WoSign confirmed to own StartCom
This appeared on the mozilla.dev.security.policy mailing list two days ago. I figured I'd create a new thread, since circumstances have changed and the previous WoSign thread became a bit of a mess.
So to summarise our understanding: as of today, StartCom IL (sole director: Richard Wang) is 100% owned by StartCom UK (two directors: Richard Wang and Iñigo Barreira), which is 100% owned by StartCom HK (sole director: Richard Wang), which is 100% owned by the CA WoSign (CEO: Richard Wang).
[...]
It seems clear to us from the above account that, if our understanding is correct, this transaction fits this requirement - ownership control of the CA's operations has changed, and StartCom is now wholly owned and controlled by WoSign. However, the change in ownership was not reported to Mozilla.
[...]
When questioned, representatives of StartCom and WoSign have specifically denied that anything had happened which needed to be reported to Mozilla, even when this particular clause of the policy was drawn to their attention.
[...]
Though browsers were already in the process of investigating this ownership structure due to independent reports, when a former employee of StartCom attempted to raise broader awareness of these concerns, StartCom responded with legal threats. Without taking a position on the validity of any legal action, we do find it worrying that such disclosure would be met with denials and what appears to be an attempt to suppress this public information, as it does not engender confidence or trust.
Additionally, it is notable that StartCom and WoSign, despite this relationship, have continued to exercise two votes in the CAB Forum. [...]
By contrast, the CA brands Symantec, Verisign and Thawte together have a single vote because they are controlled by the same company. This latter behaviour is in line with CAB Forum bylaw 2.2 (b): “Only one vote per Member company shall be accepted; representatives of corporate affiliates shall not vote.”
(source)
I'd say it's pretty clear by this point that neither WoSign nor StartCom are to be trusted anymore.
If you're currently using StartCom or WoSign: Consider moving away to Let's Encrypt (from the EFF and others), which offers free certificates without dodgy crap like this. To make setup easier, you might also want to have a look at Caddy.
Comments
I revoked WoSign and StartCom root / intermediate a long time ago on all my machines...
What's wrong with WoSign free SSL certificates?
Here are some WoSign issues documented by Mozilla:
https://wiki.mozilla.org/CA:WoSign_Issues
Here's a bigger list: https://git.cryto.net/joepie91/ca-incidents#wosign
So, WoSign is owned by ?
OVH ? CC ? Frantech ? or better yet Dewlance ?
Jokes aside, I expected something fishy with WoSign.
This might not be enough, as the WoSign root cert is cross-signed by Asseco and Comodo too. BTW, there is a pretty impressive list of issues concerning WoSign:
https://wiki.mozilla.org/CA:WoSign_Issues
So...StartCom SSL certs were always "you need to add them to your browser", right?
Why would someone pay 10 cents for such a company? You could make a new company that does the same thing easily.
I mean, essentially it's a CA that isn't an official CA, which means that in terms of hassle, it's the same as supporting self-signed certs.
Unless I'm missing something...I never saw the point of StartCom. The advantage of a CA is that strangers trust your certs, which StartCom could never promise because they required a browser add.
THE CHINESE
No, they were not. You're probably thinking CACert. And look your entire post is now pointless.
I think you're talking about CACert, which requires a browser add. StartCom's root certs are in most major OSes by default. Windows 7 has had it from the start. XP machines would trust it if Windows Update is enabled and downloaded the new trusted CA update. Most Linux distros also have their certificate; I use the class2 service from them and haven't run into a computer that didn't trust them by default.
Edit:
@rm_ is faster than me
Pretty typical for my posts, though, wouldn't you say?
Thanks for the correction!
Thanks! It looks like it's just an issue of serial technical incompetence, so I don't see why getting a cert from them is a bad idea. When their app/system/whatever gets tricked, the "falsely generated" cert for site X is valid regardless of where the owner of site X bought his true one.
Corrected your post to match the "don't be a dick" rule. Thank me later!
Sure. My recommendation is more in light of the fact that WoSign has a pretty good chance of getting blacklisted as a root - if not now, then soon. At that point, your WoSign/StartCom certificates stop working, and especially when using HSTS, that means you're effectively down.
So... it's more of a "leave the sinking ship before it sinks and you perish along with it" recommendation than anything else.
He wrote 5 paragraphs of being a dick at StartCom, with all of that being misdirected. And you're blaming me?
I apologise. I did not know about your intense feelings towards StartCom and your urge to defend them or did not catch the gentle humour. I will take that into account next time and keep my mouth shut!
It was only 4 paragraphs
I suspect a Ninja Edit... ;-)
Any way to easily remove them on Linux / Windows?
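For the Linux half of that question, here is an added example (not posted by anyone in this thread) showing the Debian/Ubuntu way to deselect the roots: entries in /etc/ca-certificates.conf prefixed with `!` are skipped by update-ca-certificates, which then rebuilds /etc/ssl/certs without them. It assumes the bundle file names for the affected roots contain "WoSign" or "StartCom", so review the list before applying.

```shell
#!/bin/sh
# Added example, not from the thread. Deselects WoSign/StartCom roots in
# Debian/Ubuntu's ca-certificates bundle instead of deleting files, so a
# package upgrade does not silently re-enable them.
# Assumption: matching entries look like "mozilla/<Name>.crt" and their
# file names contain "WoSign" or "StartCom".

# List the entries the pattern would touch (already-disabled ones included).
list_suspect_cas() {
    grep -E '^!?mozilla/.*(WoSign|StartCom)' "$1"
}

# Print the conf with every still-enabled matching entry prefixed by '!'.
# The '^mozilla/' anchor leaves lines that already start with '!' alone.
distrust_cas() {
    sed -E 's#^(mozilla/.*(WoSign|StartCom).*)$#!\1#' "$1"
}

# Rewrite the real conf (backup first) and rebuild /etc/ssl/certs.
# Needs root; the rebuild also updates the hash symlinks OpenSSL uses.
apply_distrust() {
    conf="${1:-/etc/ca-certificates.conf}"
    tmp=$(mktemp) || return 1
    distrust_cas "$conf" > "$tmp" \
        && cp "$conf" "$conf.bak" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && update-ca-certificates
}

# Typical use: inspect, then apply.
#   list_suspect_cas /etc/ca-certificates.conf
#   sudo sh -c '. ./distrust.sh; apply_distrust'
```

This only covers the system OpenSSL/GnuTLS store; Firefox keeps its own NSS trust store and Windows uses the certificate MMC snap-in or certutil instead. As noted above, WoSign's root is also cross-signed by other CAs, so a chain can still validate through those paths even with the root deselected.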