shit about criticism (plus holds a security council seat snagged from the poor ROC) so if they want to continue abort, which has been done in the past and was even documented and partly praised, they most likely do it openly.

  • Will China ever regain ROC again?

  • @ManofServer said:
    in many aspects Chinese political leadership and social rules are fundamentally similar to how the USSR operated and is a living proof that alternative political systems can in fact work and be competitive

    You can make just about any political system "work" and be "competitive". The relevant question is at what cost are these things accomplished?

    and that's why people don't want China to be regarded the same politically as the EU or US.

    Er, China is not regarded as politically the same as the EU or US because they have a different political system . . .

  • ManofServer said: Will China ever regain ROC again?

    No, but the PRC wants to always have the capability to do so which pressures Taiwan/ROC to play along. The status quo (minus the base building on islands) is favourable for all sides.
